to walk you through my reasoning, 

Extracting the two versions of the .deb with tar and doing diff -r 
diff -r aur-extract/ official-extract/
Binary files aur-extract/control.tar.gz and official-extract/control.tar.gz differ
Binary files aur-extract/data.tar.gz and official-extract/data.tar.gz differ
Binary files aur-extract/usr/bin/Vital and official-extract/usr/bin/Vital differ
Binary files aur-extract/usr/lib/clap/Vital.clap and official-extract/usr/lib/clap/Vital.clap differ
Binary files aur-extract/usr/lib/vst/Vital.so and official-extract/usr/lib/vst/Vital.so differ
Binary files aur-extract/usr/lib/vst3/Vital.vst3/Contents/x86_64-linux/Vital.so and official-extract/usr/lib/vst3/Vital.vst3/Contents/x86_64-linux/Vital.so differ

so the main executable, VST plugin, VST3 plugin, and CLAP plugin have been altered 
(potential GPLv3 violation?) 

but I see

the official download metadata is Feb 18  2023 
the bonecountysheriff github hosted is Oct 26  2022

so maybe this should just be flagged out of date and what's on the AUR is one 
of the earlier versions 1.5.1 - 1.5.4, but I still feel there's something 
dangerous here given someone is claiming this is the official 1.5.5. 






On Sunday, July 20th, 2025 at 11:13 AM, not...@aur.archlinux.org 
<not...@aur.archlinux.org> wrote:

> billGate48 [1] filed a deletion request for vital-synth [2]:
> 
> maintainer is self hosting a file
> source_x86_64=("${pkgname}-${pkgver}-${pkgrel}.deb::https://github.com/bonecountysheriff/${pkgname_deb}/releases/download/${pkgver}/${pkgname_deb}.deb")
> that is not the same file as they claim it to be
> https://account.vital.audio/ (you'd need to make an account to verify)
> 
> sha512sum gives different results for the 2 different files. If this
> isn't against the arch package guidelines, it fucking should be
> 
> [1] https://aur.archlinux.org/account/billGate48/
> [2] https://aur.archlinux.org/pkgbase/vital-synth/
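
The comparison described in this thread (differing sha512sum, then diff -r over the extracted trees), as an added Python example that is not part of the original messages: it reads the .deb's ar container directly and hashes every file inside control.tar.* and data.tar.* without unpacking to disk. The function names and the two sample packages are constructed for illustration.

```python
import hashlib, io, tarfile

def ar_members(blob):
    """Yield (name, data) for each member of an ar archive, the .deb container."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        size = int(hdr[48:58].decode().strip())
        yield hdr[:16].decode().rstrip(" /"), blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # member data is padded to an even length

def deb_digests(blob):
    """Map each ar member, and each file inside control/data tarballs, to SHA-512."""
    out = {}
    for name, data in ar_members(blob):
        out[name] = hashlib.sha512(data).hexdigest()
        if name.startswith(("control.tar", "data.tar")):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:  # gz/bz2/xz
                for m in tar:
                    if m.isfile():
                        digest = hashlib.sha512(tar.extractfile(m).read()).hexdigest()
                        out[f"{name}:{m.name}"] = digest
    return out

def diff_debs(a, b):  # sorted keys whose digest differs or that exist on one side only
    da, db = deb_digests(a), deb_digests(b)
    return sorted(k for k in da.keys() | db.keys() if da.get(k) != db.get(k))

def make_deb(files):  # builds a minimal constructed .deb (sample input, not a real package)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    deb = b"!<arch>\n"
    for name, d in (("debian-binary", b"2.0\n"), ("data.tar.gz", buf.getvalue())):
        deb += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(d):<10}`\n".encode()
        deb += d + b"\n" * (len(d) & 1)
    return deb

if __name__ == "__main__":
    aur = make_deb({"usr/bin/Vital": b"build A", "usr/share/doc/README": b"same"})
    official = make_deb({"usr/bin/Vital": b"build B", "usr/share/doc/README": b"same"})
    print("\n".join(diff_debs(aur, official)))
```

A differing `data.tar.gz` digest on its own can come from repacking or compression metadata; the per-file entries show whether the shipped binaries themselves changed.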
