Split off from #2:

- Trust 3rd-party package managers (e.g. pip, cabal), because we cannot do anything about this.
- For simple packages that pandocpm installs directly, either
  - point to a particular commit (security by SHA-1 and by our sanitization in the pull request of the formula), or
  - point to a centralized repo (see #8) that I might create later, under pandoc-extras. In this case it can point to the latest commit. (security by our sanitization in pull requests to that repository)

Edit: It almost goes without saying: https should be required in any URLs.
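The policy sketched above (https only; a full commit SHA-1 pin for any source outside the centralized repo; the centralized repo may track its latest commit) can be enforced at formula-validation time before anything is fetched. The following is an added example, not pandocpm's own code: the `validate_source` function, its `url`/`commit` parameters, and the assumption that the centralized repo lives under `github.com/pandoc-extras/` are all hypothetical, chosen only to illustrate the check.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed policy constants (assumptions, not pandocpm's real schema):
# a full SHA-1 is 40 hex digits; shorter prefixes, branch names and tags are
# not accepted as pins because they do not identify one immutable revision.
COMMIT_RE = re.compile(r"^[0-9a-fA-F]{40}$")
CENTRAL_REPO_HOST = "github.com"
CENTRAL_REPO_PATH_PREFIX = "/pandoc-extras/"  # hypothetical location of the centralized repo


def validate_source(url: str, commit: Optional[str]) -> List[str]:
    """Return the list of policy violations for a formula source.

    An empty list means the source may be fetched. Rules, as stated in the issue:
      * every URL must use https
      * a source outside the centralized repo must pin a full commit SHA-1
      * a source inside the centralized repo may omit the pin (latest commit)
    """
    problems: List[str] = []
    parsed = urlparse(url)

    # Rule 1: https only, so the download cannot be tampered with in transit.
    if parsed.scheme != "https":
        problems.append(f"scheme must be https, got {parsed.scheme!r}")
    if not parsed.netloc:
        problems.append("URL has no host")

    # A source is "centralized" only when both host and path prefix match.
    centralized = (
        parsed.netloc == CENTRAL_REPO_HOST
        and parsed.path.startswith(CENTRAL_REPO_PATH_PREFIX)
    )

    # Rules 2 and 3: pin required unless the source is in the centralized repo;
    # when a pin is given anywhere, it must be a full SHA-1.
    if commit is None:
        if not centralized:
            problems.append("non-centralized source must pin a commit")
    elif not COMMIT_RE.fullmatch(commit):
        problems.append(f"commit must be a full 40-hex SHA-1, got {commit!r}")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_source("https://github.com/someone/filter", "a" * 40))      # []
    print(validate_source("http://github.com/someone/filter", "a" * 40))       # https violation
    print(validate_source("https://github.com/someone/filter", "master"))      # not a SHA-1
    print(validate_source("https://github.com/pandoc-extras/filter", None))    # [] (centralized)
```

Returning a list of violations rather than a boolean lets the formula reviewer see every problem at once; a caller would refuse to install whenever the list is non-empty.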