We very much need to find a solution for preventing malicious packages. My idea 
is to give each new user a "score", if a user makes a commit and there score is 
below some threshold that commit must be manually reviewed. When these commits 
then influence the user's score. For example, if a new user makes a simple 
commit (like updating the version of a package) their score might go up by one 
or not change at all. On the other hand, if they add a new package or make a 
major update to a package, their score would go up by more. That way a 
malicious user would need to actually make meaningful commits, which is harder 
to automate and at least does some good for the aur. I have said this idea 
already around 2 weeks ago and I am bringing it up again because it seems 
relevant. The problem with just flagging the first 10 commits is that its not 
very hard to automate updating the version of 10 packages. Or flagging commits 
for a week would just result in people waiting a week before making malicious 
commits.

Reply via email to