A few issues with this PKGBUILD that should be addressed:

1. Wrong package name. Per AUR submission guidelines, packages shipping prebuilt binaries when sources are available must use the -bin suffix. The Warp client is open source (AGPLv3/MIT) at github.com/warpdotdev/warp, and this package installs prebuilt binaries — so it should be warp-terminal-oss-bin. There is already a warp-terminal-oss-bin package in the AUR; this one is effectively a duplicate.

2. Misleading url field. url= points to https://github.com/warpdotdev/warp, but source= pulls a tarball from github.com/leozeli/warp-terminal-oss-aur/releases. The url field should reflect where the artifact actually comes from, or this should be built from upstream sources directly.

3. Unverifiable binary provenance. sha256sums only verifies that the downloaded file matches what leozeli published — there is no cryptographic link to a specific upstream commit, no signature, and no GitHub Artifact Attestation / SLSA provenance. Users have no way to confirm the binary corresponds to warpdotdev/warp@d0f045c. Given that Warp handles auth tokens, AI API calls, and sees every command typed into the terminal, the bar for trusting an unsigned third-party rebuild is high.

Suggested fixes, in order of preference: - Rewrite as a proper source build using cargo against a pinned upstream tag/commit from warpdotdev/warp (no -bin suffix needed). - Otherwise: rename to -bin, fix the url field, and publish the build workflow with GitHub Artifact Attestations so the binary's provenance is verifiable.

In its current state I'd recommend users prefer warp-terminal-oss-bin or build from upstream directly.

Please note that this package, as it is now, should be called "warp-terminal-oss-bin".

From the AUR submission guidelines: "Packages that use prebuilt deliverables, when the sources are available, must use the -bin suffix."

Binaries are also being pulled from a different repo then the URL field suggests.