freeze_packages: better apply version restrictions on restricted deps

hashin does not react well to package spec collisions:
```
$ touch txt
$ python3 -m hashin -r txt "colorama==0.4.5" colorama
$ cat txt
colorama==0.4.6 \
    --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
    --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
```

This lets pip resolve the version bounds instead.

contrib/freeze_packages.sh

@@ -41,11 +41,15 @@ for suffix in '' '-hw' '-binaries' '-binaries-mac' '-build-wine' '-build-mac' '-
     echo "OK."
 
     requirements=$(pip freeze --all)
+
     restricted=$(echo $requirements | ${SYSTEM_PYTHON} $contrib/deterministic-build/find_restricted_dependencies.py)
-    requirements="$requirements $restricted"
+    if [ ! -z "$restricted" ]; then
+        python -m pip install $restricted
+        requirements=$(pip freeze --all)
+    fi
 
     echo "Generating package hashes... (${reqfile})"
-    rm "$contrib/deterministic-build/${reqfile}"
+    rm -f "$contrib/deterministic-build/${reqfile}"
     touch "$contrib/deterministic-build/${reqfile}"
 
     # restrict ourselves to source-only packages.
@@ -63,10 +67,8 @@ for suffix in '' '-hw' '-binaries' '-binaries-mac' '-build-wine' '-build-mac' '-
         HASHIN_FLAGS="--python-version source"
     fi
 
-    for requirement in $requirements; do
-        echo -e "\r  Hashing $requirement..."
-        ${SYSTEM_PYTHON} -m hashin $HASHIN_FLAGS -r "$contrib/deterministic-build/${reqfile}" "${requirement}"
-    done
+    echo -e "\r  Hashing requirements for $reqfile..."
+    ${SYSTEM_PYTHON} -m hashin $HASHIN_FLAGS -r "$contrib/deterministic-build/${reqfile}" $requirements
 
     echo "OK."
 done