Chaotic-AUR now has a trusted maintainers system

Relaying from Chaotic-AUR news, especially because I’m hoping some trusted forum veterans might be interested in helping review PRs

What’s up, everyone?

Some good news for Chaotic-AUR users: after the rising count of cases of malware in AUR, we now have a system of a trusted maintainer’s list in place. This list is being checked before updating packages silently like before. There are multiple outcomes:

1. All maintainers are trusted → silently update package like before
2. At least one maintainer is untrusted (sadly, the AUR API does not seem to expose the last packager, which is, however, being shown in the web interface for some reason):
   a) Only pkgver/hash changes → silently update
   b) Anything else changes → open PR for human review
3. State updates are also always allowed (e.g. commit hashes of git packages)

While we can’t yet tell how sustainable reviewing the untrusted portion of package updates will be, it is certainly a good step to take moving forward. Maybe this also opens the door for people to contribute, e.g., by reviewing the package updates created via PR (if anyone is interested: let the team know!)

Besides that, the website will also live-update on any deployment, queue and pipeline change for a more interactive experience

If there is a feature that you’re lacking in the API of aurweb (Arch Linux / aurweb · GitLab) or the RPC (GitHub - moson-mo/goaurrpc: An implementation of the aurweb (v6) - /rpc - REST API service in go) interface this is something that can most likely be added or would be a welcome contribution from your side (or the community), just get in contact with the maintainers in #archlinux-aurweb or #archlinux-projects.

Always have to be bad actors in the mix. Thanks for the update. Just had to reinstall Garuda.

Hey gromit, thanks for chiming in! I will get in touch, as this would definitely be a very helpful thing to have.

Thanks for the update, that is a very positive change!