The GitHub releases mirror only stores the latest version of calibre. It is a bad idea to depend on disappearing urls, especially when there is a perfectly good permanent url that is already being used.

I don't see why security is an issue. Source downloads are already checksummed -- though if you want to enhance security, maybe move from md5sum to sha256sum.


But if you want to rely on GitHub downloads for the HTTPS benefits, you can use the git tag archives instead:
https://github.com/kovidgoyal/${pkgname}/archive/v${pkgver}.tar.gz

As the (built or otherwise) localizations are not contained in the source tree, you would also need a snapshot of https://github.com/kovidgoyal/calibre-translations and you'd need to add several build steps (which are already done in the *-git package I maintain in the AUR: https://aur.archlinux.org/packages/calibre-git/ )

Calibre website does not publish a sha* or md5 hash (same for Github btw). I don't think our current package has localizations included if I am not mistaken so I would have to package that anyway.

The localizations are in the package already --they're in /usr/share/calibre/localization/locales.zip
It's pre-built in the tarball at calibre-${pkgver}/resources/localization/locales.zip

That's why I suggested here: https://bugs.archlinux.org/task/46148#comment138545 that the commented-out lines in the PKGBUILD could be removed.


And the sha/md5 checksums I am referring to are the ones generated by the package maintainer... I guess that doesn't work for the initial packaging... (thinking more of people building from ABS...)

sed -i 's/http/https/g' PKGBUILD

calibre's main website can now be accessed over HTTPS, so no need to download from GitHub at all.