https://bugzilla.redhat.com/show_bug.cgi?id=1231318
--- Comment #12 from Mathieu Bridon bochecha@fedoraproject.org ---
(In reply to Michael Cronenworth from comment #11)
> (In reply to Mathieu Bridon from comment #10)
> > As a result, Remi is correct, you should not use those URLs.
>
> Bring it up with FPC to change it then.
Well no, the guidelines are entirely correct.
> Github provides a mechanism to create tarballs on demand, either from a specific commit revision, or from a specific tag. If the upstream does not create tarballs for releases, you can use this mechanism to produce them. If the upstream does create tarballs you should use them as tarballs provide an easier trail for people auditing the packages.
In this case, upstream does not produce tarballs.
> For a number of reasons (immutability, availability, uniqueness), you must use the full commit revision hash when referring to the sources.
This is what Remi told you: if you use the automatically generated tarballs, you must not use the git tag in the URL, you must instead use the full commit hash.
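
The rule discussed in this comment can be checked mechanically. The following is an added example, not part of the original comment or of any Fedora tooling: it scans a spec file's Source lines for GitHub on-demand archive URLs and reports whether each one pins a full 40-character commit hash. The spec content, `OWNER`, the project name, the hash and the simplified `shortcommit0` definition are constructed placeholders, and only simple `%{macro}` expansion is handled.

```python
import re

# Constructed sample spec: OWNER, the project name and the hash are placeholders.
SAMPLE_SPEC = """\
%global commit0 0123456789abcdef0123456789abcdef01234567
%global shortcommit0 0123456
Name:    example
Version: 1.2.0
Source0: https://github.com/OWNER/example/archive/%{commit0}.tar.gz#/%{name}-%{shortcommit0}.tar.gz
Source1: https://github.com/OWNER/example/archive/v%{version}.tar.gz
Source2: https://github.com/OWNER/example/archive/%{shortcommit0}/%{name}-%{shortcommit0}.tar.gz
"""

MACRO_DEF = re.compile(r"^%(?:global|define)\s+(\w+)\s+(\S+)", re.M)
TAG = re.compile(r"^(Name|Version):\s*(\S+)", re.M)
SOURCE = re.compile(r"^(Source\d*):\s*(\S+)", re.M)
# Captures the ref that GitHub is asked to archive, without the file extension.
ARCHIVE = re.compile(r"https?://github\.com/[^/]+/[^/]+/archive/(?:refs/(?:tags|heads)/)?"
                     r"([^/#]+?)(?:\.tar\.gz|\.tgz|\.zip)?(?:[/#]|$)")

def expand(text, macros):
    """Expand simple %{macro} references; unknown macros are left as written."""
    for _ in range(5):  # bounded number of passes for nested macros
        new = re.sub(r"%\{(\w+)\}", lambda m: macros.get(m.group(1), m.group(0)), text)
        if new == text:
            break
        text = new
    return text

def check_sources(spec):
    """Return (source tag, ref, verdict) for every GitHub archive URL in the spec."""
    macros = {k.lower(): v for k, v in TAG.findall(spec)}
    macros.update(MACRO_DEF.findall(spec))
    findings = []
    for label, url in SOURCE.findall(spec):
        m = ARCHIVE.search(expand(url, macros))
        if not m:
            continue  # not a GitHub on-demand archive URL
        ref = m.group(1)
        if re.fullmatch(r"[0-9a-f]{40}", ref):
            verdict = "ok"                # full commit hash
        elif re.fullmatch(r"[0-9a-f]{7,39}", ref):
            verdict = "abbreviated-hash"  # not guaranteed to stay unique
        else:
            verdict = "tag-or-branch"     # can be moved to another commit
        findings.append((label, ref, verdict))
    return findings

if __name__ == "__main__":
    for finding in check_sources(SAMPLE_SPEC):
        print(*finding)
```

A ref made only of hex digits is classified by its length, so a tag that happens to look like a hash is reported as one.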