New comment by eli-schwartz on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771882046

Comment:
You regard that as a security violation. The point of checking a code-signing key on ANY operating system is that you want to make sure a reputable person is still signing the releases. Random changes in the security token are a red flag indicating a compromised security token, unless the old security token has produced a signed message stating that the new security token is legit due to scheduled rotation or onboarding of a new release manager.
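The key-continuity rule from the comment above, as an added example that is not part of the original comment or of void-packages: a changed release signer is accepted only if a chain of rotation statements, each signed by the previously trusted key, leads to it. It generalizes the comment's single rotation to multi-hop chains. `Transition` and `check_release_signer` are hypothetical names, the fingerprints are constructed, and each statement's signature is assumed to have been verified already (for example by `gpg --verify`).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transition:
    """A rotation statement whose signature was ALREADY verified (assumption)."""
    signer: str    # fingerprint of the key that validly signed the statement
    endorses: str  # fingerprint of the new key the statement declares legitimate

def norm(fpr: str) -> str:
    """Normalize a fingerprint: drop whitespace, upper-case."""
    return "".join(fpr.split()).upper()

def check_release_signer(pinned, release_signer, transitions):
    """Return (accepted, trust_path).

    accepted is True when release_signer is the pinned key, or is reachable
    from it through statements each signed by an already trusted key.
    """
    pinned, target = norm(pinned), norm(release_signer)
    endorsed_by = {}
    for t in transitions:
        endorsed_by.setdefault(norm(t.signer), []).append(norm(t.endorses))
    # Breadth-first walk from the pinned key along endorsements.
    path_to = {pinned: [pinned]}
    queue = [pinned]
    while queue:
        current = queue.pop(0)
        if current == target:
            return True, path_to[current]
        for nxt in endorsed_by.get(current, []):
            if nxt not in path_to:  # also guards against endorsement loops
                path_to[nxt] = path_to[current] + [nxt]
                queue.append(nxt)
    # No chain from the pinned key: treat the key change as a red flag.
    return False, []

# Constructed fingerprints, for illustration only.
OLD, MID, NEW, ROGUE = "A1" * 20, "B2" * 20, "C3" * 20, "D4" * 20
ROTATIONS = [Transition(OLD, MID), Transition(MID, NEW)]
# A statement signed by the unknown key itself proves nothing.
SELF_ENDORSED = [Transition(ROGUE, ROGUE), Transition(OLD, MID)]
```

A statement signed only by the new key never creates a path from the pinned key, so `SELF_ENDORSED` does not make `ROGUE` acceptable.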