> This would change the pkgsums, wouldn't it? Not saying that's enough > (it's often skipped for git packages) but worth noting.
It would also trigger diff since there technically is a difference in the URL. However, for the uneducated user it may be hard to understand why diff would flag two seemingly identical URLs. And of course, there is the risk of people who freshly install the package to run into this issue. All of this assumes that people read PKGBUILDs in the first place. The previous large-scale malware attacks seemed to aim at people that do not read them, may it be due lack of awareness or convenience. There is perhaps an educational issue here, rather than an technical. But I agree, for those that actually *do* read them it had be nice to equip them with better means of detecting/explaining Homograph attacks, perhaps similar to how browsers are using Punycodes. I don't know if any of this is sufficient to treat "defence-in-depth via automated PKGBUILD scanners" as absolutely mandatory, especially since we had yet to discuss how the actual "scanning" had look like. There seems to be some attempts of heuristic-based scanning being discussed lately in the mailing list but they will need more time to mature. A solution as simple as banning all "untypical" characters would probably backfire. One particular example I can think of is how german "Umlaute" are allowed to be used in domains and are used by legitimate parties as well.
