[PRQ#74704] Deletion Request for vital-synth
billGate48 [1] filed a deletion request for vital-synth [2]:

maintainer is self hosting a file
source_x86_64=("${pkgname}-${pkgver}-${pkgrel}.deb::https://github.com/bonecountysheriff/${pkgname_deb}/releases/download/${pkgver}/${pkgname_deb}.deb")
that is not the same file as they claim it to be https://account.vital.audio/ (you'd need to make an account to verify)

sha512sum gives different results for the 2 different files. If this isn't against the arch package guidelines, it fucking should be

[1] https://aur.archlinux.org/account/billGate48/
[2] https://aur.archlinux.org/pkgbase/vital-synth/
to walk you through my reasoning,

Extracting the two versions of the .deb with tar and doing diff -r

diff -r aur-extract/ official-extract/
Binary files aur-extract/control.tar.gz and official-extract/control.tar.gz differ
Binary files aur-extract/data.tar.gz and official-extract/data.tar.gz differ
Binary files aur-extract/usr/bin/Vital and official-extract/usr/bin/Vital differ
Binary files aur-extract/usr/lib/clap/Vital.clap and official-extract/usr/lib/clap/Vital.clap differ
Binary files aur-extract/usr/lib/vst/Vital.so and official-extract/usr/lib/vst/Vital.so differ
Binary files aur-extract/usr/lib/vst3/Vital.vst3/Contents/x86_64-linux/Vital.so and official-extract/usr/lib/vst3/Vital.vst3/Contents/x86_64-linux/Vital.so differ

so the main executable, VST plugin, VST3 plugin, and CLAP plugin have been altered (potential GPLv3 violation?)

but I see the official download metadata is Feb 18 2023
the bonecountysheriff github hosted is Oct 26 2022

so maybe this should just be flagged out of date and what's on the AUR is one of the earlier versions 1.5.1 - 1.5.4, but I still feel there's something dangerous here given someone is claiming this is the official 1.5.5.

Sent with Proton Mail secure email.

On Sunday, July 20th, 2025 at 11:13 AM, notify@aur.archlinux.org <notify@aur.archlinux.org> wrote:
billGate48 [1] filed a deletion request for vital-synth [2]:
maintainer is self hosting a file source_x86_64=("${pkgname}-${pkgver}-${pkgrel}.deb::https://github.com/bonecountysheriff/${pkgname_deb}/releases/download/${pkgver}/${pkgname_deb}.deb") that is not the same file as they claim it to be https://account.vital.audio/ (you'd need to make an account to verify)
sha512sum gives different results for the 2 different files. If this isn't against the arch package guidelines, it fucking should be
[1] https://aur.archlinux.org/account/billGate48/ [2] https://aur.archlinux.org/pkgbase/vital-synth/
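An added example, not part of the original thread or of any Arch tooling: the comparison described in the reply above, done in Python without unpacking either archive to disk. It goes one step further than the thread by hashing the files inside control.tar.* and data.tar.*, so a repack that only changes timestamps or compression reports nothing while changed payload files are listed; `make_deb` and its file contents are constructed sample input.

```python
import hashlib, io, tarfile

def ar_members(blob):
    """Parse a .deb (a Unix ar archive) into {member name: bytes}."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    out, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        size = int(hdr[48:58].decode().strip())
        out[hdr[:16].decode().strip().rstrip("/")] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # member data is padded to an even offset
    return out

def file_digests(blob):
    """SHA-512 of every regular file in control.tar.* and data.tar.*, read in memory."""
    digests = {}
    for member, data in ar_members(blob).items():
        if member.startswith(("control.tar", "data.tar")):
            # "r:*" auto-detects gz/bz2/xz; nothing is extracted to disk.
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                for info in tf:
                    if info.isfile():
                        key = f"{member.split('.')[0]}:{info.name}"
                        digests[key] = hashlib.sha512(tf.extractfile(info).read()).hexdigest()
    return digests

def diff_debs(a, b):
    """Paths whose content differs, or that exist in only one of the two packages."""
    da, db = file_digests(a), file_digests(b)
    return sorted(p for p in da.keys() | db.keys() if da.get(p) != db.get(p))

def make_deb(files, mtime):
    """Build a minimal constructed .deb (sample input only, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(body), mtime
            tf.addfile(info, io.BytesIO(body))
    out = b"!<arch>\n"
    for name, body in (("debian-binary", b"2.0\n"), ("data.tar.gz", buf.getvalue())):
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n".encode()
        out += body + (b"\n" if len(body) & 1 else b"")
    return out

if __name__ == "__main__":
    print(diff_debs(make_deb({"usr/bin/Vital": b"build A"}, 1), make_deb({"usr/bin/Vital": b"build B"}, 2)))
```

For real packages, read each .deb with `open(path, "rb").read()` and pass the two byte strings to `diff_debs`.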
Request #74704 has been Rejected by Antiz [1]:

Closing this request as this has now been addressed by the maintainer. The mirrored sources have been removed and the package now expects a local copy of said sources downloaded by the users themselves beforehand. The way it was addressed is kinda unexpected though, but I left a comment to give recommendations to the maintainer.

[1] https://aur.archlinux.org/account/Antiz/