
You can materialize the source on an EC2 instance by simply typing one command, which is fully documented in the User Guide.


I must have scrolled right past it when reading the PDF.

It turns out that no, you can't just materialize all the source by simply typing one command. get_reference_source is a rather absurd python script: https://gist.github.com/86abe580675500a35900

It requires your nonsecret AWS account ID as a parameter, but the server it's making requests to is only available inside the EC2 network. They already know who you are, they rented you the damn box! There's no check that the account ID is the one that created the box either. As an added bonus, the input sanitization code allows dashes, as Amazon always displays it, but it passes it along verbatim to a web service that does not.

It takes one package at a time, which must already be installed for it to match the name, and the script is interactive — it always attempts to prompt you for 'Are these parameters correct? Please type 'yes' to continue' even if it's not connected to a TTY.

The web service responds with a unique signed S3 URL that is set to expire 30 minutes in the future, plus or minus a minute or so. It then downloads it to a fixed location: /usr/src/srpm/debug/

Most of this could be alleviated by just hacking up the shitty python script, but still, this is ridiculous. Why did they do it at all?
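An added example, not part of the thread and not taken from Amazon's script: one way a wrapper could avoid the two input-handling problems described above, by canonicalizing the account ID before it is sent anywhere and by refusing to prompt when stdin is not a TTY. The function names and the `assume_yes` parameter are hypothetical.

```python
import re
import sys

# AWS account IDs are 12 digits; the console displays them grouped as
# 1234-5678-9012. Accept either form, nothing in between.
ACCOUNT_ID_FORMS = re.compile(r"\d{12}|\d{4}-\d{4}-\d{4}")


def canonical_account_id(raw):
    """Validate an account ID and return the dash-free 12-digit form.

    Validation and canonicalization happen together, so the value that
    passed the check is the same value the backend receives.
    """
    candidate = raw.strip()
    if ACCOUNT_ID_FORMS.fullmatch(candidate) is None:
        raise ValueError("account ID must be 12 digits, optionally grouped 4-4-4")
    return candidate.replace("-", "")


def confirm(summary, assume_yes=False, stdin=None, stdout=None):
    """Ask for confirmation only when a human can actually answer.

    Returns True if the caller pre-approved (assume_yes) or typed 'yes'
    at a terminal. Returns False without prompting when stdin is not a
    TTY, so cron jobs and pipelines fail fast instead of hanging.
    """
    stdin = stdin if stdin is not None else sys.stdin
    stdout = stdout if stdout is not None else sys.stdout
    if assume_yes:
        return True
    if not stdin.isatty():
        return False
    stdout.write(f"{summary}\nAre these parameters correct? "
                 "Please type 'yes' to continue: ")
    stdout.flush()
    return stdin.readline().strip().lower() == "yes"


if __name__ == "__main__":
    # Constructed sample value, not a real account.
    account = canonical_account_id("1234-5678-9012")
    if confirm(f"account={account}", assume_yes="--yes" in sys.argv):
        print("would request source for account", account)
    else:
        sys.exit("not confirmed (pass --yes when running non-interactively)")
```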



