Hello,

Just a small note about this: a large number of AUR packages pull tarballs from GitHub (or other git platforms), including all of the source packages I maintain. If the integrity of the autogenerated tarballs from the tags is unreliable, then maybe this should be broken out into a separate thread, including aur-general in on it?

Currently I have seen no warning about the reliability of autogenerated sources on the ArchWiki. If this is in fact a problem, then wouldn't it be a good idea to discuss the addition of a warning onto the ArchWiki? After all, the AUR attempts to follow in the footsteps of the official repositories, so if this is a convention used within the official repositories (seeing as you are Arch Staff), then surely it should be discussed for the AUR?

Sorry for interrupting the thread, as I am not a TU/package maintainer and therefore shouldn't really be replying to an application for Arch Staff (package maintainer); however, I felt it necessary to point out the fact that the majority of packages do not pin against commits, but against autogenerated sources.

One last thing I would like to mention is that git has more overhead, and although packages support the --depth option, which is useful for a small handful of commits, traversing the git history (like pinning against a specific commit) requires pulling large amounts of refs, which is bandwidth and CPU intensive, especially if this was to be recommended for the AUR. Although a lot of domestic properties now have fibre at gigabit speeds, those who do not have the luxury of high speed internet would definitely be decremented by said suggestion.

Also, if you are recommending the use of git for every source package (which of course uses git as its VCS; it's not going to work on SVN repositories, for example), then surely there should be discussions of including git into base-devel?

Again, sorry for interrupting a predominately Arch Staff thread, but the content of said email I am responding to could be useful for other parts of the Arch Community, and not just isolated to an application for Maintainer.

While I am here, I wish you good luck Tomaz with the votes, and I hope to see you around within the Arch Community :)

For everyone else, have a good day and stay safe,

--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev