On Jun 26, 2015 9:30 PM, "Kevin Fenzi" <kevin@scrye.com> wrote:

> In the final case, if the checksum differed it meant that the
> maintainer made a mistake uploading or upstream changed the same
> release after it was released.

Or somewhere between upstream and us the tarball was modified (someone hacked GitHub, someone gained commit to upstream and then tried to cover their tracks, a malicious package maintainer on our side, etc.). This is the case that we definitely want to raise warning flags about.