On 17/06/2026 14:44, Atte wrote:
I can't say I'm convinced introducing partial human review systems to
AUR is the right move. The scope of the repository is huge (100k+
packages, many of which are orphaned and even more are likely
outdated, so things that will change ownership once someone cares) and
includes very niche things it would be hard to find reviewers for.
The web of trust also scales. It's not like anyone is asking anyone else
to maintain or even look at packages that they are not interested in.
Admittedly, I don't know the number of maintainers in the AUR, but I do
know these 100k+ packages were created by people that once were
maintainers, so it is not inconceivable to think that we have enough
people to tackle this without any single person becoming overburdened.
Enthusiastic people on forums or IRC are hardly the people who you can
count on to actually commit to becoming package maintainers, let alone
people you can by default trust with actually verifying whether or not
a package is safe. I would expect 90%+ of the people currently up in
arms about this and ready to change the world for the better to forget
about it in a week or two once they get bored of using LLMs to produce
the 100th "PKGBUILD checker AI tool" this week.
It is more about maintaining trust than the quality of packages. Each
maintainer maintains the software that they care about, same as today.
The difference in having a web of trust is that it becomes impossible to
just adopt and create new packages if no one trusts you.
Let me give you a little example:
I have had packages in the AUR for quite a few years, some of which are
moderately popular. In addition, I have quite a few AUR packages
installed on my system. (~150 packages)
Turns out I had a few packages installed that were orphans, (which I
adopted now just to keep them out of the hands of nefarious individuals).
If you contacted me as another trusted maintainer and expressed interest
in maintaining a package, I would very easily hand over maintainership
if it is a package that would be orphaned otherwise.
However, I would first make sure that you are someone that I trust as I
am running the software on my system. <- **This is the only new step.**
Keep in mind that nothing stops you from making a local package for your
own system, the AUR is intended for when you want to share your work
with a wider audience. So, with a web of trust you would have to gain
the trust of other trusted people, making it much more difficult (not
impossible, mind you) to do wholesale damage.
So, a new maintainer would in theory ask for permission to add stuff to
the AUR, but even if that is approved, that maintainer would not
automatically be able to approve other maintainers, for that a higher
level of trust needs to be earned, somehow. (votes, number of maintained
packages, age of maintained packages, whatever metrics we can pull from
the AUR for a user so we don't need to have a human review every tiny step.)
The beauty of this is that it scales nicely, gets people involved, and
you can still just ignore it if you want, or are too busy with other
things.
I feel like a massive effort to turn AUR into something it isn't (a
repository with human reviews maintained by trusted maintainers) is
just something that makes it prone to getting a clogged up review
queue, becoming inaccessible to new contributors and outdated if
people can't "easily" take over packages that have been abandoned,
especially with the rules regarding duplicate submissions.
I'm not talking about policing the AUR, or even reviewing the packages.
Just making it a bit more of an exclusive club to keep the troublemakers
out.
If people want a proper human reviewed PKGBUILD or package repository
for things unavailable in extra for one reason or another they should
look to create one for that purpose (think RPMFusion) rather than
trying to repurpose AUR for that goal. At least that way whatever
group of volunteers that wants to take up such a review effort can
scale up their repository and work according to their capacity rather
than hoping they have the capacity of moderating the entire AUR.
Again, if we focus on who is actually able to add to the AUR, the people
who actually use the software in question will ensure that the PKGBUILDS
are proper, or at least good enough so that it is usable. The issue with
many different repositories is that they are almost undiscoverable, and
have even less trust that what is in the AUR.
I myself have discovered some great software in the AUR and have good
working relationships with the people that maintain the PKGBUILDS and
sometimes the upstream software as well as a result.
At the very least I find the idea of a half human reviewed repository
where things are maybe sometimes reviewed based on some heuristics
(that a potential attacker can just test their malicious package
against before publishing) is just a worthless exercise in trying to
build a false sense of security in a repository where people should
trust nothing but their ability to review the contents of a package
before installing it.
You are right on this point. Ultimately, there are warning signs
everywhere saying that the AUR is untrusted, and that you have to review
packages before installing.
In fact, this is where I think the whole issue is a lot more overblown
than it needed to be.
Orphan packages are by definition packages that almost no one uses, and
so the attack did not go as far as the attacker had hoped.
The same thing with new packages and new maintainers, as those packages
are also not likely to be requirements or installed on many computers.
I do wish my AUR helper would have made a little more noise about the
orphaned packages that I was using though. But, I have to accept blame
for the warnings that it did produce that I ignored. <- Lesson learned.
In conclusion, I think the AUR is working as intended, and only tiny
tweaks are needed to avoid repeats of this sort of thing, rather than a
huge redesign with stupid amounts of review and oversight.
Best regards,
Evert