On Jun 26, 2015 9:30 PM, "Kevin Fenzi" <kevin(a)scrye.com> wrote:
In the final case, if the checksum differed it meant that the
maintainer made a mistake uploading or upstream changed the same
release after it was released.
Or somewhere between upstream and us the tarball was modified (someone
hacked GitHub, someone gained commit to upstream and then tried to cover
their tracks, a malicious package maintainer on our side, etc.). This is the
case that we definitely want to raise warning flags about.