On 6/12/26 11:13 PM, Greg Minshall wrote:
Carson Coder <[email protected]> wrote:
We very much need to find a solution for preventing malicious
packages. My idea is to give each new user a "score", if a user makes
a commit and there score is below some threshold that commit must be
manually reviewed.
i know precious little about AUR work flows. but one issue that maybe
would need to be resolved with any plan suggesting "manual reviews" is
how to distribute the manual review load to not overburden a
(presumably) small, select group of AUR-admins?
cheers, Greg
On each users AUR dashboard and a "Review Queue" that holds the
manual-intervention packages. If a user has an adequate score, (1,2,3?)
year(s) plus with AUR, then the user should be able to Approve/Deny the
commit.
We should have a quick response prefix for threads in aur-general where
a reviewer can request help if they are unsure about PKGBUILD content.
You should add a "rep" for each AUR user. For each review the user
should gain, e.g. +1 for the effort. Any review failure should cost,
e.g. -50 and result in account suspension for X? days.
Something like that can create a pool of talent and provide incentive
(and penalty) for AUR members that participate.
It worked for StackOverflow, something similar could work here. But,
yes, something needs to be done. Enough hand-wringing, let's put some
guardrails in place.
--
David C. Rankin, J.D.,P.E.