It's going to heavily bottleneck them though. 10 believable commits aren't 
hard, but imagine doing that at scale. 10 is easy, 100 is hard, 1000 is nearly 
impossible.

If we only had one account posting malware at any given time I would consider 
it a victory.
-- 
Borna Punda


-------- Original Message --------
From: "Damian Höster" <[email protected]>
Sent: 31 May 2026 12:04:29 GMT+02:00
To: [email protected]
Subject: Re: Ideas for moderating malicious AUR packages

I think it's not a good idea. It makes the attack surface very predictable, and 
10 trivial and believable commits are not that hard to do.

On 5/31/26 11:41, Jack-Benny Persson wrote:
> On Sunday, May 31st, 2026 at 03:14, Carson Coder <[email protected]> 
> wrote:
> 
>> Hi, I had an idea. What if we flagged the first 10 commits from a new user 
>> for manual review? That way a malicious actor would have to make at least 10 
>> good commits, before making a malicious commit. The main downside I can 
>> think about is that this might add a lot more work for the moderators but 
>> also it would make making malicious packages harder / take longer. Even 
>> then, if someone does make 10 good commits and then makes a malicious 
>> commit, they would have at least contributed 10 good commits. Maybe we could 
>> even make the number of commits vary from user to user (maybe have some sort 
>> of system so someone can't just make 10 commits to change the version of a 
>> package) so that it's harder to know how many good commits need to be made.
>> 
>> (this is my first time mailing this list, if I am being stupid please tell 
>> me nicely)
>> 
> 
> Hi, I think this is an excellent idea. Like you said, even if a user makes 
> a malicious commit after those first 10 commits, at least they contributed 
> with those commits. And generally speaking, the harder it is to make a 
> malicious commit, the fewer bad actors will have the patience to keep at it. 
> There will still be bad actors with lots of time and patience, but the bulk 
> of them might not.
> 
> (This is also my first message to the list, so please be gentle.)
> 
> Best regards,
> Jack-Benny Persson