Nathan Owens wrote:
I know what you mean. Well I would THINK that maybe it could be determined how long the user has been active through their activity on the packages and look at the quality of the packages the user has adopted/created and maybe, assuming there is a system that would monitor the out-of-date packages, if the member maintains the packages by updating them in a decent amount of time. Possibly something similar to this as to determine a regular user is trusted.
The only official distinction that we have is between TUs and non-TUs. I would support the inclusion of that data in the results from the AUR's RPC interface so that it could be more readily used by AUR helpers, but that's about it. Beyond that it is up to the users to decide whom they trust. Any system that attempts to determine a level of trust by a fixed set of metrics such as update intervals could be easily gamed, maybe even automatically with a bot. Of course, trust could be gained from regular users by a malicious maintainer via the same methods, so nothing in the AUR is ever really safe. The same could be said of TUs and [community] considering that we do not sign off packages before pushing them to the repo. It might be a bit harder to game the TU vote, but I see a vague pattern that determines acceptance that shouldn't be too hard to follow, although it would require time and wouldn't be automatable. The point is that trust is a relative term and best determined by the end user. Attempting to formalize it would likely give a false sense of security and expose casual users to greater risks.