On 19 February 2015 at 21:42, Doug Newgard <scimmia@xxxxxxxxxxxxxx> wrote: > You can't. If upstream provides a checksum, that gives you some verification, > but since github doesn't, there's no way to verify any of it. I don't know about github, but with bitbucket the checksums of these generated tarballs may change occasionally as I had this issue with luxrender. However, the sources were always the same, it was the metadata that changed.
