I think that the very same people who never check what's in a tarball are very unlikely to start checking diffs.
Plus… malware doesn't have to be obvious, so a superficial check might not reveal anything at all anyway. In any case, last time I bumped the version of a package I diffed the sources to see if there was anything obviously strange. I did this without using git.

-- 
Salvo Tomaselli

"I do not feel obliged to believe that the same God who has endowed us with sense, reason and intellect intended us to forgo their use."
 -- Galileo Galilei

https://ltworf.codeberg.page/
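As an added example of the check described in the message above (not code from the original post or its author): a POSIX shell script that compares two release tarballs without git, listing added, removed and modified files and then printing the full unified diff. The function names and the two sample tarballs it builds are constructed for illustration; in real use you would point it at the previous and the new upstream tarball.

```shell
#!/bin/sh
# Added example, not from the original post: diff the contents of two release
# tarballs without git, as a packager might when bumping a version.
# Function names and the sample tarballs below are constructed for this example.
set -u

# Extract a gzipped tarball into a fresh temporary directory and print the path
# of the single top-level directory inside it (foo-1.0/, foo-1.1/, ...).
extract_root() {
  tmp=$(mktemp -d)
  tar -xzf "$1" -C "$tmp"
  find "$tmp" -mindepth 1 -maxdepth 1 | head -n 1
}

# Print one line per file that was added, removed or modified between two
# extracted trees. cmp is used so binary blobs are caught as well as text.
changed_files() {
  old=$1
  new=$2
  { (cd "$old" && find . -type f); (cd "$new" && find . -type f); } \
    | sed 's|^\./||' | sort -u \
    | while IFS= read -r f; do
        if [ ! -e "$old/$f" ]; then printf 'added: %s\n' "$f"
        elif [ ! -e "$new/$f" ]; then printf 'removed: %s\n' "$f"
        elif ! cmp -s "$old/$f" "$new/$f"; then printf 'modified: %s\n' "$f"
        fi
      done
}

# diff_tarballs OLD.tar.gz NEW.tar.gz
# Prints the summary of changed files, a separator, then the unified diff.
# Returns 0 when the trees are identical, 1 when they differ (as diff(1) does).
diff_tarballs() {
  old=$(extract_root "$1")
  new=$(extract_root "$2")
  summary=$(changed_files "$old" "$new")
  status=0
  if [ -n "$summary" ]; then
    status=1
    printf '%s\n' "$summary"
    echo '---'
    diff -ruN "$old" "$new" || true
  fi
  rm -rf "$(dirname "$old")" "$(dirname "$new")"
  return $status
}

# Build two constructed sample tarballs under $1 and print their paths.
# Version 1.1 edits configure and adds a build-aux script that configure sources;
# src/main.c is left unchanged so it must not show up in the summary.
make_sample_tarballs() {
  base=$1
  mkdir -p "$base/foo-1.0/src" "$base/foo-1.1/src" "$base/foo-1.1/build-aux"
  printf '#!/bin/sh\necho configuring\n' > "$base/foo-1.0/configure"
  printf 'int main(void){return 0;}\n'   > "$base/foo-1.0/src/main.c"
  printf '#!/bin/sh\necho configuring\n. ./build-aux/extra.sh\n' > "$base/foo-1.1/configure"
  printf 'int main(void){return 0;}\n'   > "$base/foo-1.1/src/main.c"
  printf 'echo something\n' > "$base/foo-1.1/build-aux/extra.sh"
  tar -czf "$base/foo-1.0.tar.gz" -C "$base" foo-1.0
  tar -czf "$base/foo-1.1.tar.gz" -C "$base" foo-1.1
  printf '%s %s\n' "$base/foo-1.0.tar.gz" "$base/foo-1.1.tar.gz"
}

# Usage: sh this.sh demo  -> builds the samples in a temp dir and shows the diff.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  set -- $(make_sample_tarballs "$d")
  diff_tarballs "$1" "$2"
  rm -rf "$d"
fi
```

The summary is printed before the unified diff so that a file added in the new tarball (here build-aux/extra.sh, which configure now sources) stands out even when the diff itself is long; `-N` makes diff show such files in full instead of only noting "Only in".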