Automatically warn when "url" and/or "source" fields change in AUR PKGBUILDs
Is your feature request related to a problem? Please describe.
It is widely considered good practice to review the `PKGBUILD` of an AUR package for potentially malicious activity before installing it. A part of this process is checking that the `url` for the source tarball points to a legitimate upstream server (or a trusted fork).

After the `PKGBUILD` script is reviewed and accepted for the first time, and the created package is installed, it seems to me that changes to the `url` and `source` fields are rather infrequent in future updates. This is especially true when the fields are parameterized using such variables as `$pkgname` and `$pkgver`.

I believe this presents the opportunity for an automated "low hanging fruit" security warning for users of the AUR, when either of these fields changes from the previous `PKGBUILD` during an update.
Describe the solution you'd like
Automatically print a warning to standard error showing the change when an AUR package is about to be updated and a change in the `url` or `source` field is found relative to the previous `PKGBUILD`. Optionally, the user could be prompted y/N before continuing.
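As an added example (not code from yay or from this issue's author), a Python sketch of the proposed check: it pulls the `url` and `source*` fields out of two PKGBUILD texts without sourcing them and reports any difference on standard error. The two PKGBUILDs are constructed samples for a hypothetical package.

```python
import re
import shlex
import sys

# Constructed sample PKGBUILDs (hypothetical package, not a real AUR entry).
# Only the download location changes between them; the version bump alone
# would not trigger a warning because $pkgver stays unexpanded in the text.
OLD_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
url="https://github.com/example-org/example-tool"
source=("$pkgname-$pkgver.tar.gz::https://github.com/example-org/$pkgname/archive/v$pkgver.tar.gz")
sha256sums=('SKIP')
"""
NEW_PKGBUILD = OLD_PKGBUILD.replace("pkgver=1.2.0", "pkgver=1.2.1").replace(
    "https://github.com/example-org/$pkgname/archive/v$pkgver.tar.gz",
    "https://example-mirror.invalid/$pkgname-$pkgver.tar.gz",
)

URL_RE = re.compile(r"^url=(.*)$", re.M)
# source and arch-specific source_* arrays; re.S lets the array span lines.
# (An unescaped ')' inside an entry would cut the match short.)
SOURCE_RE = re.compile(r"^(source(?:_\w+)?)=\((.*?)\)", re.M | re.S)

def extract_fields(pkgbuild: str) -> dict:
    """Pull url/source* out of the PKGBUILD text. The script is never sourced:
    running it would execute the very code the user is trying to review."""
    fields = {}
    m = URL_RE.search(pkgbuild)
    if m:
        fields["url"] = " ".join(shlex.split(m.group(1), comments=True))
    for name, body in SOURCE_RE.findall(pkgbuild):
        fields[name] = shlex.split(body, comments=True)  # quotes stripped, $vars kept
    return fields

def field_changes(old: str, new: str) -> list:
    """Return (field, old_value, new_value) for every url/source* field that differs."""
    a, b = extract_fields(old), extract_fields(new)
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]

def warn_on_changes(old: str, new: str, stream=sys.stderr) -> bool:
    """Print each change to stderr in the style the request asks for; True if any."""
    changes = field_changes(old, new)
    for field, before, after in changes:
        print(f"WARNING: {field} changed since the previous PKGBUILD\n"
              f"  old: {before}\n  new: {after}", file=stream)
    return bool(changes)
```

Because the comparison is textual, a release that only bumps `pkgver` compares equal, while a rewritten download host is reported even when the version string is identical.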
Describe alternatives you've considered
None.
Additional context
N/A.
People sometimes maintain packages from sources they do not own. I believe that if an AUR package is popular, it might incite someone to pull a fast one on you and install malware on your machine while you update. For this reason, I'm in full support of this feature request.