[$] Git archive generation meets Hyrum’s law

Post Syndicated from original https://lwn.net/Articles/921787/

On January 30, the GitHub blog carried a brief notice that the checksums
of archives (such as tarballs)
generated by the site had just changed. GitHub’s engineers were seemingly
unaware of the consequences of such a change — consequences that were
immediately evident to anybody familiar with either packaging systems or
Hyrum’s law. Those checksums were
widely depended on by build systems, which immediately broke when the
change went live; the resulting impact of
jawbones hitting the floor was observed by seismographs worldwide. The
change has been reverted for now, but it is worth looking at how GitHub
managed to casually break vast numbers of build systems — and why this sort
of change will almost certainly happen again.