New comment by sgn on void-packages repository https://github.com/void-linux/void-packages/pull/23472#issuecomment-655821350

Comment:

On 2020-07-08 11:06:38-0700, Piotr wrote:
> Is varying checksum only reason? Contents checksum can be used then.

Yes, contents checksum can be used to verify all GitHub tarballs.

While we're switching to content checksum, we may as well switch to the tarball signed by keybase. So, if anything is shady in the tarball, we can go straight (ehem) and blame them instead of GitHub.

Let's think about this theory:
- Some bad guys have control of the machine GitHub used to generate tarballs, and decide to always put a specific file in some specific repo,
- Content checksums are always the same, but it's not the tarball we want.

In addition:
- Keybase is supposed to be security software, so I think it's better to double check the checksum with the upstream developer before submitting to Void.

--
Danh
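The two points above (a tarball's own checksum can change between downloads while a checksum of its contents stays stable, and a stable content checksum still says nothing about whether the contents are what upstream shipped) can be shown with a small in-memory experiment. This is an added example, not code from the void-packages PR or from xbps-src: the files, timestamps and the "upstream published" value are constructed, and `content_checksum` is one reasonable definition of a contents hash (sorted member names plus file data), not the one xbps-src uses.

```python
"""Added example (not from void-packages): tarball checksum vs contents checksum.

Shows that metadata-only changes (mtimes, gzip header) alter the tarball's
checksum but not the contents checksum, and that a tampered archive produces a
contents checksum that is just as stable, so it must be compared against a
value obtained from upstream, not merely checked for consistency over time.
"""
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree; not a real project.
UPSTREAM_FILES = {
    "project-1.0/README": b"hello\n",
    "project-1.0/src/main.c": b"int main(void) { return 0; }\n",
}


def build_tarball(files, mtime=0, gzip_mtime=0):
    """Build a .tar.gz of `files` in memory.

    `mtime` (per-member) and `gzip_mtime` (gzip header) stand in for metadata
    an archive generator may change between runs without touching any file.
    """
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def tarball_checksum(blob):
    """SHA-256 of the archive bytes as downloaded (what a plain checksum= covers)."""
    return hashlib.sha256(blob).hexdigest()


def content_checksum(blob):
    """SHA-256 over sorted (member name, size, data) of regular files only.

    Ignores mtimes, owners, modes and compression framing. This is one
    definition of a contents checksum chosen for the example; xbps-src's
    recipe is not reproduced here.
    """
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        members = sorted((m for m in tar.getmembers() if m.isfile()),
                         key=lambda m: m.name)
        for m in members:
            data = tar.extractfile(m).read()
            h.update(m.name.encode() + b"\0" + str(len(data)).encode() + b"\0" + data)
    return h.hexdigest()


def verify_against_upstream(blob, upstream_content_checksum):
    """The check that actually matters: compare with a value the upstream
    developer published (or signed), not with what we computed last time."""
    return content_checksum(blob) == upstream_content_checksum


if __name__ == "__main__":
    # Two "downloads" of the same tree, regenerated with different metadata.
    first = build_tarball(UPSTREAM_FILES, mtime=0, gzip_mtime=0)
    second = build_tarball(UPSTREAM_FILES, mtime=1594195200, gzip_mtime=1594195200)
    print("tarball checksums differ:", tarball_checksum(first) != tarball_checksum(second))
    print("content checksums equal: ", content_checksum(first) == content_checksum(second))

    # Constructed tampered tree: the generator always adds one extra file.
    tampered_files = dict(UPSTREAM_FILES, **{"project-1.0/.extra": b"unexpected\n"})
    tampered_a = build_tarball(tampered_files, mtime=0, gzip_mtime=0)
    tampered_b = build_tarball(tampered_files, mtime=5, gzip_mtime=5)
    print("tampered content checksum is stable:",
          content_checksum(tampered_a) == content_checksum(tampered_b))
    # Only a value from upstream (here: computed from the clean tree, standing
    # in for a published/signed checksum) distinguishes it.
    published = content_checksum(first)
    print("tampered passes upstream check:", verify_against_upstream(tampered_a, published))
```

Run as a script, it prints that the two clean downloads have different tarball checksums but equal content checksums, that the tampered archive's content checksum is equally stable across regenerations, and that only the comparison against the upstream-published value rejects it.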