On Jun 26, 2015 9:30 PM, "Kevin Fenzi" <firstname.lastname@example.org> wrote:
> In the final case, if the checksum differed it meant that the
> maintainer made a mistake uploading or upstream changed the same
> release after it was released.
Or somewhere between upstream and us the tarball was modified (someone hacked github, someone gained commit to upstream and then tried top cover their tracks, a malicious package maintainer on our side, etc) This is the case that we definitely want to raise warning flags about.