On 5/27/26 8:22 PM, David C Rankin wrote:
> You guys/gals are doing a great job, but I suspect we will have to
> go do some type of "confirmed identity policy" for all AUR accounts.

+1 for this, although I don't think it's a matter of identity
verification but rather of tracking trust.
Some ideas that come to mind are:
- Tracking ownership of packages through git itself so that helpers can
  parse it and show it.
- An adoption queue so that ownership changes have to be approved by mods.
- Some sort of "karma" tracking based on weighted contributions + time
  of contributions.
- Automatic analysis and reporting of packages and built binaries (this
  is somewhat easier without any internal involvement).
The Web of Trust idea also sounds really interesting.
In any case, I feel like the real question after _if_ something like
this should be implemented is where the line should be drawn so that new
users can contribute without _that_ much of a hassle.
Not an Arch TU myself, but should an RFC be started around this topic?
I'd expect it would be a heavy discussion one.
Kindly,
Fermín Olaiz