Hi hashworks,

some findings while I looked over your packages:

Tiny side notes:

nothing that really changes but I noticed you added some prefixed sources like ${pkgname}-${pkgver}.tar.gz:: to github urls, just wanted to make you aware github understands the following pattern:

  source=("${url}/archive/v${pkgver}/${pkgname}-${pkgver}.tar.gz")

I've seen lots of .gitignore that contain "*.tar.*" and thought maybe worth mentioning the existence of SRCDEST and PKGDEST which IMO is super handy compared to spitting out stuff into CWD.

I've nearly never seen the distribution of README.md when it contains some useful bits that may help people in /usr/share/doc/${pkgname} not like that's a requirement or such, but can sometimes be super useful.

brickstrap-git:
- should distribute the man page it stores in docs by processing it via
  pandoc --standalone --to man docs/brickstrap.md > docs/brickstrap.1

certbot-dns-hetzner:
- uses setuptools entry_point so python-setuptools is a first level hard dependency
- missing hard requires on python-requests and python-zope-interface as used in the modules

certbot-dns-hetzner-git:
- same as certbot-dns-hetzner

dns-zone-blacklist-git:
- doesn't properly distribute a license declaration but just a comment about the json that declares the license type. Please distribute something in the licenses folder and ask upstream to provide a license file in tree

filebin:
- downloads all submodules all the time, must be declared in the source=() array and the url of the submodules updated to reflect the dependencies like f.e. mono does.

kiwix-desktop-git:
- the qmake file doesn't understand CPPFLAGS, you need to add that as a workaround to the regular flags to enable fortified sources
- didn't have time, but does PREFIX really need to contain ${pkgdir}?

libzim:
- should add explicit depends on zstd as in fact it gets enabled automatically and hence is a hard dependency

mustache:
- project contains the tests via cmake that can be called in check() to ensure stuff most likely will work

pam-ihosts:
- does not respect CPPFLAGS nor LDFLAGS leading to unfortified binary without full RELRO as namcap also complains
- declares -fno-stack-protector... excuse me? ehm just no :D
- distributes an empty /usr/bin which isn't desired

pam-ihosts-git:
- same as pam-ihosts

prismatik-bin:
- hmm sources exist and a -git package seems to be possible, why not build from source instead? we love sources :)

prismatik-psieg-bin:
- same as prismatik-bin, more source more love

terraformer:
- README.md looks super useful, maybe worth distributing

zimwriterfs:
- does this really require gumbo-git, it has like 5 more commits since 2015 compared to repo gumbo-parser. Maybe would make more sense to poke some upstream folks to tag a new version instead?
- seems to soon be superseded by zim-tools anyway

cheers,
Levente
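
Added example (not part of Levente's message and not namcap's code): one way to check a built binary for the hardening properties raised under pam-ihosts (full RELRO, fortified sources, stack protector), using readelf from binutils. The function and script names are made up for this illustration.

```shell
#!/bin/sh
# Hardening checks over readelf output. All names here are illustrative.

# relro_status PHDRS DYNAMIC -> none | partial | full
# PHDRS is `readelf -lW` text, DYNAMIC is `readelf -dW` text.
relro_status() {
    if ! printf '%s\n' "$1" | grep -q 'GNU_RELRO'; then
        echo none
    elif printf '%s\n' "$2" |
         grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
        echo full       # RELRO segment plus eager binding (-z relro -z now)
    else
        echo partial    # RELRO segment only, lazy binding still in use
    fi
}

# fortify_status SYMS -> yes | no   (SYMS is `readelf --dyn-syms -W` text)
# "no" can also mean the program calls no fortifiable libc function.
fortify_status() {
    if printf '%s\n' "$1" | grep -Eq '__[a-z0-9_]+_chk(@|[[:space:]]|$)'; then
        echo yes
    else
        echo no
    fi
}

# stack_protector_status SYMS -> yes | no
# "no" is expected for code built with -fno-stack-protector.
stack_protector_status() {
    if printf '%s\n' "$1" | grep -q '__stack_chk_fail'; then
        echo yes
    else
        echo no
    fi
}

# check_elf FILE: run readelf on FILE and print a one-line summary.
check_elf() (
    phdrs=$(readelf -lW "$1")
    dyn=$(readelf -dW "$1")
    syms=$(readelf --dyn-syms -W "$1")
    printf '%s: relro=%s fortify=%s stack-protector=%s\n' "$1" \
        "$(relro_status "$phdrs" "$dyn")" "$(fortify_status "$syms")" \
        "$(stack_protector_status "$syms")"
)

# Usage: ./check-hardening.sh path/to/binary [more binaries...]
for f in "$@"; do check_elf "$f"; done
```

A binary built with makepkg's default CPPFLAGS and LDFLAGS applied would be expected to report relro=full; relro=partial or fortify=no on a package is a hint that the build system ignores those variables.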