On 17/06/2026 12:43, Sam K wrote:
A new AUR maintainer could ask on the mailing list for some people to vouch for 
them, and provide an email address for correspondence.
Once a certain number of existing AUR maintainers have vouched for the new 
user, they get write access, or maybe they get write access straight away and 
their packages are just hidden until the community has gained enough trust in 
that maintainer to un-hide the packages for general consumption.
I see one issue here. Couldn't bot accounts vouch for each other? You
could have a chain of vouching that wouldn't involve human maintainers
at all. I think trust must be earned, not given.

True, but this pattern would also be very easy to spot.

Humans just do things a lot slower than a bot. The first bot would also have trouble getting accepted as a maintainer.


Remember, we are aiming for an improvement in security that does not take too much effort, not 100% secure that would be a massive pain in the neck to maintain.


Sam

--
Kind regards
Evert Vorster

Reply via email to