Bad defense. Attackers will do anything to mask themselves under civilians, 
even if it means helping in the short term.

-------- Original Message --------
On Sunday, 05/31/26 at 05:35 Carson Coder <[email protected]> wrote:
Hi, I had an idea. What if we flagged the first 10 commits from a new user for 
manual review? That way a malicious actor would have to make at least 10 good 
commits before making a malicious commit. The main downside I can think about 
is that this might add a lot more work for the moderators, but also it would 
make making malicious packages harder / take longer. Even then, if someone does 
make 10 good commits and then makes a malicious commit, they would have at 
least contributed 10 good commits. Maybe we could even make the number of 
commits vary from user to user (maybe have some sort of system so someone can't 
just make 10 commits to change the version of a package) so that it's harder to 
know how many good commits need to be made.

(this is my first time mailing this list, if I am being stupid please tell me 
nicely)
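The gate proposed in the quoted message, written out as an added example that is not part of this thread and not any registry's actual code: commits from an author below a per-user threshold are routed to manual review, the threshold is derived from a server-side secret so the author cannot learn it, and commits that only bump version metadata do not raise the author's count. The metadata file list, the version-bump regex, the threshold range 5..20 and the sample commits are all constructed assumptions.

```python
import hmac
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed: files whose change alone earns no trust, since a
# version bump is cheap to produce in bulk (the concern raised above).
METADATA_FILES = {"package.json", "setup.py", "pyproject.toml",
                  "Cargo.toml", "CHANGELOG.md"}
# Constructed: commit messages that read like a release/version bump.
VERSION_BUMP_RE = re.compile(r"^(bump|release)\b.*\d", re.IGNORECASE)


@dataclass(frozen=True)
class Commit:
    author: str
    message: str
    files: Tuple[str, ...]


def is_trivial(commit: Commit) -> bool:
    """True when the commit only touches metadata files or looks like a
    version bump; such commits are reviewed but do not build trust."""
    only_metadata = all(f in METADATA_FILES for f in commit.files)
    return only_metadata or bool(VERSION_BUMP_RE.match(commit.message))


def hmac_threshold(author: str, secret: bytes, low: int = 5, high: int = 20) -> int:
    """Per-user review threshold in [low, high]. HMAC over the author name
    with a server-side secret makes it stable per user yet unguessable."""
    digest = hmac.new(secret, author.encode(), hashlib.sha256).digest()
    return low + int.from_bytes(digest[:4], "big") % (high - low + 1)


class TrustGate:
    """Routes commits to manual review until the author has enough
    substantive commits approved by a moderator."""

    def __init__(self, threshold_fn: Callable[[str], int]):
        self._threshold = threshold_fn
        self._approved: Dict[str, int] = {}  # substantive approved commits per author

    def route(self, commit: Commit) -> str:
        """'manual_review' while below the author's threshold, else 'auto'."""
        if self._approved.get(commit.author, 0) < self._threshold(commit.author):
            return "manual_review"
        return "auto"

    def approve(self, commit: Commit) -> int:
        """Called after a moderator accepts a flagged commit. Trivial commits
        are accepted but do not raise the count. Returns the new count."""
        if not is_trivial(commit):
            self._approved[commit.author] = self._approved.get(commit.author, 0) + 1
        return self._approved.get(commit.author, 0)


def simulate(commits: List[Commit], threshold_fn: Callable[[str], int]) -> List[Tuple[str, str]]:
    """Run commits through the gate, assuming moderators approve every
    flagged commit; returns (message, decision) pairs."""
    gate = TrustGate(threshold_fn)
    log = []
    for c in commits:
        decision = gate.route(c)
        if decision == "manual_review":
            gate.approve(c)
        log.append((c.message, decision))
    return log


if __name__ == "__main__":
    # Constructed sample: three version bumps, then four real changes.
    sample = [Commit("newbie", f"bump version 1.0.{i}", ("package.json",)) for i in range(3)]
    sample += [Commit("newbie", f"fix bug {i}", ("src/lib.py",)) for i in range(4)]
    secret = b"constructed-server-secret"
    print("threshold for newbie:", hmac_threshold("newbie", secret))
    for msg, decision in simulate(sample, lambda a: 3):
        print(f"{decision:14} {msg}")
```

With a fixed threshold of 3 the three version bumps are all sent to review without counting, the next three real fixes are reviewed and counted, and only the seventh commit is auto-accepted; in deployment `hmac_threshold` would replace the fixed lambda.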