Update on the future stability of source code archives and hashes
Blog post from GitHub
On January 30, 2023, GitHub changed the compression settings used for source code downloads (the auto-generated archives of a repository). The change altered the byte layout of those archives, and therefore their checksums and hashes, which had unexpected consequences for several communities that depend on those values. GitHub promptly reverted the change and acknowledged that it needs clearer communication and better testing to prevent similar occurrences in the future.

Going forward, GitHub committed to keeping source downloads byte-for-byte stable for at least one year and promised six months' notice before any format change, barring critical vulnerabilities. For reproducibility, it recommends referencing commit IDs; for security, it recommends switching to release assets rather than the generated archives, since checksums pinned to the generated archives are sensitive to such changes. GitHub also plans to update its documentation to reflect these commitments while engineering workarounds for minor deficiencies in the current system.
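The summary above turns on one practical point: the bytes of a generated archive depend on how it was compressed, so a hash pinned to the archive bytes can change even when the source content does not, while an identity derived from the content itself (a commit ID, or a digest over the extracted files) stays stable. The following added example, which is not code from GitHub's post and uses constructed sample files, builds the same tar content twice with different gzip settings, shows that the archive hashes differ while a content digest does not, and includes a pinned-hash verifier of the kind you would run against a fixed release asset.

```python
import gzip
import hashlib
import hmac
import io
import tarfile

# Constructed sample "repository" content (not taken from the original post).
SAMPLE_FILES = {
    "project/README.md": b"# demo project\n" * 200,
    "project/src/main.c": b"int main(void) { return 0; }\n" * 50,
}


def build_tar(files):
    """Return an uncompressed tar stream with fixed metadata, so that the
    only variable between the two archives is the compression setting."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = 0  # pin timestamps so the tar bytes are deterministic
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def gzip_archive(tar_bytes, level):
    """Compress the tar stream at a given gzip level (mtime pinned to 0)."""
    return gzip.compress(tar_bytes, compresslevel=level, mtime=0)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def content_digest(archive_bytes):
    """Digest over extracted file names and contents, independent of how the
    container was compressed. This plays the role a commit ID plays for a
    repository: it identifies the content, not the download bytes."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            h.update(member.name.encode())
            h.update(b"\0")
            f = tar.extractfile(member)
            h.update(f.read() if f is not None else b"")
            h.update(b"\0")
    return h.hexdigest()


def verify_pinned(asset_bytes, expected_sha256):
    """Check a downloaded asset against a pinned SHA-256. Use this against a
    release asset whose bytes are fixed, not against a generated archive."""
    return hmac.compare_digest(sha256_hex(asset_bytes), expected_sha256.lower())


def demo():
    """Same content, two compression levels: archive hashes differ, content
    digest does not, and a hash pinned to one archive rejects the other."""
    tar_bytes = build_tar(SAMPLE_FILES)
    fast = gzip_archive(tar_bytes, 1)   # fastest compression
    small = gzip_archive(tar_bytes, 9)  # best compression
    pinned = sha256_hex(fast)           # what a build script might have recorded
    return {
        "archive_hashes_equal": sha256_hex(fast) == sha256_hex(small),
        "content_hashes_equal": content_digest(fast) == content_digest(small),
        "pinned_verifies": verify_pinned(fast, pinned),
        "pinned_rejects": verify_pinned(small, pinned),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `demo()` result shows the failure mode the post describes: the pinned archive hash verifies only the archive it was taken from, so a change in compression settings alone makes the check fail, whereas the content digest is unchanged. In practice, pin hashes to release assets the maintainers uploaded, and pin source references to commit IDs.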