On 17/06/2026 12:43, Sam K wrote:
A new AUR maintainer could ask on the mailing list for some people to vouch for
them, and provide an email address for correspondence.
Once a certain number of existing AUR maintainers have vouched for the new
user, they get write access, or maybe they get write access straight away and
their packages are just hidden until the community has gained enough trust in
that maintainer to un-hide the packages for general consumption.
I see one issue here. Couldn't bot accounts vouch for each other? You
could have a chain of vouching that wouldn't involve human maintainers
at all. I think trust must be earned, not given.
True, but this pattern would also be very easy to spot.
Humans just do things a lot slower than a bot. The first bot would also
have trouble getting accepted as a maintainer.
Remember, we are aiming for an improvement in security that does not
take too much effort, not 100% secure that would be a massive pain in
the neck to maintain.
Sam
--
Kind regards
Evert Vorster