Actually, with mach-nix, I can see why the --hash=... parsing of requirements.txt is not implemented. I can specify backoff-stubs==1.10.0, and mach-nix will do the integrity check using the hashes in pypi-deps-db, and it will still be reproducible.