On 5/28/26 11:09 PM, Mark Hegreberg wrote:
> The expectation of the AUR is that users vet upstream software, and
> read the PKGBUILD, right? If you do this, none of the malicious
> packages I've seen would have affected you. I worry building any
> kind of formal vetting or reputation system for AUR packages will
> look like a de facto endorsement of the packages themselves, which I
> don't think we're trying to do.
>
> Correct me if I'm missing something, but I don't see the value in
> anything past letting your AUR helper show you diffs, which the ones
> I've used all do. Anything else we do raises the barrier for
> community AUR contributions, and won't provide meaningful warranty
> or security.
>
> Mark
Well, you may be shooting a little wide.

Adding protection against malicious activity in AUR isn't to protect the
gifted and diligent users, but rather it is to protect the reputation of
AUR and all users.

With the increase in supply chain attacks and package poisonings, it
would simply be negligent not to explore options for tightening security
against malicious commits on AUR.

Two poisoned packages in as many days, that we know about, is a wakeup
call. AUR security is basically what it was in 2009; the threats AUR and
every package repository face on a daily basis have grown by orders of
magnitude.

It would serve Arch, and us all, well to ensure AUR's protections keep
pace with the threats it faces. The status quo isn't an option, and I
wish that were not the case, but it is.

I have a hard time understanding the argument for leaving AUR vulnerable
to the current abuses we have seen. That just helps the bad actors
poison more packages and spread more malware.

I don't want to see that happen and I don't want to see our good
moderators get burned out spending time fixing poisoned packages if that
can be prevented in the first place.

That's my cut on it, am I missing something?

I think it would be productive to create an RFP for discussion. I'm not
sure who does that, but that would provide a way to capture the ideas,
for and against, in a forum better suited to the task. It would also
collect in one place the ideas (as opposed to going back and forth to
post in a couple of threads).

Hopefully one of the moderators can do that or elevate it to the folks
that do it.
--
David C. Rankin, J.D., P.E.