On Fri, 26 Jun 2009 08:41:49 -0400 Daenyth Blank <[email protected]> wrote:
> On Thu, Jun 25, 2009 at 23:05, Xyne<[email protected]> wrote:
> >> Principally you are right, but pressing a button "report malicious
> >> package" could or should send an e-mail to this mailing list or to
> >> every TU automatically. This would be the easiest way for the
> >> users.
> >
> > That could lead to spam. A better system would be similar to the
> > out-of-date system that we currently have, with some changes. You
> > press the "report malicious package" button, submit a reason, and
> > then a message gets automatically posted to the list. At the same
> > time, it also displays on the AUR page and flagged packages can be
> > filtered in the search the same way out-of-date packages can. The
> > reporter would also be mentioned in the list (to prevent people
> > from anonymously flagging packages without reason).
> >
> >
> I'm not sure if I'll be agreed with here, but I think the whole idea
> of this feature is not needed. The AUR has been up for how many years,
> and I haven't even *heard* of a malicious package. I don't think we
> should add features (and spend effort coding, and make the interface
> *more* cluttered) unless there is a need for the feature.

Well, I found a possibly malicious package but didn't investigate
further, simply requested deletion/orphanage and re-did it if I remember
correctly. The issue there was that the source was downloaded not from
the official page but somewhere else and at least re-compressed with a
different method. At least compressed it was bigger than the original
source but I didn't compare the content. No idea if it really was an
attempt at doing something bad or simply something else, but it was
suspicious at least. Now you've heard of such a thing ;)
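
Added example, not part of the original message or of any AUR tooling: one way to do the content comparison the message says was skipped, hashing each member of two tarballs so that a different compression method alone produces no difference. The function names are hypothetical and the archives are constructed sample data.

```python
import hashlib
import io
import tarfile


def member_digests(archive: bytes) -> dict:
    """Map each member path to a SHA-256 over its type and content."""
    digests = {}
    # mode "r:*" auto-detects gzip/bzip2/xz, so compression does not matter.
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            h = hashlib.sha256(member.type)
            if member.isfile():
                h.update(tar.extractfile(member).read())
            else:
                # Directories, links, devices: record the link target only.
                h.update(member.linkname.encode())
            digests[member.name] = h.hexdigest()
    return digests


def compare_archives(official: bytes, packaged: bytes) -> dict:
    """Report members added to, removed from, or changed in `packaged`."""
    a, b = member_digests(official), member_digests(packaged)
    return {
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def build_tar(files: dict, compression: str) -> bytes:
    """Build a constructed sample archive in memory (gz, bz2 or xz)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + compression) as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data: an "official" source tree and a modified copy.
UPSTREAM = {
    "foo-1.0/Makefile": b"all:\n\tcc -o foo foo.c\n",
    "foo-1.0/foo.c": b"int main(void){return 0;}\n",
}
MODIFIED = {**UPSTREAM, "foo-1.0/Makefile": b"all:\n\tsh extra.sh\n",
            "foo-1.0/extra.sh": b"echo constructed\n"}
```

An empty result from `compare_archives` means the repackaged source differs only in its container; any entry under `added` or `changed` names the file to read before building.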
