Hi On Thu, Feb 19, 2015 at 2:24 PM, Lukas Jirkovsky <l.jirkovsky@xxxxxxxxx> wrote: > On 19 February 2015 at 21:42, Doug Newgard <scimmia@xxxxxxxxxxxxxx> wrote: >> You can't. If upstream provides a checksum, that gives you some verification, >> but since github doesn't, there's no way to verify any of it. > > I don't know about github, but with bitbucket the checksums of these > generated tarballs may change occasionally as I had this issue with > luxrender. Any project that uses JGit (like Gerrit used by chromium) has this problem as well. https://bugs.eclipse.org/bugs/show_bug.cgi?id=445819 > However, the sources were always the same, it was the > metadata that changed.