Description
Yesterday, https://builds.matomo.org/matomo-3.6.0.tar.gz was 15587492 bytes long, with sha256sum 5b7e7356636612e12701ed21421967be5c181a7451c3d907d1404247abe603bb.
Today, https://builds.matomo.org/matomo-3.6.0.tar.gz is 15586963 bytes long, with sha256sum 84afb6d94dca1850d92bc906a8a70dcf504e415384db3ed849df6ca6cbef8ecf.
Naturally, this broke the Arch Linux package, because the downloaded tarball’s integrity is checked, a practice that is common and desirable.
Inspecting the contents of the two tarballs, it looks like the manifest was changed, probably related to #13364.
But why was the released artefact changed? Releasing a fixed version as 3.6.1 is the correct thing to do, and it looks like that was what was being done, but the 3.6.0 artefact was undoubtedly modified after its release.
I hope this was some kind of mistake, and that changes will be made so that such a thing won’t happen again? An existing build artefact should never, under any circumstances, be modified. In extreme cases perhaps removed, but never modified. That’s what a new point release is for.
One final question, then: is it going to change again (preferably to revert it to the original artefact), or stay as it is now? (That is: should I update the checksums in the AUR package build script and release 3.6.0-2?)
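Added example, not code from the issue or from the Matomo project: the kind of check a package build performs against a pinned size and sha256 (the pinned values below are the first-published ones quoted in this issue), plus a member-level diff that shows which file inside a re-published tarball actually changed. The two tarballs are constructed in memory as stand-ins; their file names are assumptions.

```python
import hashlib
import io
import tarfile

# Pinned values from the issue: size and sha256 of matomo-3.6.0.tar.gz as first published.
PINNED_SHA256 = "5b7e7356636612e12701ed21421967be5c181a7451c3d907d1404247abe603bb"
PINNED_SIZE = 15587492


def check_pin(data: bytes, expected_sha256: str, expected_size: int) -> dict:
    """Compare a downloaded artefact against its pinned size and sha256 digest."""
    digest = hashlib.sha256(data).hexdigest()
    return {"size_ok": len(data) == expected_size,
            "sha256_ok": digest == expected_sha256,
            "sha256": digest}


def member_digests(tar_bytes: bytes) -> dict:
    """Map each regular file in a tarball to the sha256 of its contents."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out


def diff_tarballs(old: bytes, new: bytes) -> dict:
    """Report which members were added, removed or changed between two tarballs."""
    a, b = member_digests(old), member_digests(new)
    return {"added": sorted(set(b) - set(a)),
            "removed": sorted(set(a) - set(b)),
            "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n])}


def build_tar(files: dict) -> bytes:
    """Build a small gzipped tarball in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed stand-ins for the two builds: same files, only the manifest differs.
OLD_TAR = build_tar({"matomo/index.php": b"<?php\n", "matomo/config/manifest.inc.php": b"old\n"})
NEW_TAR = build_tar({"matomo/index.php": b"<?php\n", "matomo/config/manifest.inc.php": b"new\n"})
```

Run against the real download, `check_pin` fails on the re-published file, and `diff_tarballs` over the two archives isolates the changed member instead of leaving the maintainer to guess.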