They could still be false-positives for new packages, no? As in, I'm
not really seeing your distinction here between fresh vs. existing
packaging.
Yes, there's definitely a risk of false positives.
But if a maintainer were about to upload a new package, or introduced changes to an existing package, that used DEB_BUILD* or DEB_TARGET* instead of DEB_HOST_MULTIARCH, I suspect the usage is most likely incorrect.
Mmm, but unless I'm missing something these could still have false-
positives too? Can you give some concrete examples for this so we
aren't talking too much in the abstract here?