Been saying this the whole day now, GitHub really needs an automated diff / A/B check-up on tarballs against the actual repo, flag everything with at least a warning (+[insert additional scrutiny steps here]) when the tarball isn't matching the repo.