NixOS/ofborg

Detect url/sha256 mismatch

cyounkins opened this issue · 2 comments

If a maintainer updates a version (and thus the URL) but fails to update the sha256, all tests will pass. Is there any way we can detect this?

Example: NixOS/nixpkgs#215890

See also #429
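One heuristic a CI bot could run over a PR diff, added here as an example that is not ofborg's or nixpkgs' own code: it flags files where a version/url/rev attribute changed but no hash attribute did. The attribute lists and the sample diff are constructed assumptions, and this is a lint rather than a verification; only re-fetching the URL and comparing the hash settles the question, because Nix never downloads when the stale hash is already in the store or a binary cache.

```python
import re
from collections import defaultdict

# Attributes whose change means different source content should be fetched.
SOURCE_ATTRS = re.compile(r"^\s*(version|url|urls|rev|tag)\s*=")
# Attributes that pin the content of a fixed-output derivation.
HASH_ATTRS = re.compile(r"^\s*(sha256|sha512|hash|outputHash)\s*=")

def find_stale_hashes(diff_text):
    """Return files in a unified diff where a version/url/rev attribute was
    changed but no hash attribute was. Heuristic lint only: a real check must
    re-fetch the URL, since Nix never downloads when the old hash is cached."""
    touched = defaultdict(lambda: {"source": False, "hash": False})
    current = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):  # new-file header names the file
            current = re.sub(r"^b/", "", line[4:].split("\t")[0])
            continue
        if current is None or line.startswith("--- "):
            continue
        if not line or line[0] not in "+-":  # context, hunk headers, etc.
            continue
        body = line[1:]
        if SOURCE_ATTRS.match(body):
            touched[current]["source"] = True
        elif HASH_ATTRS.match(body):
            touched[current]["hash"] = True
    return sorted(f for f, t in touched.items() if t["source"] and not t["hash"])

# Constructed sample diff (not a real nixpkgs change): foo bumps its version
# and leaves sha256 untouched, bar updates both version and hash.
SAMPLE_DIFF = """\
--- a/pkgs/tools/foo/default.nix
+++ b/pkgs/tools/foo/default.nix
@@ -3,6 +3,6 @@
-  version = "1.2.3";
+  version = "1.2.4";
   src = fetchurl {
     url = "https://example.invalid/foo-${version}.tar.gz";
     sha256 = "0000000000000000000000000000000000000000000000000000";
--- a/pkgs/tools/bar/default.nix
+++ b/pkgs/tools/bar/default.nix
@@ -3,6 +3,6 @@
-  version = "2.0";
+  version = "2.1";
-    hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+    hash = "sha256-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA=";
"""
STALE = find_stale_hashes(SAMPLE_DIFF)  # -> ['pkgs/tools/foo/default.nix']
```

The same attribute-name heuristic misses packages that build the URL from a variable defined elsewhere, which is one reason the maintainers treat this as a review item.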

Detecting this is not that trivial and should be caught in review.

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/bootstrap-files-updates-amplifiy-exploit-of-any-package-into-exploit-of-every-package/50534/5