On 6/17/26 11:48 AM, Evert Vorster wrote:
On 17/06/2026 12:43, Sam K wrote:
A new AUR maintainer could ask on the mailing list for some people
to vouch for them, and provide an email address for correspondence.
Once a certain number of existing AUR maintainers have vouched for
the new user, they get write access, or maybe they get write access
straight away and their packages are just hidden until the community
has gained enough trust in that maintainer to un-hide the packages
for general consumption.
I see one issue here. Couldn't bot accounts vouch for each other? You
could have a chain of vouching that wouldn't involve human maintainers
at all. I think trust must be earned, not given.
True, but this pattern would also be very easy to spot.
Humans just do things a lot slower than a bot. The first bot would
also have trouble getting accepted as a maintainer.
Remember, we are aiming for an improvement in security that does not
take too much effort, not 100% secure that would be a massive pain in
the neck to maintain.
Sam
Hello list users.
I've followed a bit on this thread, and I completely disagree with
anything that utilizes an LLM, It's simply too much computing power for
something that is far non-deterministic; A local ML model might be a
good advisor, still not a proper solution. also goodwill of maintainers.
I believe the debate has been about balancing the anonymity and the
overall effort vs perfect security, I think a vouching system isn't the
most proper form of handling it, while it might serve the people that
are most dedicated, it might limit the newbies and just open more doors
for harassing already established maintainers to make them "vouch" for
people, So i see that every maintainer needs an account that is at least
6 months old -/varies-/ before they have any writing access with the
ability of bypassing that 6 months window, if they are about to create a
completely new package that should be limited to only "technical users"
status, which anybody should be able to acquire.
As for normal users, they are only limited to the public and well-known
packages; that are limited to well-known maintainers where a reputation
system of some sort (sort of like old forums; stackoverflow?) might serve.
With perhaps some typical rate-limiting, device fingerprinting where
acceptable to keep track of massive amount of accounts made from some
place.