@@ -400,6 +400,13 @@ does not provide any hash, or only provides an +md5+ hash, then compute at
least one strong hash yourself (like +sha1+ or +sha256+, but not +md5+),
and mention this in a comment line above the hashes.
+*Note:* If +libfoo+ is from GitHub (see xref:github-download-url[] for
+details), we can only accept +.hash+ file if the package is a released
+(e.g. uploaded by the maintainer) tarball. Otherwise, the automatically
+generated tarball may change over time, and thus its hashes may be
+different each time it is downloaded, making the +.hash+ file irrelevant
+for that tarball.
+
*Note:* the number of spaces does not matter, so one can use spaces to
properly align the different fields.
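Review bot: The new note, in the sentence "we can only accept +.hash+ file if the package is a released (e.g. uploaded by the maintainer) tarball", says when a hash file is refused but not what the packager should do for an automatically generated GitHub tarball. The paragraph just above tells the reader to compute a strong hash themselves when upstream provides none, so the two instructions read as conflicting. Suggest stating explicitly that no +.hash+ file is to be added in that case, and saying whether such a tarball is then downloaded without any integrity check, so the trade-off is visible to reviewers. Wording points on the same lines: "accept +.hash+ file" needs an article ("a +.hash+ file"); "e.g." reads as if maintainer upload were one example of a released tarball, so use "i.e." if it is meant as the definition; and "making the +.hash+ file irrelevant" would be clearer as a statement that the recorded hashes would no longer match the downloaded tarball.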