[aur-general] Breaking the unspoken rule: AUR helper in [community]

Xyne xyne at archlinux.ca
Thu Dec 30 04:11:23 EST 2010


Nathan Owens wrote:

> I know what you mean. Well I would THINK that maybe it could be 
> determined how long the user has been active through their activity of 
> the packages and look at the quality of the packages the user has 
> adopted/created and maybe, assuming there is a system that would monitor 
> the out-of-date packages, if the member maintains the packages by 
> updating them in a decent amount of time. Possibly something similar 
> to this as to determine a regular user is trusted.

The only official distinction that we have is between TUs and non-TUs. I would
support the inclusion of that data in the results from the AUR's RPC interface
so that it could be more readily used by AUR helpers, but that's about it.
Beyond that it is up to the users to decide whom they trust. Any system that
attempts to determine a level of trust by a fixed set of metrics such as
update intervals could be easily gamed, maybe even automatically with a bot.

Of course, trust could be gained from regular users by a malicious maintainer
via the same methods, so nothing in the AUR is ever really safe. The same could
be said of TUs and [community] considering that we do not sign off packages
before pushing them to the repo. It might be a bit harder to game the TU vote,
but I see a vague pattern that determines acceptance that shouldn't be too hard
to follow, although it would require time and wouldn't be automatable.

The point is that trust is a relative term and best determined by the end user.
Attempting to formalize it would likely give a false sense of security and
expose casual users to greater risks.