> I think the procedure is: a packager verifies the source and that's it.
> Since a package has a hash of the source, we can be sure that the source
> wasn't changed since it was packaged, so if we find that a package has
> a compromised source, we can blame the packager.

Ah, that sounds good enough. Still, for the sake of completion, it would be nice for Guix to have support for verifying GPG-signed source archives. I used to run Parabola GNU/Linux, and its 'makepkg' verified GPG signatures before building.
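The two checks discussed in this message, the pinned source hash and a GPG signature verified before the build, as an added example in Python. This is not Guix or Parabola/makepkg code; the fingerprints, hashes and `gpg --status-fd` lines in it are constructed for illustration, and the keyring path in `verify_archive` is an assumption. The point it shows beyond the text: a build tool should pin the signing key by full fingerprint (the `VALIDSIG` status line), not accept any "Good signature" from whatever key happens to be in the keyring.

```python
"""Verify a source archive before building: a pinned SHA-256 of the tarball,
then a detached OpenPGP signature whose signing key is pinned by fingerprint.

Added example, not Guix or makepkg code.  All fingerprints, hashes and
status lines below are constructed placeholders.
"""
import hashlib
import subprocess
from typing import Iterable, Optional


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the archive bytes against the hash recorded in the package definition."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


# Any of these status tokens means the signature must be rejected outright.
REJECT_TOKENS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def accepted_fingerprint(status_lines: Iterable[str], trusted: set) -> Optional[str]:
    """Parse `gpg --status-fd` output and return the pinned fingerprint that made a
    valid signature, or None if the signature is missing, bad, or from an unpinned key.

    GOODSIG fires for any key present in the keyring, so it is not a trust decision.
    VALIDSIG carries the signing key's full fingerprint (field 3) and, when present,
    the primary key fingerprint (field 12); we accept only if one of them is pinned.
    """
    trusted = {f.upper() for f in trusted}
    candidates = []
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag in REJECT_TOKENS:
            return None
        if tag == "VALIDSIG" and len(parts) >= 3:
            fpr = parts[2].upper()
            primary = parts[11].upper() if len(parts) >= 12 else fpr
            candidates.append((fpr, primary))
    for fpr, primary in candidates:
        if fpr in trusted or primary in trusted:
            return fpr
    return None


def verify_archive(archive: str, signature: str, keyring: str,
                   expected_sha256: str, trusted: set) -> bool:
    """Full makepkg-style gate: hash first, then signature with a dedicated keyring.
    `keyring` is assumed to hold only the upstream maintainers' public keys."""
    with open(archive, "rb") as fh:
        if not sha256_matches(fh.read(), expected_sha256):
            return False
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--no-default-keyring",
         "--keyring", keyring, "--verify", signature, archive],
        capture_output=True, text=True, check=False,
    )
    return accepted_fingerprint(proc.stdout.splitlines(), trusted) is not None


# Constructed status output for a signature by a key that is NOT in the web of trust
# (TRUST_UNDEFINED) but whose fingerprint we pin explicitly.  Fingerprints are placeholders.
PINNED_FPR = "0000000000000000000000000000000000000001"
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0000000000000001 Example Maintainer <maintainer@example.org>",
    f"[GNUPG:] VALIDSIG {PINNED_FPR} 2024-01-01 1704067200 0 4 0 1 8 00 {PINNED_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0000000000000001 Example Maintainer <maintainer@example.org>",
]

if __name__ == "__main__":
    print("pinned key, good sig:", accepted_fingerprint(SAMPLE_GOOD, {PINNED_FPR}))
    print("unpinned key, good sig:", accepted_fingerprint(SAMPLE_GOOD, {"00" * 19 + "02"}))
    print("bad sig:", accepted_fingerprint(SAMPLE_BAD, {PINNED_FPR}))
```

Running the block prints the three decisions on the constructed samples; `verify_archive` is the function a build step would call on the real tarball, `.sig` file and a keyring holding only the upstream keys.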