• CubitOom@infosec.pub · 16 days ago

    We aren't talking about a distro maintainer, but an AUR package maintainer, which can be anyone.

    • bitfucker@programming.dev · 16 days ago

      Yes, and that is no different from a distro maintainer who maintains the infrastructure and package. Anyone can volunteer. That's how xz was compromised. The point is that aurto's trust model mimics those of other package managers. Trusting the authors implicitly trusts the code. The only other special thing about distro maintainers is that their PGP signatures are required to perform a release on the main repo. This is better because, as I stated earlier, reviewing PKGBUILDs would encourage people to just skip it. Not everyone has the time for that. But when a maintainer changes? aurto removes the package for you to perform that first trust again on the new maintainer. This is no different from updating the Arch keyring, just more manual.

        • CubitOom@infosec.pub · 16 days ago

        No, an AUR maintainer is not the same as a distro maintainer.

        But I do agree it would be good to at least stop and evaluate when the maintainer changes or a package loses its maintainer, at a minimum.
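The check both commenters end up agreeing on (re-review a package when its AUR maintainer changes or it becomes orphaned), as an added example that is not part of the thread and is not aurto's own code. It assumes a local record of which maintainer each PKGBUILD was reviewed under, and the `Name`/`Maintainer` fields of the AUR RPC v5 `info` response (`Maintainer` is null for orphans). The sample response and the trusted-maintainer record are constructed for the demo; the network fetch is included but not called.

```python
"""Flag AUR packages whose maintainer changed or disappeared since the PKGBUILD
was last reviewed, so the package can be re-read before the next rebuild.
Example code written for this thread; not aurto's implementation."""
import json
import urllib.parse
import urllib.request

# AUR RPC v5 'info' endpoint (assumption: response has results[].Name / .Maintainer)
AUR_RPC = "https://aur.archlinux.org/rpc/?v=5&type=info"


def fetch_aur_info(names):
    """Query the AUR RPC for the given package names (needs network; unused by the demo)."""
    query = "&".join("arg[]=" + urllib.parse.quote(n) for n in names)
    with urllib.request.urlopen(f"{AUR_RPC}&{query}", timeout=10) as resp:
        return json.load(resp)


def maintainer_changes(trusted, aur_info):
    """Compare the maintainer recorded at review time with the current AUR data.

    trusted:  {package_name: maintainer_the_pkgbuild_was_reviewed_under}
    aur_info: parsed AUR RPC 'info' response
    Returns [(package, status, old_maintainer, new_maintainer)] for every package
    that should be re-reviewed; an unchanged maintainer produces no entry.
    """
    current = {r["Name"]: r.get("Maintainer") for r in aur_info.get("results", [])}
    findings = []
    for name, old in trusted.items():
        if name not in current:
            # Package no longer exists under that name on the AUR (deleted/merged).
            findings.append((name, "missing", old, None))
        elif current[name] is None:
            # Orphaned: nobody is accountable for the PKGBUILD now.
            findings.append((name, "orphaned", old, None))
        elif current[name] != old:
            # Adopted by someone else: trust has to be re-established.
            findings.append((name, "changed", old, current[name]))
    return findings


# Constructed local record: maintainer each package was reviewed under.
TRUSTED = {"foo-bin": "alice", "bar-git": "bob", "baz": "carol", "qux": "dave"}

# Constructed stand-in for an AUR RPC response (not real AUR data).
SAMPLE_AUR_RESPONSE = {
    "version": 5,
    "type": "multiinfo",
    "resultcount": 3,
    "results": [
        {"Name": "foo-bin", "Maintainer": "alice"},    # unchanged
        {"Name": "bar-git", "Maintainer": "mallory"},  # adopted by a new maintainer
        {"Name": "baz", "Maintainer": None},           # orphaned
        # "qux" is absent: removed from the AUR
    ],
}

if __name__ == "__main__":
    for pkg, status, old, new in maintainer_changes(TRUSTED, SAMPLE_AUR_RESPONSE):
        print(f"{pkg}: {status} (reviewed under {old!r}, now {new!r}) -> re-review PKGBUILD")
```

Run it before `makepkg` on an update batch; anything it reports is a package whose PKGBUILD should be read again before building, which is the "stop and evaluate" step discussed above rather than a full review of every update.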