Maybe it’s just my lack of understanding, but is there a way to bring more 
clarity to the changes made in the pkgbuild or the AUR package I’m considering 
downloading.

1. There’s some advantage to established community members making updates to 
orphaned packages easily.

2. I may choose to review an unknown contributor’s work with more diligence 
than if it’s the same maintainer that’s owned a package forever or is someone I 
choose to give trust to (right or wrong).

3. Stats and timing of a contributors updates.  New accounts that update a 
package or many packages in a short time could give context that’s something is 
off.  Can we already see the last “10” updates to a package by contributor and 
timing and also see what that user’s last “10” contributions were?  10 or 
whatever number.


This would significantly help me understand I need to dig in more on the 
changes for a package I use.

I’m not a developer, but I do know things like npm installs and bash sh need 
consideration to understand what’s happening.

I can review the build and diffs all day long, but if I don’t know what I’m 
looking for, or something is obfuscated, the contributor and metrics can help 
me raise suspicion.






Sent from Proton Mail for iOS.

-------- Original Message --------
On Sunday, 06/21/26 at 05:05 Ralf Mardorf <[email protected]> wrote:
I support tippfehlr's suggestion:

https://gitlab.archlinux.org/archlinux/aurweb/-/work_items/558

Perhaps we could start with less drastic measures, such as creating a
way to submit a report quickly and easily, so that next time there won’t
be long delays when the first signs of an attack appear, because there
were such signs, and we first had to figure out how and where to address
them.

I know I'm repeating myself, but why not try it this way first:

https://gitlab.archlinux.org/archlinux/aurweb/-/work_items/558

You can't save freedom by over-bureaucratizing it through knee-jerk
reactions!

Reply via email to