GitHub announces stance on sha256 stability

&gt; If you rely on stable archives for security (ensuring you don’t accidentally trigger a tarbomb, for example), we recommend you switch to release assets instead of using source downloads.<p>Isn&#x27;t that actually the only way you <i>could</i> get a zipbomb? git-archive will never generate a zipbomb...

I think they&#x27;re being too lenient to be honest. Projects were assuming too much by recording and relying upon those hashes.