19 Feb
2015
19 Feb
'15
10:24 p.m.
On 19 February 2015 at 21:42, Doug Newgard <scimmia@archlinux.info> wrote:
You can't. If upstream provides a checksum, that gives you some verification, but since github doesn't, there's no way to verify any of it.
I don't know about github, but with bitbucket the checksums of these generated tarballs may change occasionally as I had this issue with luxrender. However, the sources were always the same, it was the metadata that changed.