[aur-general] "Report malicious package" feature

hollunder at gmx.at hollunder at gmx.at
Fri Jun 26 10:25:57 EDT 2009


On Fri, 26 Jun 2009 08:41:49 -0400
Daenyth Blank <daenyth+arch at gmail.com> wrote:

> On Thu, Jun 25, 2009 at 23:05, Xyne<xyne at archlinux.ca> wrote:
> >> Principally you are right, but pressing a button "report malicious
> >> package" could or should send an e-mail to this mailing list or to
> >> every TU automatically. This would be the easiest way for the
> >> users.
> >
> > That could lead to spam. A better system would be similar to the
> > out-of-date system that we currently have, with some changes. You
> > press the "report malicious package" button, submit a reason, and
> > then a messages gets automatically posted to the list. At the same
> > time, it also displays on the AUR page and flagged packages can be
> > filtered in the search the same way out-of-date packages can. The
> > reporter would also be mentioned in the list (to prevent people
> > from anonymously flagging packages without reason).
> >
> >
> I'm not sure if I'll be agreed with here, but I think the whole idea
> of this feature is not needed. The AUR has been up for how many years,
> and I haven't even *heard* of a malicious package. I don't think we
> should add features (and spend effort coding, and make the interface
> *more* cluttered) unless there is a need for the feature.

Well, I found a possible malicious package but didn't investigate
further, simply requested deletion/orphanage and re-did it if I remember
correctly.

The issue there was that the source was downloaded not from the
official page but somewhere else and at least re-compressed with a
different method. At least compressed it was bigger than the original
source but I didn't compare the content.

No idea if it really was an attempt at doing something bad or simply
something else, but it was suspicious at least.

Now you've heard of such a thing ;)
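The check the story above leaves undone is comparing the *content* of a re-packaged source tarball with the official one, independently of how each was compressed. The following is an added example (not code from this thread or from the AUR) that builds two small archives in memory as constructed test data: the "official" release as gzip and a re-packed, uncompressed copy. The hypothetical package name `foo-1.0` and the file names inside are assumptions for illustration. Compression is ignored, so a repack that only changed the container compares clean, while one that altered or added files is reported file by file.

```python
import hashlib
import io
import tarfile


def archive_manifest(data: bytes) -> dict:
    """Map each regular file path inside a tar archive to the SHA-256 of its
    content. mode="r:*" lets tarfile detect the compression, so a .tar.gz and
    a plain .tar of the same tree yield the same manifest."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            manifest[member.name] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare_sources(official: bytes, repackaged: bytes) -> dict:
    """Compare a repackaged source archive against the official upstream one
    at the content level. Returns files added, removed, or modified relative
    to upstream; three empty lists mean the trees are identical."""
    a = archive_manifest(official)
    b = archive_manifest(repackaged)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def make_tarball(files: dict, mode: str) -> bytes:
    """Build an in-memory tarball (constructed sample data) from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: hypothetical upstream release "foo-1.0" as .tar.gz.
OFFICIAL_FILES = {
    "foo-1.0/configure": b"#!/bin/sh\necho configuring\n",
    "foo-1.0/src/main.c": b"int main(void) { return 0; }\n",
}
OFFICIAL_TGZ = make_tarball(OFFICIAL_FILES, "w:gz")

# Case 1: the same tree re-packed uncompressed. Byte size differs (the plain
# tar is far larger than the gzip), but the content is untouched.
RECOMPRESSED_ONLY = make_tarball(OFFICIAL_FILES, "w:")

# Case 2: re-packed uncompressed AND one file altered plus one file added.
REPACKAGED_FILES = dict(OFFICIAL_FILES)
REPACKAGED_FILES["foo-1.0/configure"] = (
    b"#!/bin/sh\necho configuring\n# line not present in upstream\n"
)
REPACKAGED_FILES["foo-1.0/.hidden"] = b"extra file not in upstream\n"
REPACKAGED_TAR = make_tarball(REPACKAGED_FILES, "w:")


if __name__ == "__main__":
    print("size official:", len(OFFICIAL_TGZ), "repacked:", len(RECOMPRESSED_ONLY))
    print("recompressed only:", compare_sources(OFFICIAL_TGZ, RECOMPRESSED_ONLY))
    print("altered repack:   ", compare_sources(OFFICIAL_TGZ, REPACKAGED_TAR))
```

A size mismatch on its own, as in the story, is only a prompt to look closer; the manifest diff is what separates a harmless repack from a tampered one, and it is cheap enough to run on every PKGBUILD source that does not point at the upstream release URL.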

