Relaying from Chaotic-AUR news, especially because I’m hoping some trusted forum veterans might be interested in helping review PRs
What’s up, everyone?
Some good news for Chaotic-AUR users: after the rising count of cases of malware in the AUR, we now have a system with a trusted maintainers list in place. This list is checked before updating packages silently like before. There are multiple outcomes:
- All maintainers are trusted → silently update the package like before
- At least one maintainer is untrusted (sadly, the AUR API does not seem to expose the last packager, which is, however, shown in the web interface for some reason):
  a) Only pkgver/hash changes → silently update
  b) Anything else changes → open a PR for human review
- State updates are also always allowed (e.g. commit hashes of git packages)
While we can’t yet tell how sustainable reviewing the untrusted portion of package updates will be, it is certainly a good step to take moving forward. Maybe this also opens the door for people to contribute, e.g., by reviewing the package updates created via PR (if anyone is interested: let the team know!)
Besides that, the website will also live-update on any deployment, queue and pipeline change for a more interactive experience
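The decision rules from the post above, written out as an added example (not Chaotic-AUR's own code): a small PKGBUILD assignment parser, a diff of the two versions' top-level keys, and the trusted/untrusted decision. The trusted maintainer names, the sample PKGBUILDs and the set of checksum keys that count as "hash" changes are constructed assumptions; the post itself only names pkgver and hashes, so pkgrel is deliberately not whitelisted.

```python
import re

# Constructed sample: maintainers this mirror trusts (assumption, not the real list).
TRUSTED_MAINTAINERS = {"alice", "bob"}

# Checksum arrays that count as "hash" changes (assumption; the post says "pkgver/hash").
CHECKSUM_KEY = re.compile(r"^(md5|sha1|sha224|sha256|sha384|sha512|b2)sums(_[A-Za-z0-9_]+)?$")
ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_pkgbuild(text: str) -> dict[str, str]:
    """Collect top-level `name=value` assignments from a PKGBUILD.

    Handles multi-line bash arrays such as `sha256sums=('a'\n 'b')` and skips
    the bodies of functions like build()/package(), so assignments inside them
    are not mistaken for package metadata.
    """
    assignments: dict[str, str] = {}
    depth = 0           # brace depth; >0 means we are inside a function body
    in_array = None     # name of the array currently being accumulated
    buf: list[str] = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if in_array is not None:
            buf.append(stripped)
            if stripped.endswith(")"):
                assignments[in_array] = " ".join(buf)
                in_array, buf = None, []
            continue
        net = stripped.count("{") - stripped.count("}")   # ${var} nets to zero
        if depth > 0 or net > 0:                          # inside or opening a function
            depth += net
            continue
        m = ASSIGNMENT.match(stripped)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith("(") and not value.endswith(")"):
            in_array, buf = name, [value]
        else:
            assignments[name] = value
    return assignments


def changed_keys(old: str, new: str) -> set[str]:
    """Names of top-level PKGBUILD keys whose value differs between two versions."""
    a, b = parse_pkgbuild(old), parse_pkgbuild(new)
    return {k for k in a.keys() | b.keys() if a.get(k) != b.get(k)}


def is_version_or_hash_only(keys: set[str]) -> bool:
    # An empty diff means there is nothing that needs review.
    return all(k == "pkgver" or CHECKSUM_KEY.match(k) for k in keys)


def decide(maintainers, trusted, changed: set[str], state_update: bool = False) -> str:
    """Return 'auto-update' or 'open-pr' following the post's three rules."""
    # Orphaned packages (no maintainer) are treated as untrusted: our assumption.
    if maintainers and all(m in trusted for m in maintainers):
        return "auto-update"
    if state_update:                       # e.g. commit hash of a -git package
        return "auto-update"
    if is_version_or_hash_only(changed):   # untrusted, but only pkgver/hash moved
        return "auto-update"
    return "open-pr"                       # untrusted and something else changed


# Constructed PKGBUILDs (checksums are placeholders, not real digests).
OLD = """# Maintainer: Carol <carol@example.invalid>
pkgname=foo
pkgver=1.2.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/$pkgname-${pkgver}.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$pkgname-$pkgver"
  make
}
"""
NEW_BUMP = OLD.replace("pkgver=1.2.0", "pkgver=1.3.0").replace("0000", "1111")
NEW_SOURCE = NEW_BUMP.replace(
    'source=("https://example.invalid/$pkgname-${pkgver}.tar.gz")',
    'source=("https://example.invalid/$pkgname-${pkgver}.tar.gz"\n        "fix-build.patch")',
).replace(
    "sha256sums=('1111111111111111111111111111111111111111111111111111111111111111')",
    "sha256sums=('1111111111111111111111111111111111111111111111111111111111111111'\n"
    "            '2222222222222222222222222222222222222222222222222222222222222222')",
)

if __name__ == "__main__":
    for label, new in (("version bump", NEW_BUMP), ("new source entry", NEW_SOURCE)):
        keys = changed_keys(OLD, new)
        print(f"{label}: changed={sorted(keys)} -> {decide(['carol'], TRUSTED_MAINTAINERS, keys)}")
```

Run as a script it prints the decision for both sample diffs with carol as an untrusted maintainer: the plain version bump is auto-updated, the diff that also adds a source entry is routed to a PR. Swapping the maintainer for alice, or marking the change as a state update, lets the same diff through silently.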
Do I understand correctly, you want to become a mirrorer?
We have a page for easy reviewing in place; this will a) show queued updates pending review and b) offer easy approving for maintainers. This will make it possible to review often without requiring much effort.
If you’re interested in mirroring, feel free to pm me.
I have to say, I had suspected the review load would be higher. As of now the effort is minimal, especially when notified and having a unified review page where all information is directly visible. A little more than 100 since we started.