On the question of who sponsors the work and effort...
While we are discussing strategies, it is important to set goals.
If the goal is to 100% secure the AUR, it is going to take 100% effort.
But according to the old 80/20 rule, we can achieve 80% security with
20% effort.
In my opinion, we should aim to close the door these attackers got
through, without over-engineering things. That would be the least effort
for the most gain.
I _still_ think a registry of allowed users is the best way forward to
achieve this.
How to _get_ registered seems to be the tricky bit, especially when
considering anonymity concerns, but there may just be a way forward:
A new AUR maintainer could ask on the mailing list for some people to
vouch for them, and provide an email address for correspondence.
Once a certain number of existing AUR maintainers have vouched for the
new user, they get write access, or maybe they get write access straight
away and their packages are just hidden until the community has gained
enough trust in that maintainer to un-hide the packages for general
consumption.
**This approach would farm out the effort to become a maintainer to the
other existing maintainers, while providing anonymity still.**
There could even be a little bit of a dashboard in the AUR web interface
where new maintainers can request access and be voted on.
Could this be subverted? Sure.
But, it would stop an llm registering hundreds or thousands of new
maintainers and then using them for nefarious purposes.
This should reduce the attack surface dramatically, and limit the blast
radius if a maintainer waits for a period before poisoning the pool.
How to kick it off? Maybe the trusted pool can be populated with current
maintainers that maintain packages that have a certain number of votes,
or have been maintaining packages for a certain amount of time, or
whatever metric or combination of metrics we choose that would inspire
trust.
Just some ideas to get the creative juices flowing...
:)