I was thinking the same, and there is a filesystem that does this, see zero-install.sourceforge.net. The problem is that it can be difficult to put checksums in a path. Without checksums, a malicious developer might replace a library developed by him with something else, and the system won't notice. Sticking PGP signatures to everything, like zeroinstall does, doesn't help, because you want the developer who typed the "include" to do the signing or checksum, not the one who wrote the library.
... I started writing out all the possible path rules that wouldn't work, but found one that does ...: