On 6/17/26 11:48 AM, Evert Vorster wrote:

On 17/06/2026 12:43, Sam K wrote:
A new AUR maintainer could ask on the mailing list for some people to vouch for them, and provide an email address for correspondence. Once a certain number of existing AUR maintainers have vouched for the new user, they get write access, or maybe they get write access straight away and their packages are just hidden until the community has gained enough trust in that maintainer to un-hide the packages for general consumption.
I see one issue here. Couldn't bot accounts vouch for each other? You
could have a chain of vouching that wouldn't involve human maintainers
at all. I think trust must be earned, not given.

True, but this pattern would also be very easy to spot.

Humans just do things a lot slower than a bot. The first bot would also have trouble getting accepted as a maintainer.


Remember, we are aiming for an improvement in security that does not take too much effort, not 100% secure that would be a massive pain in the neck to maintain.


Sam
Hello list users.

I've followed a bit on this thread, and I completely disagree with anything that utilizes an LLM, It's simply too much computing power for something that is far non-deterministic; A local ML model might be a good advisor, still not a proper solution. also goodwill of maintainers.

I believe the debate has been about balancing the anonymity and the overall effort vs perfect security, I think a vouching system isn't the most proper form of handling it, while it might serve the people that are most dedicated, it might limit the newbies and just open more doors for harassing already established maintainers to make them "vouch" for people, So i see that every maintainer needs an account that is at least 6 months old -/varies-/ before they have any writing access with the ability of bypassing that 6 months window, if they are about to create a completely new package that should be limited to only "technical users" status, which anybody should be able to acquire. As for normal users, they are only limited to the public and well-known packages; that are limited to well-known maintainers where a reputation system of some sort (sort of like old forums; stackoverflow?) might serve.

With perhaps some typical rate-limiting, device fingerprinting where acceptable to keep track of massive amount of accounts made from some place.

Reply via email to