We have a couple students currently working for our team creating spack packages, and after the weekend started getting errors for packages that have a patch somewhere in the dependency chain. Packages without patches involved don't seem to have a problem.

Errors end with:
have the same SHA-1 prefix!
I see two other issues opened today that look very similar: #5565 and #5574

The issue was just reported to me a few minutes ago, so I haven't dug in deeply yet, but I suspect this was a bug introduced by 4f8c7d5.

A quick guess is that the new patch hash prefixes are colliding with the hashes for existing packages.