Thanks for the replies, I really appreciate the input. *Corey:* yeah that's exactly the idea. LLM as an assistant, not a gatekeeper.
On the cost question that both of you raised, I agree, running a full general-purpose LLM long term would be overkill and expensive. John is right about prompt injection too, and I don't want to downplay it. It's a real problem and an unsolved one industry-wide right now. I think for a proof of concept though, we don't need to overthink it. Here's what I'm thinking: - *Start with Gemini*: I can spare some budget for the initial testing and experimentation. It lets us move fast, see if the idea even works in practice, and figure out what patterns to look for without spending weeks training something first. - Fall back to a fine-tuned or specialized model later. Once we know what works and have a decent dataset of malicious vs clean PKGBUILDs, we can train something lightweight and purpose built. Training a model right now without that data and learnings would be a lot of work for uncertain results. - Use it as one signal among many, alongside static analysis, namcap, and community reporting. Humans still make the final call. So basically: Gemini to prove the concept, specialized model for production. Crawl, walk, run. If anyone's interested in building this POC with me, I'd love to team up. Even just helping collect known malicious PKGBUILDs to test against would be a huge help. Hit me up if you want in. Cheers On Fri, May 29, 2026 at 2:02 PM <[email protected]> wrote: > Greetings, > > first time poster here. Hope I'm doing this right. > > > On Friday, May 29th, 2026 at 10:09, Shyamin Ayesh <[email protected]> wrote: > > > So here's my possibly unpopular suggestion: *what if we used LLMs as a > first-pass filter for AUR submissions?* > > > What worries me most about LLMs in this context is the possibility of > prompt injection. People like Plini (not saying Plini themself) would have > a field day with this. > > Another thing is the dependency on AI, which is currently heavily > subsidized and will become much more expensive in the not so far future. > Yeah, you could have your own "local" model for this, but that costs money, > too. Admittedly I know nothing about the budget of the AUR. > > All that being said, I think it's worth a try. But it needs to be > thoroughly tested for its own vulnerabilities and evaluated regarding the > cost (time and money) versus the benefit. > > > Best, > John > > > -- Shyamin Ayesh mobile: 0775251479 email: [email protected] <http://www.facebook.com/shyaminayesh> <https://twitter.com/shyaminayesh> <https://lk.linkedin.com/in/shyamin> <https://www.instagram.com/shyaminayesh/>
