ossf / package-analysis

Open Source Package Analysis

collect hash for downloaded archive

maxfisher-g opened this issue

We currently collect the hashsum for package files but not for the package archive itself. If we do this both for dynamic analysis and static analysis, we can then at least check that the analysed tarball is the same between the two types of analysis.

For a start, we can do this for static analysis.
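A sketch of the check proposed in this issue, added here as an example and not taken from the package-analysis code base: the archive is hashed in the same pass that writes it to disk, and the records from the two analysis types are then compared. The names `ArchiveRecord`, `SaveAndHash` and `SameArchive` are hypothetical, SHA-256 is an assumed choice of digest, and the sample bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// ArchiveRecord is a hypothetical result entry, not a package-analysis type.
type ArchiveRecord struct {
	Phase  string // "static" or "dynamic"
	SHA256 string // hex digest of the archive bytes
	Size   int64  // number of bytes written
}

// SaveAndHash writes the archive stream to destPath and hashes the same bytes
// in one pass, so the digest describes exactly what was stored for analysis.
func SaveAndHash(phase string, src io.Reader, destPath string) (ArchiveRecord, error) {
	f, err := os.Create(destPath)
	if err != nil {
		return ArchiveRecord{}, err
	}
	defer f.Close()
	h := sha256.New()
	n, err := io.Copy(io.MultiWriter(f, h), src)
	if err != nil {
		return ArchiveRecord{}, err
	}
	return ArchiveRecord{Phase: phase, SHA256: hex.EncodeToString(h.Sum(nil)), Size: n}, f.Sync()
}

// SameArchive reports whether both phases analysed byte-identical archives.
func SameArchive(a, b ArchiveRecord) bool {
	return a.Size == b.Size && a.SHA256 == b.SHA256
}

func main() {
	dir, _ := os.MkdirTemp("", "archive-hash")
	defer os.RemoveAll(dir)
	// Constructed sample bytes standing in for a downloaded tarball.
	tarball := []byte("constructed sample archive bytes")
	s, _ := SaveAndHash("static", bytes.NewReader(tarball), filepath.Join(dir, "s.tgz"))
	d, _ := SaveAndHash("dynamic", bytes.NewReader(append(tarball, 0)), filepath.Join(dir, "d.tgz"))
	fmt.Println(s.SHA256, d.SHA256, SameArchive(s, d))
}
```

Hashing through `io.MultiWriter` avoids a second read of the file, which would leave a window in which the bytes on disk could differ from the bytes that were hashed.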