Comment by Hackbraten
7 days ago
> A normal PKGBUILD should not download anything programmatically. It should rely on the package manager to download the files listed in the PKGBUILD's source array.
This is generally not true. Look at a PKGBUILD of:
- any Node.js package. You'll see that the `prepare` step downloads the entire transitive dependency tree from NPM. This is because it has a massive number of leaves and no system package maintainer can curate them all (let alone resolve each one to a single version that works across all dependees).
- any Rust program. Rust uses static linking, so publishing a system-level package for each library would be pointless. Therefore, during `prepare`, `cargo fetch` it is.
> A less than 100% reliable mechanism sure beats the current situation, which is "wait for users to report on the forum that they have been pwn3d". May I remind you that this is the third time AUR-hosted PKGBUILDs have been compromised?
Are you going to pay the monthly token bill?