It's always possible for a package maintainer to act maliciously, in both cases! You can edit the main source code and upload it anywhere. Calculate its digest. Sign it with your own malicious key and upload your public key to keyservers. Then in your PKGBUILD, you put the address of your own uploaded source code to be fetched, its previously calculated hash to be checked, and finally the fingerprint of your own malicious key to be retrieved from the keyserver. Or simply include the PGP public key file alongside the PKGBUILD. At the end, upload your evil PKGBUILD to AUR with a fake name. Happy hacking, dear one!

But I admit! Without the PGP key, there will be one more manual step required before a package can be built, increasing the chance of disclosing the package maintainer's kinkiness!

-- 
Best Regards,
Abraham

Sent with Tutanota; https://tuta.com
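An added example for reviewers, not code from the message or from any AUR tooling: a small Python audit that flags exactly the patterns described above, a source tarball fetched from a host other than the package's upstream `url`, a PGP key file shipped next to the PKGBUILD instead of being fetched from a keyserver, and `validpgpkeys` combined with `SKIP` checksums. The PKGBUILD fragment, hostnames and key fingerprint are constructed for the demonstration and refer to no real package.

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed sample PKGBUILD (hypothetical package, not from the AUR): the
# upstream 'url' points at example.org, but the tarball is fetched from a
# different host and the signing key is shipped alongside the PKGBUILD.
SAMPLE_PKGBUILD = r"""
pkgname=example-tool
pkgver=1.2.3
url="https://example.org/example-tool"
source=("https://files.example.net/example-tool-$pkgver.tar.gz"
        "https://files.example.net/example-tool-$pkgver.tar.gz.sig"
        "maintainer-key.asc")
sha256sums=('SKIP' 'SKIP' 'SKIP')
validpgpkeys=('0000000000000000000000000000000000000000')
"""


def _array(text, name):
    """Items of a bash array assignment such as source=(...); quotes are stripped."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    return shlex.split(m.group(1)) if m else []


def _scalar(text, name):
    """Value of a simple assignment such as url="..." (no expansion performed)."""
    m = re.search(rf"^{name}=[\"']?([^\"'\n]+)", text, re.M)
    return m.group(1) if m else None


def audit_pkgbuild(text):
    """Return human-readable findings about where a PKGBUILD's trust actually rests."""
    findings = []
    upstream = _scalar(text, "url")
    upstream_host = urlparse(upstream).hostname if upstream else None
    sums = _array(text, "sha256sums")
    keys = _array(text, "validpgpkeys")
    for src in _array(text, "source"):
        # makepkg allows "localname::url"; only the URL part matters here.
        host = urlparse(src.split("::", 1)[-1]).hostname
        if host and upstream_host and host != upstream_host:
            findings.append(f"source host {host} differs from url host {upstream_host}")
        if host is None and src.endswith((".asc", ".gpg", ".pub")):
            findings.append(f"PGP key {src} shipped alongside PKGBUILD instead of keyserver")
    if keys and "SKIP" in sums:
        findings.append("validpgpkeys set but a checksum is SKIP: integrity rests on the key alone")
    return findings


if __name__ == "__main__":
    for finding in audit_pkgbuild(SAMPLE_PKGBUILD):
        print("WARN:", finding)
```

None of these findings proves malice; they mark the places where the maintainer, not upstream, chose the values being verified, which is where a human reviewer should look.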