There are two kinds of tarballs on GitHub: maintainer-provided tarballs and auto-generated source tarballs. Maintainer-provided tarballs from https://github.com/USER/PROJECT/releases/... URLs are okay to use with checksum validation. However, the auto-generated ones you're using here are not: GitHub reserves the right to regenerate them while not preserving byte-by-byte stability if they discover any issues with archive generation. They also only pledge byte-for-byte stability until 2024-02-21, after their last large package reproducibility incident this January.
Sources:
Enough reasons?
This is a bad idea. https://github.com/USER/PROJECT/archive/... URLs are unstable; GitHub may regenerate these archives with different checksums, breaking the build.
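The distinction drawn in the two comments above can be enforced as a manifest check. This is an added example, not part of the original comments or of any project's code: it flags checksum-pinned sources that point at auto-generated archives. The manifest layout (`name`, `url`, `sha256`), the function names and the sample entries are assumptions made for illustration, and the `codeload.github.com` case goes beyond the two URL shapes the comments name.

```python
from urllib.parse import urlsplit

STABLE, UNSTABLE, UNKNOWN = "release-asset", "auto-generated", "not-classified"


def classify_github_source(url):
    """Classify a source URL by the two GitHub path shapes in the comments."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    if host == "codeload.github.com":
        # Beyond the page: github.com redirects /archive/ downloads to this
        # host, so a manifest may name it directly.
        return UNSTABLE
    if host not in ("github.com", "www.github.com") or len(segments) < 3:
        return UNKNOWN
    kind = segments[2]  # /USER/PROJECT/<kind>/...
    if kind == "releases":
        return STABLE
    if kind == "archive":
        return UNSTABLE
    return UNKNOWN


def lint_sources(sources):
    """Return (name, url) for each checksum-pinned auto-generated archive."""
    return [
        (src["name"], src["url"])
        for src in sources
        if src.get("sha256") and classify_github_source(src["url"]) == UNSTABLE
    ]


# Constructed manifest entries: names, URLs and digests are placeholders.
GH = "https://github.com/USER/PROJECT"
SAMPLE_SOURCES = [
    {"name": "release-asset", "url": GH + "/releases/download/v1.0/p-1.0.tar.gz", "sha256": "0" * 64},
    {"name": "pinned-archive", "url": GH + "/archive/refs/tags/v1.0.tar.gz", "sha256": "0" * 64},
    {"name": "unpinned-archive", "url": GH + "/archive/refs/tags/v1.0.tar.gz", "sha256": None},
    {"name": "other-host", "url": "https://example.org/p-1.0.tar.gz", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for name, url in lint_sources(SAMPLE_SOURCES):
        print(f"{name}: checksum pinned to an auto-generated archive: {url}")
```

Entries without a `sha256` are not reported, because the breakage described above only occurs when a fixed checksum is compared against regenerated archive bytes.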
Nagy Tibor (1f18a090) at 08 Dec 22:52
Nagy Tibor (ca0d4274) at 06 Dec 18:56
Nagy Tibor (a35291a7) at 06 Dec 18:51
Patch dependencies harder
Nagy Tibor (ca0d4274) at 06 Dec 18:38
Nagy Tibor (927df0de) at 06 Dec 18:31
Patch dependencies harder
Nagy Tibor (044655ca) at 06 Dec 18:30
Patch dependencies harder
Nagy Tibor (c05efe79) at 06 Dec 18:25
Patch dependencies harder
Nagy Tibor (9cc0229c) at 06 Dec 18:22
Patch dependencies harder
Nagy Tibor (f465d541) at 06 Dec 18:18
Patch dependencies harder
Nagy Tibor (2c1a6a7a) at 06 Dec 18:10
Patch dependencies harder
Nagy Tibor (7aa2a2ff) at 06 Dec 17:02
Release 0.19.0 - wgpu backend, repaint_after, continue-after-close