Given that the intention of Homebrew is to be user contributed, and primarily bottled (not from source), how are submitted bins verified non-malicious?
I say this because although there are clearly well-intentioned people, verifying a SHA256 of a bin does not certify the veracity of the src.
So clearly a malicious user could contribute a subtly malicious build with valid SHA digest.
Surely -s (build from source) should be the default. Why are bottles preferred given this weakness?