from a local file, kinda like requirements.txt, maps name to hash,
either package/module name, or an author/public key name.
This has to be treated specially. If two aliases appear to be the same, but one is fetched a "secure" IPFS hash, it MUST be compared w/ what ever secure hash the two aliases had in common. Otherwise a malicious package could "pretend" that it hash the sha256 that's the same, but provide a bad IPFS hash, and then we'd load the malicous package instead
Example:
from cas.a.jmg.utils import aiter, anext
@@ -20,3 +22,21 @@ Features:
git(?)hub?
init cache:
Loading resources from yourself (package):
sys.modules[__name__] returns a valid module while your are being initalized, even for __main__, though may not work due to it not being a package, but probably can be emulated via __file__
use importlib.resources: https://docs.python.org/3.7/library/importlib.html#module-importlib.resources
> Loaders that wish to support resource reading should implement a get_resource_reader(fullname) method as specified by importlib.abc.ResourceReader.
Hash options:
urn old ietf draft: https://datatracker.ietf.org/doc/draft-thiemann-hash-urn/
