On Jun 26, 2015 9:30 PM, "Kevin Fenzi" kevin@scrye.com wrote:
In the final case, if the checksum differed it meant that the maintainer made a mistake uploading or upstream changed the same release after it was released.
Or somewhere between upstream and us the tarball was modified (someone hacked GitHub, someone gained commit to upstream and then tried to cover their tracks, a malicious package maintainer on our side, etc.). This is the case that we definitely want to raise warning flags about.
-Toshio