I've noticed an inconvenient edge case in crates-io that makes released crates mutable, and doesn't allow assuming that a checksum of an existing crate will never change:
I'm posting here to make it more visible, but please reply on GitHub to avoid splitting the discussion.