Per discussion with Denis today, we could:

• check REMOTE sha256sum before pulling down a new JBDS jar; this will allow us to only fetch a new jbds.jar if the SHAs don't match because a new CI build is available

• re-enable creation of sha256sum after a download (so that we don't have to create them every time we want to compare to a remote one

• switch json to use nightly for CDK, vbox, jbds, so builds will use the latest CI

• add cmdline flag to use the values in requirements.json vs. nightly latest CI, so it's easy to switch between a CI-based build and a statically-defined list of deps

• add url-latest in requirements.json so that for requirements that have a CI or latest URL, we know where to pull the nightly; this would obviate the need to pass in the URLs via commandline, or to have to toggle between stable/staging and snapshot/CI every time we want to run one type of build or the other