sha256 / sha512 verification
ensure downloads and git trees haven't been tampered with.
in index.json
"sha256": "6b307ea15aab814cb89aa28e2733198aa45f5bacee11f38859fe02ba0cd8e0a1" "sha512": "..."
in cfg.toml
[verify] require_sha_for_curl = false # reject curl pkgs without sha warn_missing_sha = false # warn when any pkg lacks sha