On Fri, 26 Jun 2009 08:41:49 -0400 Daenyth Blank <daenyth+arch@gmail.com> wrote:
On Thu, Jun 25, 2009 at 23:05, Xyne<xyne@archlinux.ca> wrote:
Principally you are right, but pressing a button "report malicious package" could or should send an e-mail to this mailing list or to every TU automatically. This would be the easiest way for the users.
That could lead to spam. A better system would be similar to the out-of-date system that we currently have, with some changes. You press the "report malicious package" button, submit a reason, and then a message gets automatically posted to the list. At the same time, it also displays on the AUR page, and flagged packages can be filtered in the search the same way out-of-date packages can. The reporter would also be mentioned in the list (to prevent people from anonymously flagging packages without reason).
I'm not sure if I'll be agreed with here, but I think the whole idea of this feature is not needed. The AUR has been up for how many years, and I haven't even *heard* of a malicious package. I don't think we should add features (and spend effort coding, and make the interface *more* cluttered) unless there is a need for the feature.
Well, I found a possibly malicious package but didn't investigate further; I simply requested deletion/orphanage and re-did it, if I remember correctly. The issue there was that the source was downloaded not from the official page but from somewhere else, and at least re-compressed with a different method. At least compressed, it was bigger than the original source, but I didn't compare the content. No idea if it really was an attempt at doing something bad or simply something else, but it was suspicious at least. Now you've heard of such a thing ;)