• Default Username@lemmy.dbzer0.com · 31 up, 1 down · 1 day ago

    The article mentions the potential need for human review. I have no idea how that could be feasible for something as massive as the AUR. Maybe it could work like Nix, where every package goes through a PR/MR process, and then after it gets approved, the submitter is added to the list of contributors. It’s definitely not a perfect process, but it’s better than the zero-review process that the AUR has.

    • ExcelA · 1 up · 9 hours ago

      No, the entire point of AUR is to be a repository of unreviewed publicly submitted scripts. Malware has always been an expectation. If you don’t want that risk, don’t use AUR.

    • taiyang@lemmy.world · 9 up, 1 down · 1 day ago

      I’ve noticed some installers have at least a voting system (e.g. Octopi) which helps… slightly. At least in knowing what the right package name probably is. Crowd-sourced reviewing is probably the only option for such a vast and open system, even if it can be gamed sometimes.

      • 0_o7@lemmy.dbzer0.com · 8 up · 23 hours ago

        imo, there should be automatic tags like “active”, “abandoned”, “maintainer changed recently”, “updated after hiatus” and a few more.

        The arch devs and community can decide on the time frames. It’s not going to be perfect, but it may help warn users of the changes and so they can do a double take.

        Anything other than the “active” ones should show what changed (paru already does this) and users should make a conscious choice to install it anyway. (y/N) instead of going through the installation spamming the return key.

        • bitfucker@programming.dev · 2 up · 14 hours ago

          There’s a reason why we already called it orphaned. The flag already exists. The AUR helper that auto-updates stuff is the problem.
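Added example, not from any participant in the thread: a small Python tagger that derives the advisory tags proposed above ("abandoned", "maintainer changed recently", "updated after hiatus", "active") by comparing the package metadata saved at the last install with what the AUR reports now, and gates the y/N prompt on the result. Only the field names (Maintainer, LastModified) follow the AUR RPC; the snapshot layout, the "stale" tag and the 180/365-day thresholds are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

DAY = 86400
ACTIVE_DAYS = 180   # assumed threshold: updated within this window counts as active
HIATUS_DAYS = 365   # assumed threshold: an update after a gap this long is a hiatus


@dataclass
class Snapshot:
    """Subset of AUR package metadata at one point in time (constructed layout)."""
    taken_at: int              # unix time the helper recorded this snapshot
    maintainer: Optional[str]  # None means orphaned, which the AUR already flags
    last_modified: int         # unix time of the last package update


def tag_package(prev: Optional[Snapshot], cur: Snapshot, now: int) -> list[str]:
    """Return advisory tags for `cur`, using `prev` (the snapshot saved at the
    last install/upgrade, if any) to detect what changed in between."""
    tags: list[str] = []
    if cur.maintainer is None:
        tags.append("abandoned")
    elif prev is not None and prev.maintainer != cur.maintainer:
        # The handover happened somewhere between prev.taken_at and now;
        # the helper first sees it at upgrade time, so it is "recent" to it.
        tags.append("maintainer changed recently")
    if (prev is not None and cur.last_modified > prev.last_modified
            and cur.last_modified - prev.last_modified >= HIATUS_DAYS * DAY):
        tags.append("updated after hiatus")
    if not tags:
        # Nothing suspicious changed; distinguish live from stale packages.
        recent = now - cur.last_modified <= ACTIVE_DAYS * DAY
        tags.append("active" if recent else "stale")
    return tags


def needs_confirmation(tags: list[str]) -> bool:
    """Only a plain 'active' package may proceed without a (y/N) prompt."""
    return tags != ["active"]


if __name__ == "__main__":
    # Constructed scenario: maintainer handover since the last install.
    now = 1_700_000_000
    before = Snapshot(now - 10 * DAY, "alice", now - 20 * DAY)
    after = Snapshot(now, "bob", now - DAY)
    tags = tag_package(before, after, now)
    print(tags, "prompt:", needs_confirmation(tags))
```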

      • joshchandra@midwest.social · 4 up, 1 down · 1 day ago

        It is my speculation based on experience and direct invitations to review stuff that Google effectively does ranked crowd-sourcing for Google Maps, etc., in which Google secretly tracks and gives heftier vote power to veteran accounts with longer histories of competence and reliability (especially, say, accounts that are a decade old and still regularly contributing and proposing corrections), unbeknownst to said account holders themselves. Perhaps their lead could be the way out of such messes.

        • badmin@lemmy.today · 3 up · 13 hours ago

          This is kind of funny, because in the “reviews” part of Google Maps, a “Local Guide” giving a restaurant ⭐⭐⭐⭐⭐ is usually a strong indicator that you shouldn’t eat from there 😉. That has been my experience, at least.

          • joshchandra@midwest.social · 1 up · 3 hours ago

            Huh, well, I can tell you that Google classifies me as a local guide just because I try to regularly review places I go to, and I’m always honest with my reviews… I’ve left some scathing ones (not without reason, I hope) here and there as well 🤷🏻‍♂