On 17/06/2026 14:44, Atte wrote:
I can't say I'm convinced introducing partial human review systems to AUR is the right move. The scope of the repository is huge (100k+ packages, many of which are orphaned and even more are likely outdated, so things that will change ownership once someone cares) and includes very niche things it would be hard to find reviewers for.

The web of trust also scales. It's not like anyone is asking anyone else to maintain or even look at packages that they are not interested in. Admittedly, I don't know the number of maintainers in the AUR, but I do know these 100k+ packages were created by people that once were maintainers, so it is not inconceivable to think that we have enough people to tackle this without any single person becoming overburdened.


Enthusiastic people on forums or IRC are hardly the people who you can count on to actually commit to becoming package maintainers, let alone people you can by default trust with actually verifying whether or not a package is safe. I would expect 90%+ of the people currently up in arms about this and ready to change the world for the better to forget about it in a week or two once they get bored of using LLMs to produce the 100th "PKGBUILD checker AI tool" this week.

It is more about maintaining trust than the quality of packages. Each maintainer maintains the software that they care about, same as today. The difference in having a web of trust is that it becomes impossible to just adopt and create new packages if no one trusts you.


Let me give you a little example:

I have had packages in the AUR for quite a few years, some of which are moderately popular. In addition, I have quite a few AUR packages installed on my system. (~150 packages)

Turns out I had a few packages installed that were orphans, (which I adopted now just to keep them out of the hands of nefarious individuals).

If you contacted me as another trusted maintainer and expressed interest in maintaining a package, I would very easily hand over maintainership if it is a package that would be orphaned otherwise.

However, I would first make sure that you are someone that I trust as I am running the software on my system. <- **This is the only new step.**


Keep in mind that nothing stops you from making a local package for your own system, the AUR is intended for when you want to share your work with a wider audience. So, with a web of trust you would have to gain the trust of other trusted people, making it much more difficult (not impossible, mind you) to do wholesale damage.

So, a new maintainer would in theory ask for permission to add stuff to the AUR, but even if that is approved, that maintainer would not automatically be able to approve other maintainers, for that a higher level of trust needs to be earned, somehow. (votes, number of maintained packages, age of maintained packages, whatever metrics we can pull from the AUR for a user so we don't need to have a human review every tiny step.)


The beauty of this is that it scales nicely, gets people involved, and you can still just ignore it if you want, or are too busy with other things.

I feel like a massive effort to turn AUR into something it isn't (a repository with human reviews maintained by trusted maintainers) is just something that makes it prone to getting a clogged up review queue, becoming inaccessible to new contributors and outdated if people can't "easily" take over packages that have been abandoned, especially with the rules regarding duplicate submissions.

I'm not talking about policing the AUR, or even reviewing the packages. Just making it a bit more of an exclusive club to keep the troublemakers out.


If people want a proper human reviewed PKGBUILD or package repository for things unavailable in extra for one reason or another they should look to create one for that purpose (think RPMFusion) rather than trying to repurpose AUR for that goal. At least that way whatever group of volunteers that wants to take up such a review effort can scale up their repository and work according to their capacity rather than hoping they have the capacity of moderating the entire AUR.

Again, if we focus on who is actually able to add to the AUR, the people who actually use the software in question will ensure that the PKGBUILDS are proper, or at least good enough so that it is usable. The issue with many different repositories is that they are almost undiscoverable, and have even less trust that what is in the AUR.

I myself have discovered some great software in the AUR and have good working relationships with the people that maintain the PKGBUILDS and sometimes the upstream software as well as a result.


At the very least I find the idea of a half human reviewed repository where things are maybe sometimes reviewed based on some heuristics (that a potential attacker can just test their malicious package against before publishing) is just a worthless exercise in trying to build a false sense of security in a repository where people should trust nothing but their ability to review the contents of a package before installing it.

You are right on this point. Ultimately, there are warning signs everywhere saying that the AUR is untrusted, and that you have to review packages before installing.

In fact, this is where I think the whole issue is a lot more overblown than it needed to be.

Orphan packages are by definition packages that almost no one uses, and so the attack did not go as far as the attacker had hoped.

The same thing with new packages and new maintainers, as those packages are also not likely to be requirements or installed on many computers.


I do wish my AUR helper would have made a little more noise about the orphaned packages that I was using though. But, I have to accept blame for the warnings that it did produce that I ignored. <- Lesson learned.

In conclusion, I think the AUR is working as intended, and only tiny tweaks are needed to avoid repeats of this sort of thing, rather than a huge redesign with stupid amounts of review and oversight.

Best regards,

Evert

Reply via email to