python3: Use hash-checking mode when installing host pip packages

In hash-checking mode[1], pip will verify downloaded package archives
(source tarballs in our case) against known SHA256 hashes before
installing the packages.

As a consequence, this requires the use of requirements files[2] and
pinning packages to known versions.

The syntax for package Makefiles has changed slightly;
HOST_PYTHON3_PACKAGE_BUILD_DEPENDS no longer accepts requirement
specifiers like "foo>=1.0", only requirements file names (which are the
same as package names in the most common case).

This also updates affected packages, in particular:

* python-zipp: "setuptools_scm[toml]" has been split into
  "setuptools-scm toml" to reuse the requirements file for
  setuptools-scm (the extra depends installed by "setuptools_scm[toml]"
  is toml).

* python-pycparser: This previously used ply 3.10, whereas the
  requirements file will now install 3.11.

[1]: https://pip.pypa.io/en/stable/reference/pip_install/#hash-checking-mode
[2]: https://pip.pypa.io/en/stable/user_guide/#requirements-files

Signed-off-by: Jeffery To <jeffery.to@gmail.com>

lang/python/python3-package.mk

@@ -194,13 +194,19 @@ PYTHON3_PKG_SETUP_GLOBAL_ARGS ?=
 PYTHON3_PKG_SETUP_ARGS ?= --single-version-externally-managed
 PYTHON3_PKG_SETUP_VARS ?=
 
+PYTHON3_PKG_HOST_PIP_INSTALL_ARGS = \
+	$(foreach req,$(HOST_PYTHON3_PACKAGE_BUILD_DEPENDS), \
+		--requirement \
+		$(if $(findstring /,$(req)),$(req),$(python3_mk_path)host-pip-requirements/$(req).txt) \
+	)
+
 define Py3Build/FindStdlibDepends
 	$(SHELL) $(python3_mk_path)python3-find-stdlib-depends.sh -n "$(PKG_NAME)" "$(PKG_BUILD_DIR)"
 endef
 
 define Py3Build/Compile/Default
-	$(if $(HOST_PYTHON3_PACKAGE_BUILD_DEPENDS),
-		$(call HostPython3/PipInstall,$(HOST_PYTHON3_PACKAGE_BUILD_DEPENDS))
+	$(if $(PYTHON3_PKG_HOST_PIP_INSTALL_ARGS), \
+		$(call HostPython3/PipInstall,$(PYTHON3_PKG_HOST_PIP_INSTALL_ARGS)) \
 	)
 	$(call Python3/ModSetup, \
 		$(PYTHON3_PKG_SETUP_DIR), \