I decided to check out the ninvaders package from RPM Sphere.
Here’s the SRPM: source/ninvaders-0.1.2-1.src.rpm at master · rpmsphere/source · GitHub
Download and unpack it:
```
wget https://github.com/rpmsphere/source/raw/master/n/ninvaders-0.1.2-1.src.rpm
mkdir ninvaders
cd ninvaders
rpm2cpio ../ninvaders-0.1.2-1.src.rpm | cpio -imdv
```
Inside you’ll find a spec file, source tarball, and a patch file. Here’s part of the spec file:
```
Name: ninvaders
Version: 0.1.2
...
URL: http://ninvaders.sourceforge.net/
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
```
It says the source is http://downloads.sourceforge.net/ninvaders/ninvaders-0.1.2.tar.bz2, which doesn’t exist. The latest version in the ninvaders SourceForge repo is 0.1.1 from 2003.
Fortunately, a search for ninvaders 0.1.2 turns up the site of the original author with a version 0.1.2 from 2022. On that site is an MD5 checksum, which matches the tarball in the SRPM.
```
$ md5sum ninvaders-0.1.2.tar.bz2
06001676a29efd0b7c538717f2c541f6 ninvaders-0.1.2.tar.bz2
```
So, the SRPM is ok, but it was not built with the Source0 automatically downloaded at build time (that is how the build systems used by Fedora, RPM Fusion, and Copr work). The 0.1.2 tarball was manually downloaded from the author’s site before building the SRPM.
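The check above (expand Source0 from the spec's own Name/Version tags, then compare the tarball shipped in the SRPM against the checksum published upstream) can be scripted so it is repeatable for any package. This is an added example, not part of the original post or of the RPM Sphere project; the spec fragment and tarball stand-in below are constructed inline so the script runs offline, and the real tarball and its published MD5 would be substituted in practice.

```shell
#!/bin/sh
# Added example (not from the original post): expand Source0 from a spec file
# and verify the tarball that ships in an SRPM against an expected checksum.

# Expand %{name} and %{version} in the spec's Source0 line using the spec's
# own Name: and Version: tags. Prints the expanded URL on stdout.
spec_source0_url() {
    spec="$1"
    name=$(sed -n 's/^Name:[[:space:]]*//p' "$spec" | head -n 1)
    version=$(sed -n 's/^Version:[[:space:]]*//p' "$spec" | head -n 1)
    src=$(sed -n 's/^Source0:[[:space:]]*//p' "$spec" | head -n 1)
    printf '%s\n' "$src" | sed "s/%{name}/$name/g; s/%{version}/$version/g"
}

# Compare the MD5 of a local file with an expected digest (for instance the
# one published on the upstream author's site). Returns 0 on match, 1 otherwise.
check_md5() {
    file="$1"
    expected="$2"
    actual=$(md5sum "$file" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ]
}

# Constructed sample inputs: a minimal spec fragment and a stand-in for the
# tarball. Neither is the real RPM Sphere file.
workdir=$(mktemp -d)
cat > "$workdir/ninvaders.spec" <<'EOF'
Name: ninvaders
Version: 0.1.2
URL: http://ninvaders.sourceforge.net/
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
EOF
printf 'hello\n' > "$workdir/ninvaders-0.1.2.tar.bz2"

# Step 1: what does the spec claim the source is? A real run would then try to
# fetch this URL (wget/curl) to confirm it actually exists.
url=$(spec_source0_url "$workdir/ninvaders.spec")
echo "Source0 expands to: $url"

# Step 2: does the shipped tarball match the upstream-published digest?
# The digest below is the MD5 of the constructed stand-in ("hello\n"), not of
# the real 0.1.2 tarball.
published_md5=b1946ac92492d2347c6235b4d2611184
if check_md5 "$workdir/ninvaders-0.1.2.tar.bz2" "$published_md5"; then
    echo "checksum OK: tarball in SRPM matches published digest"
else
    echo "checksum MISMATCH: do not trust this SRPM's tarball"
fi
```

Run it with a real spec and tarball by pointing `spec_source0_url` and `check_md5` at the files unpacked from the SRPM; a URL that fails to download, or a digest that does not match what upstream publishes, is the signal that the package was not built the way its spec says.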
If the spec file was shared openly in text form, this would be much easier to spot and correct.
Was the ninvaders-0.1.2 RPM built from this SRPM though? Probably, but we don’t know.
What version of Fedora was it built on? We don’t know. They don’t use the dist tag (e.g. fc38) like Fedora (they don’t have to, but it would be nice to have).
Since I’ve gotten this far, I decided to build ninvaders on Copr. I used the last version of the Fedora spec file from F31 (which the RPM Sphere spec file is also based on) and updated it to 0.1.2 with the correct URL.
Don’t take my word for it—you can review the source repo and the build logs before installing. Pagure even links the specific Copr build from a commit. Hopefully this demonstrates the benefits of using open systems over dumping binaries on GitHub.
By the way, there is a different 0.1.2 in the fork sf-refugees/ninvaders. This fork is used by the gentoo ninvaders package.
Other distro packages (Debian, Ubuntu, openSUSE, and the BSDs) seem to be using the original 0.1.1 with their own patches to fix building on modern systems.