On the question of who sponsors the work and effort...


While we are discussing strategies, it is important to set goals.

If the goal is to 100% secure the AUR, it is going to take 100% effort. But according to the old 80/20 rule, we can achieve 80% security with 20% effort.


In my opinion, we should aim to close the door these attackers got through, without over-engineering things. That would be the least effort for the most gain.

I _still_ think a registry of allowed users is the best way forward to achieve this.


How to _get_ registered seems to be the tricky bit, especially when considering anonymity concerns, but there may just be a way forward:

A new AUR maintainer could ask on the mailing list for some people to vouch for them, and provide an email address for correspondence.

Once a certain number of existing AUR maintainers have vouched for the new user, they get write access, or maybe they get write access straight away and their packages are just hidden until the community has gained enough trust in that maintainer to un-hide the packages for general consumption.


**This approach would farm out the effort to become a maintainer to the other existing maintainers, while providing anonymity still.**

There could even be a little bit of a dashboard in the AUR web interface where new maintainers can request access and be voted on.


Could this be subverted?  Sure.

But, it would stop an llm registering hundreds or thousands of new maintainers and then using them for nefarious purposes.

This should reduce the attack surface dramatically, and limit the blast radius if a maintainer waits for a period before poisoning the pool.


How to kick it off? Maybe the trusted pool can be populated with current maintainers that maintain packages that have a certain number of votes, or have been maintaining packages for a certain amount of time, or whatever metric or combination of metrics we choose that would inspire trust.


Just some ideas to get the creative juices flowing...

:)

Reply via email to