Hi all,

I'd like feedback on adding optional Sigstore/Rekor publishing to aurweb before I work on a patch. I'd like to do this to support robust dependency cooldowns in AUR helpers.

The problem: aurweb has no trustworthy history of when a package was pushed. PackageBases.ModifiedTS (LastModified in the API) is the only trusted value. Dependency cooldowns (as recently adopted by npm/crates.io) let clients have a waiting period before installing a package. Now that yay/paru both support hooks, doing this is quite trivial on the client side except for one problem: a client doesn't know what a "1-day old" commit that clears the cooldown is. Relying on commit timestamps obviously doesn't work since those are client-side.

Proposal: on each accepted push, submit a small signed attestation to Rekor. Rekor returns an inclusion proof and a trusted timestamp. It's append-only by construction, verifiable without trusting the AUR, and cheap for us: Rekor holds the log, and the hook in update.py is small and can be feature-flagged off. Clients should be able to search Rekor to discover the commit as per their policy.

Alternative: a GitHub-style events API (https://api.github.com/repos/archlinux/aurweb/events). We save each commit and the corresponding timestamp, but this feels like more work for little gain.

I lean toward Rekor, but I'd welcome opinions on the external dependency and whether a hybrid makes sense. Happy to prototype the update.py hook if there's interest. I don't know yet what form the attestation will take, but opinions/prior art welcome.

- Nemo
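What the client side of this proposal looks like, as an added example (not aurweb, yay or paru code, and not part of the post above): the helper fetches the Rekor entry for the commit it is about to build, checks the RFC 6962/9162 Merkle inclusion proof that Rekor returns, checks that the attestation names that exact commit, and then uses the log's integratedTime, never the git commit date, as the push time for the cooldown. The attestation schema ({"pkgbase", "commit"}) is hypothetical since the post leaves it open; the log is a constructed in-memory stand-in whose entries copy the field names of Rekor's entry response (body, integratedTime, logIndex, verification.inclusionProof), so nothing is fetched from rekor.sigstore.dev.

```python
"""Client-side dependency-cooldown check against Rekor-shaped log entries.

Added example, not aurweb, yay or paru code. The attestation schema
({"pkgbase", "commit"}) is hypothetical, the log is a constructed in-memory
stand-in, and the Merkle hashing follows RFC 6962/9162 as Rekor does.
"""
import base64
import hashlib
import json

COOLDOWN_SECONDS = 24 * 60 * 60  # client policy: the push must be at least one day old


def _leaf_hash(data: bytes) -> bytes:  # RFC 6962 leaf: SHA256(0x00 || data)
    return hashlib.sha256(b"\x00" + data).digest()


def _node_hash(left: bytes, right: bytes) -> bytes:  # RFC 6962 node: SHA256(0x01 || l || r)
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:  # largest power of two strictly smaller than n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves: list) -> bytes:
    """RFC 6962 Merkle tree hash (MTH) over the leaf list."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return _leaf_hash(leaves[0])
    k = _split(len(leaves))
    return _node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_path(m: int, leaves: list) -> list:
    """Sibling hashes from leaf m up to the root (RFC 6962 PATH)."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_path(m, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, leaf_index: int, tree_size: int,
                     path: list, root: bytes) -> bool:
    """RFC 9162 section 2.1.3.2: recompute the root from the leaf and its path."""
    if leaf_index >= tree_size:
        return False
    fn, sn = leaf_index, tree_size - 1
    r = _leaf_hash(leaf)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = _node_hash(p, r)
            if not fn & 1:
                while not (fn & 1 or fn == 0):
                    fn >>= 1
                    sn >>= 1
        else:
            r = _node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def build_log(attestations: list, integrated_times: list) -> list:
    """Constructed stand-in for Rekor: one dict per entry, shaped like an entry of
    Rekor's GET /api/v1/log/entries/{uuid} response. The leaf is the raw body
    here; real Rekor canonicalises the entry first (simplification)."""
    bodies = [json.dumps(a, sort_keys=True).encode() for a in attestations]
    root = merkle_root(bodies)
    return [{
        "body": base64.b64encode(body).decode(),
        "integratedTime": integrated_times[i],
        "logIndex": i,
        "verification": {"inclusionProof": {
            "logIndex": i, "treeSize": len(bodies), "rootHash": root.hex(),
            "hashes": [h.hex() for h in inclusion_path(i, bodies)],
        }},
    } for i, body in enumerate(bodies)]


def cooldown_cleared(entry: dict, pkgbase: str, commit: str, now: int,
                     cooldown: int = COOLDOWN_SECONDS) -> bool:
    """May the client build `commit` of `pkgbase` at unix time `now`? Only the
    log's integratedTime counts as the push time; git dates are pusher-controlled."""
    proof = entry["verification"]["inclusionProof"]
    body = base64.b64decode(entry["body"])
    # 1. The entry really is in the log at the claimed index. rootHash is taken
    #    from the proof for self-containment; a real client must take it from a
    #    checkpoint signed by the log key, or the proof proves nothing.
    if not verify_inclusion(body, proof["logIndex"], proof["treeSize"],
                            [bytes.fromhex(h) for h in proof["hashes"]],
                            bytes.fromhex(proof["rootHash"])):
        return False
    # 2. The attestation names the exact commit about to be built.
    att = json.loads(body)  # hypothetical schema, see module docstring
    if att.get("pkgbase") != pkgbase or att.get("commit") != commit:
        return False
    # 3. The log saw the push at least `cooldown` seconds before `now`.
    return now - entry["integratedTime"] >= cooldown
```

Two things the example deliberately trusts from the entry that a real helper must not: the rootHash and integratedTime have to be checked against Rekor's own signature (the signed checkpoint and the signed entry timestamp) with Rekor's public key, otherwise a mirror or a man-in-the-middle can hand out any values. And because Rekor is a public log that accepts submissions from anyone, the helper must also require that the attestation is signed by the AUR's key: an attacker who controls a commit's contents knows its hash before pushing and could otherwise log a look-alike entry a day early so the commit appears to have already served its cooldown.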