Hi Personally I would recommend the usage of suspicious-source (from ubuntu-dev-tools?). I believe it already catches this, else asking them to catch it seems very reasonable. ~Niels