[pornel]

npm and Cargo use gzipped tarballs.

Tar is an awful format that has multiple ways of specifying file names and file sizes, so there could be some shenanigans happening.

It's also possible to make archives have different content based on case-sensitivity of the file system.

[zahlman]

Ah. Python source distributions are the same, so there may be additional considerations there. Though in general it doesn't seem like there's much concern in the Python ecosystem about that, considering that building them will run arbitrary code anyway....