Verification process ota update files

[simbados]

Thanks for the awesome work on bringing OTAs to so many devices.

I have a question regarding the verification of the ota files.
It seems that anyone can create a PR with a new ota file for a device.
For example #915
The user had no track record (recently created) and there is no visible connection to Sonoff.
This seems like a somewhat risky situation where no one really knows if the new firmware is from Sonoff or not.
Maybe I am missing something here and Koenkk has some other ways of verifying that the firmware is from a reputable source?
There is also a post in the home assistant community about this:
https://community.home-assistant.io/t/new-sonoff-trv-firmware/949900

Thanks in advance!

[Koenkk]

Its not check indeed, I think it might be good to ask for the official link in the future

[simbados]

zigpy already has sonoff as an ota provider, all the firmware update urls can be found at:
https://zigbee-ota.sonoff.tech/releases/upgrade.json