New review comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/28510#discussion_r570969498

Comment:
The only defenses against this are:

- contench checksum (doesn't work for all packages)
- checking tarball signature
- comparing contents of the cached tarball with old checksum against new tarball