project.refs cross-junction tracking for tar sources is problematic

Summary

Having a ref(for tar, this a hash of the tarball) pinned via project.refs for a junctioned tar source is very brittle. If the junction bst file for instance updates the tarball url to a new release, the hash is mismatched and thus fails.

Steps to reproduce

Clone bst-integration https://gitlab.com/BuildStream/buildstream-integration

Manually update the free-desktop junction to the latest 18.08 ref (needed to support the latest bst changes)

Try and build buildstream.bst, it will complain the hash for gzip is wrong

Try and track gzip so it's inline with bst file in the junction, it won't have an effect as the ref is pinned in project.refs

What is the expected correct behavior?

I'm not entirely sure, as this case is less likely to happen with say a git source, unless somehow the pinned ref is deleted from the source.

---