Maybe it’s just my lack of understanding, but is there a way to bring more clarity to the changes made in the pkgbuild or the AUR package I’m considering downloading.
1. There’s some advantage to established community members making updates to orphaned packages easily. 2. I may choose to review an unknown contributor’s work with more diligence than if it’s the same maintainer that’s owned a package forever or is someone I choose to give trust to (right or wrong). 3. Stats and timing of a contributors updates. New accounts that update a package or many packages in a short time could give context that’s something is off. Can we already see the last “10” updates to a package by contributor and timing and also see what that user’s last “10” contributions were? 10 or whatever number. This would significantly help me understand I need to dig in more on the changes for a package I use. I’m not a developer, but I do know things like npm installs and bash sh need consideration to understand what’s happening. I can review the build and diffs all day long, but if I don’t know what I’m looking for, or something is obfuscated, the contributor and metrics can help me raise suspicion. Sent from Proton Mail for iOS. -------- Original Message -------- On Sunday, 06/21/26 at 05:05 Ralf Mardorf <[email protected]> wrote: I support tippfehlr's suggestion: https://gitlab.archlinux.org/archlinux/aurweb/-/work_items/558 Perhaps we could start with less drastic measures, such as creating a way to submit a report quickly and easily, so that next time there won’t be long delays when the first signs of an attack appear, because there were such signs, and we first had to figure out how and where to address them. I know I'm repeating myself, but why not try it this way first: https://gitlab.archlinux.org/archlinux/aurweb/-/work_items/558 You can't save freedom by over-bureaucratizing it through knee-jerk reactions!
