manual: Add notes about GitHub and hashes

We can't take hashes from GitHub unless the tarball has been uploaded by
the maintainer; otherwise it is generated and may change over time,
which renders hash files useless.

[Peter: slightly reword]
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Samuel Martin <s.martin49@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Maxime Hadjinlian 2015-05-03 17:37:40 +02:00 committed by Peter Korsgaard
parent 74ce748dc9
commit 9474cc2594


@ -441,6 +441,13 @@ provide any hash, or only provides an +md5+ hash, then compute at least one
strong hash yourself (preferably +sha256+, but not +md5+), and mention
this in a comment line above the hashes.
.Note
If +libfoo+ is from GitHub (see xref:github-download-url[] for details), we
can only accept a +.hash+ file if the package is a released (e.g. uploaded
by the maintainer) tarball. Otherwise, the automatically generated tarball
may change over time, and thus its hashes may be different each time it is
downloaded, causing a +.hash+ mismatch for that tarball.
.Note
The number of spaces does not matter, so one can use spaces (or tabs) to
properly align the different fields.
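
Review bot: In the added GitHub note, "released (e.g. uploaded by the maintainer)" presents maintainer upload as just one example of a released tarball, while the commit message makes it the only acceptable case; "i.e." would match the stated intent. The note also stops at "causing a +.hash+ mismatch" without saying what the packager should do for an automatically generated tarball (presumably ship no +.hash+ file) or how to tell the two kinds of tarball apart; one sentence on each would make the rule actionable. Both new and existing notes use the ".Note" block title back to back, so it is worth checking that the rendered manual still separates them clearly.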