> I understand that the metadata changed which changed the checksum,
> but that doesn't really change the question of what to do with
> source code versioning systems that have changing checksums and the
> need to supply source code for GPL projects.

If I understand you correctly, you want to be able to prove that a certain source was used in a certain PKGBUILD to generate a certain binary package you are looking at. That kind of security is not built into Arch. You cannot even prove that the PKGBUILD from abs or svn reflects the one that was used to build that package you have.

It is a well-intended question to ask for GPL compliance and provable sources, but that is not happening in Arch. It's about trust (that's why they are called TU!), and the problem you try to solve is ill-defined.

That aside, I think that rebuilding packages should be possible (correct checksums etc.), but it can fail for a bunch of reasons, so it's not the TU's fault mostly.

0,02€