when developing bandersnatch I saw some checksum errors for the md5sums
of downloaded package files that I didn't understand.
I just saw another one and just want to check back whether this is
true: I can go to PyPI, delete a package version, and upload a
different file later.
This would explain that I can see a file that I downloaded successfully
changing it's hash over time.
Feels like a bad idea to me, but I guess this is part of the "PyPI
doesn't have an oppinion" deal …