New review comment by fosslinux on void-packages repository https://github.com/void-linux/void-packages/pull/28510#discussion_r570901608

Comment:

I don't think that holds very well; we use tar release tarballs for probably >90% of packages, and we don't have any kind of cryptographic proof of authenticity for those.

> This allows the upstream to change the revision's content without any notice.

That is very easy with basically every other distribution method, including tars.
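The mitigation that applies to both distribution methods discussed above is pinning a content digest at review time, so a silently changed tarball (or re-pointed tag) fails the check; the following is an added illustration written for this page, not code from void-packages or xbps-src. It builds a constructed sample release in memory, pins its sha256 the way a template `checksum=` does, and shows that a modified archive is rejected and which members differ.

```python
import hashlib
import io
import tarfile

def build_tarball(files):
    """Constructed sample upstream release: an in-memory (uncompressed) tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed so the archive bytes are reproducible
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def verify_distfile(data, pinned):
    """The check a build system does before unpacking: digest must match the pin.

    Note this proves integrity against the reviewed bytes only; it says nothing
    about who produced them, which is the 'authenticity' gap in the comment.
    """
    return sha256(data) == pinned

def member_digests(data):
    """Per-file digests inside an archive, used to explain a mismatch."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = sha256(tar.extractfile(m).read())
    return out

def changed_members(old, new):
    """Names whose content differs between two archives (added/removed/edited)."""
    a, b = member_digests(old), member_digests(new)
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))

# Constructed sample data: the release as reviewed, and a re-uploaded variant.
UPSTREAM_FILES = {
    "foo-1.0/README": b"foo 1.0\n",
    "foo-1.0/main.c": b"int main(void) { return 0; }\n",
}
RELEASE = build_tarball(UPSTREAM_FILES)
PINNED_CHECKSUM = sha256(RELEASE)  # what the template would record at review
TAMPERED = build_tarball({**UPSTREAM_FILES,
                          "foo-1.0/main.c": b"int main(void) { return 1; }\n"})

if __name__ == "__main__":
    print("original verifies:", verify_distfile(RELEASE, PINNED_CHECKSUM))
    print("re-uploaded verifies:", verify_distfile(TAMPERED, PINNED_CHECKSUM))
    print("changed members:", changed_members(RELEASE, TAMPERED))
```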