Consider handling checksum changes of existing releases

[birjj]

Description of the feature you are looking for.

Inspired by Azure/terraform-provider-azapi#477, which is currently causing issues with the azapi provider.

Although bad practice, it happens occasionally that the checksums of specific releases are updated in-place. This recently happened to the azapi provider in v1.13.0, and has previously happened to Terraform itself in 0.11.13 and 1.3.9.

The current way that the OpenTofu registry works means that changes to hashes after a release has been created won't be picked up. Instead, a hash mismatch will happen until the affected provider releases a new version.

I'm mostly opening this issue in the hopes of creating official discussion on what OpenTofu's approach to this is. In particular:

1. Should changes in checksums be supported? It goes without saying that changing hashes is bad practice (what if someone has already committed the checksum to their lockfile...), but it happens. Terraform's registry supports changes to hashes, as evidenced by the new shasum in azapi v1.13.0. I fear that these kinds of issues might cause people to switch from OpenTofu to Terraform, as that makes the error go away.

2. If it should be supported, how is that best implemented?

[ghost]

Hello @birjj thank you for this issue! The core team regularly reviews new issues and discusses them, but this can take a little time. Please bear with us while we get to your issue. If you're interested, the contribution guide has a section about the decision-making process.

[cam72cam]

I'm pretty sure this is a duplicate of #278

[birjj]

So it is. My searching missed that - sorry!