New review comment by fosslinux on void-packages repository

https://github.com/void-linux/void-packages/pull/28510#discussion_r570901608

Comment:
I don't think that holds very well, we use tar release tarballs for probably >90% of packages, we don't have any kind of cryptographic proof of authenticity for those.