In the recent Arch News post, the following was said:

[…] please reach out to Arch staff via the aur-general mailing list with more 
information.

This is a weird one for me personally. Sure, email probably prevents some spam, 
and the target userbase is Linux users, so I bet there are more experienced 
people, but I really don’t like mailing lists. For something like reporting 
malicious content, especially for the AUR, where content can be freely 
submitted by most people, I wish packages just had some form of a “Report as 
Malicious” button.

Trying to send this email, my first one to any of the Arch lists, it took me at 
least 20 minutes to figure out how. I had to find the link to the mailing list 
website, I tried the anon subscription, I sent the confirmation email, nothing 
happened. Tried sending this and got rejected. Then, I tried again. Created an 
account, got the confirmation email, clicked it, it errored. Refreshed, finally 
got confirmed. Then it told me that I “have a subscription request pending”. 
Meaning I have to wait, possibly multiple days, potentially for quite a long 
while, to even report a package. At this point, I feel like 90% of users would 
have given up trying to report the malicious content. That is a big issue: 
time is key when it comes to fighting bad actors.

So yeah, again, I wish packages just had some form of a “Report as Malicious” 
button. This could either go to an internal list or, if it’s easier to 
implement and keeps the moderators’ workflow, just have it send an automated 
email from some [email protected] or whatever to the 
existing mailing list.

This might require a captcha (as is required for SSO account creation), maybe 
sign-in, or both, but I do really think a (practically) one-click reporting 
solution would benefit everyone. People not as familiar or not wanting to 
interact with mailing lists can report packages, and moderators get quicker 
reports about malicious packages solely because there’s a greater user base 
that can report.

While I do think the lower barrier of entry also causes some issues, like spam, 
something like a rate limit and/or verification (such as through login or 
similar means) should lower this, especially given people could, if malicious, 
also just spam the mailing list somewhat easily.
