Past and recent discussion in our IRC channel and on the mailing list
show that we can not rely on tarballs on github keeping the same
hash forever.
According to github they are "generated on demand", leading to
regular hash mismatches.

Since some of our own dependencies are on github (at the very least
guile-git), we need to come up with a solution.

Right now we have around 449 packages with tarball sources from
github in our gnu/packages.
We could:

- Move them all to use git-download and just use
  the commit that has been tagged in the versions that produce
  the tarballs on github.

- Mirror the content somewhere reliable in snapshots for
  some time. Problem here: we start to rely on this "somewhere"
  to be trustworthy and introduce one more point to trust
  (however due to pre-recorded hash sum this is just an annoyance,
  not a grave issue).

- Your idea here.

-- 
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://dist.krosos.org/dist/keys/
https://www.infotropique.org https://krosos.org