20 Feb 2015, 9:50 a.m.
Hi

On Thu, Feb 19, 2015 at 2:24 PM, Lukas Jirkovsky <l.jirkovsky@gmail.com> wrote:
On 19 February 2015 at 21:42, Doug Newgard <scimmia@archlinux.info> wrote:
You can't. If upstream provides a checksum, that gives you some verification, but since github doesn't, there's no way to verify any of it.
I don't know about github, but with bitbucket the checksums of these generated tarballs may change occasionally as I had this issue with luxrender.
Any project that uses JGit (like Gerrit used by chromium) has this problem as well. https://bugs.eclipse.org/bugs/show_bug.cgi?id=445819
However, the sources were always the same, it was the metadata that changed.
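
The observation in this thread, that a regenerated tarball can change its checksum while the sources stay the same, can be checked by hashing what the archive contains rather than the archive bytes. The following is an added example and not part of the original thread; the function names, file names and timestamps are constructed for illustration.

```python
import hashlib
import io
import tarfile


def make_tarball(files, mtime):
    """Build a .tar.gz in memory. `mtime` stands in for the metadata a
    hosting service may change when it regenerates the same tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_digest(blob):
    """Checksum of the tarball bytes, as pinned in a typical build recipe."""
    return hashlib.sha256(blob).hexdigest()


def content_digest(blob):
    """Hash member names, types, exec bit, link targets and file bytes only.
    Timestamps, owners and the compression header are ignored."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            data = tar.extractfile(m).read() if m.isfile() else b""
            exec_bit = bytes([1 if m.mode & 0o100 else 0])
            for field in (m.name.encode(), m.type, exec_bit,
                          m.linkname.encode(), data):
                # Length-prefix each field so boundaries are unambiguous.
                h.update(len(field).to_bytes(8, "big") + field)
    return h.hexdigest()


if __name__ == "__main__":
    # Constructed sample tree, generated twice with different timestamps.
    files = {"pkg-1.0/README": b"hello\n",
             "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n"}
    first = make_tarball(files, 1424300000)
    second = make_tarball(files, 1424390000)
    print("archive digests equal:", archive_digest(first) == archive_digest(second))
    print("content digests equal:", content_digest(first) == content_digest(second))
```

Agreement between two content digests only shows that the two trees match each other; it does not authenticate either one against upstream.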