Chaotic-AUR now has a trusted maintainers system

Relaying from Chaotic-AUR news, especially because I’m hoping some trusted forum veterans might be interested in helping review PRs :zany_face:


What’s up, everyone? :waving_hand:t2:

Some good news for Chaotic-AUR users: after the rising number of malware cases in the AUR, we now have a trusted maintainers list system in place. This list is checked before packages are updated silently as before. There are multiple outcomes:

  1. All maintainers are trusted → silently update package like before
  2. At least one maintainer is untrusted (sadly, the AUR API does not seem to expose the last packager, which is, however, being shown in the web interface for some reason):
    a) Only pkgver/hash changes → silently update
    b) Anything else changes → open PR for human review
  3. State updates are also always allowed (e.g. commit hashes of git packages)

While we can’t yet tell how sustainable reviewing the untrusted portion of package updates will be, it is certainly a good step to take moving forward. Maybe this also opens the door for people to contribute, e.g., by reviewing the package updates created via PR :innocent: (if anyone is interested: let the team know!)

Besides that, the website will also live-update on any deployment, queue and pipeline change for a more interactive experience :raising_hands:t2:

42 Likes
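The decision tree from the announcement above, written out as an added example (my own illustration, not Chaotic-AUR's code). Assumed: a package snapshot carries its AUR maintainer list plus parsed PKGBUILD fields, `_commit` stands in for "state" fields, and an orphaned package (no maintainers) counts as untrusted.

```python
from dataclasses import dataclass

# Fields whose change alone counts as a plain version/hash bump (outcome 2a).
VERSION_FIELDS = {"pkgver", "pkgrel", "sha256sums", "b2sums"}
# Fields whose change is state only and always allowed (outcome 3), e.g. the
# pinned commit of a -git package. Field names are assumed, not the project's.
STATE_FIELDS = {"_commit"}


@dataclass(frozen=True)
class Snapshot:
    """One AUR package as fetched: its maintainer list plus parsed PKGBUILD fields."""
    maintainers: frozenset
    fields: dict


def changed_fields(old: dict, new: dict) -> set:
    """Names of all fields that differ between two snapshots (added or removed too)."""
    return {k for k in old.keys() | new.keys() if old.get(k) != new.get(k)}


def classify_update(old: Snapshot, new: Snapshot, trusted: frozenset) -> tuple:
    """Return ("silent", why) or ("review", why) following the rules in the post.

    Because the AUR API does not expose who pushed the last commit, every listed
    maintainer must be trusted for the fully silent path; an orphaned package
    (empty maintainer list) is treated as untrusted here (an assumption).
    """
    changed = changed_fields(old.fields, new.fields)
    if not changed:
        return ("silent", "nothing changed")
    if changed <= STATE_FIELDS:
        return ("silent", "state-only update")                    # outcome 3
    untrusted = set(new.maintainers) - set(trusted)
    if new.maintainers and not untrusted:
        return ("silent", "all maintainers trusted")              # outcome 1
    if changed - STATE_FIELDS <= VERSION_FIELDS:
        return ("silent", "only pkgver/hash changed")             # outcome 2a
    suspicious = sorted(changed - VERSION_FIELDS - STATE_FIELDS)
    return ("review", f"{suspicious} changed by untrusted maintainers")  # 2b


# Constructed sample data: alice is trusted, mallory is a co-maintainer who is not.
TRUSTED = frozenset({"alice"})
OLD = Snapshot(frozenset({"alice", "mallory"}),
               {"pkgver": "1.0", "sha256sums": "aa11", "source": "https://example.invalid/p-1.0.tar.gz"})
BUMP = Snapshot(OLD.maintainers, {**OLD.fields, "pkgver": "1.1", "sha256sums": "bb22"})
NEW_SOURCE = Snapshot(OLD.maintainers, {**BUMP.fields, "source": "https://example.invalid/other.tar.gz"})
STATE_ONLY = Snapshot(OLD.maintainers, {**OLD.fields, "_commit": "0000constructed"})
```

A real checker would build the snapshots from the AUR RPC maintainer data and the package's `.SRCINFO`; the classification logic itself stays the same.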

If there is a feature you're lacking in the API of aurweb (Arch Linux / aurweb · GitLab) or the RPC (GitHub - moson-mo/goaurrpc: An implementation of the aurweb (v6) - /rpc - REST API service in go) interface, this is something that can most likely be added, or it would be a welcome contribution from your side (or the community). Just get in contact with the maintainers in #archlinux-aurweb or #archlinux-projects.

9 Likes

Always have to be bad actors in the mix. Thanks for the update. Just had to reinstall Garuda.

1 Like

Hey gromit, thanks for chiming in! I will get in touch, as this would definitely be a very helpful thing to have.

4 Likes

Thanks for the update, that is a very positive change! :+1:

A dedicated team always benefits the output.

Hi. Not knowing the exact workload to support, but if I have the suitable bandwidth, I will gladly help. Just let me know.

Do I understand correctly, you want to become a mirrorer? :slight_smile:

We have a page for easy reviewing in place; it will a) show queued updates pending review and b) offer easy approving for maintainers. This will make it possible to review often without requiring much effort.

6 Likes

Hi, sorry for my late reply. I used my free time to build a Jitsi server.

I will have a look at the link and come back to you.

If you’re interested in mirroring, feel free to pm me.

I have to say, I had suspected the review load would be higher. As of now the effort is minimal, especially when notified and having a unified review page where all information is directly visible. A little more than 100 since we started.

3 Likes

Hey, that’s actually really great news for the Chaotic-AUR community. With all the recent concerns about malware creeping into the AUR, it’s good to see proactive steps being taken. The trusted maintainer list sounds like a smart way to balance convenience with safety. I like how you’ve tiered the approach based on trust level and the type of change. Silent updates for trusted maintainers keep things smooth, while the PR system for untrusted changes gives a chance for human review without completely blocking updates. That’s a solid middle ground.

The limitation with the AUR API not exposing the last packager is a bit of a bummer, especially since it's visible on the web interface. Hopefully that gets aligned at some point. But working around it by triggering PRs for untrusted maintainers when there's more than just version changes feels like a practical workaround for now.

Also, the live-updating website sounds like a nice quality-of-life improvement. Real-time feedback on deployments and pipeline changes will definitely make the experience more engaging. And yeah, if you’re looking for more people to help review those PRs, I’m sure some community members would be happy to step up. Might be worth putting out a call for contributors.

Overall, this feels like a meaningful step forward for the project. Keeps the spirit of the AUR alive but adds a layer of protection that’s becoming increasingly necessary. Good stuff.

2 Likes