On Tue, 9 Nov 2021 at 11:11, Kevin Morris via aur-general <aur-general@lists.archlinux.org> wrote:
I'd be up for programmatically making it impossible for any user (user or TU) to accept their own requests.
However, that does bring some complications into play in regards to deleting packages.
Currently, on the /packages search page (for a TU), it is possible to delete packages without a request. In the new FastAPI implementation of aurweb, we have countered this accountability issue by auto-generating requests for the action performed. That being said, removing the ability for TUs to accept their own requests would also mean that TUs would not really be allowed to blanket delete packages on their own without a request; furthermore, they couldn't create a request themselves and go through the path.
So... the behavior would have to be changes to only allow blanket deletions on packages which already have a request from _another_ user.
This decision is really up to the Trusted User community of the AUR; not its developers. Some return feedback on this topic would be greatly appreciated. It would, without a doubt, remove some of Trusted User's freedoms. But it would also force sort of community-shared accountability, which may be a good thing.
What do you all think?
Deleting obvious spam packages shouldn't require two people. Furthermore, I don't think requiring a unverified member of the public + a TU is much of a higher bar, aside from making spam removal more difficult.