New comment by bugcrazy on void-packages repository https://github.com/void-linux/void-packages/issues/25062#issuecomment-856359205 Comment: > > I had to change the checksum. > > That's kind of expected. The checksum will change when there is a new commit in `devel`. The distfile url just downloads what's in devel. So whenever there's an update on that branch, it changes checksum with it. I added an `@` as suggested by [Manual.md](https://github.com/void-linux/void-packages/blob/master/Manual.md#optional-variables): > > > If a distfile changes its checksum for every download because it is packaged on the fly on the server, like e.g. snapshot tarballs from any of the https://*.googlesource.com/ sites, the checksum of the archive contents can be specified by prepending a commercial at (@). For tarballs you can find the contents checksum by using the command tar xf --to-stdout | sha256sum. > > I thought it would pass it as being ok even if it changes because I added the @. But I guess it doesn't work that way. ["But shells parse all the time. Worse, the essence of the shell is parsing: the parser and the runner are intimately interleaved and cannot be clearly separated, thanks to the specification. The shell performs several kinds of expansions, automatic filename globbing, and automatic word splitting, in an unintuitive order, requiring users to memorize numerous arbitrary quoting rules in order to achieve what they want. Pages abound where common mistakes are listed, more often than not leading to security holes. Did you know that "$@" is a special case of double quoting, because it will split the arguments into several words, whereas every other use of double quotes in a shell is meant to prevent splitting?"](https://skarnet.org/software/execline/dieshdiedie.html)