Hi all,

Following recent supply chain incidents involving the AUR, I’d like to
open a discussion regarding the current "open" submission model.

To better defend against supply chain attacks and reduce the maintenance
burden caused by low-quality submissions, I am proposing a transition to
a batch-based submission system. Instead of the current continuous
influx, we could implement a scheduled intake:

*Submission Windows:* New packages are submitted throughout the month
but held in a pending state.

*Designated Review Cycles:* Verification occurs on a fixed schedule
(e.g., the first Sunday of each month).

*Quality Filtering:* Packages are audited for security and adherence to
AUR standards. Non-compliant packages are rejected with feedback,
allowing maintainers to iterate and resubmit during the next window.

The goal is to create a mandatory "cool-down" and verification period
that makes it significantly harder for malicious code to be distributed.

While this would be a significant shift in workflow, it seems like a
necessary step to address the current security landscape.

I am interested in hearing perspectives from the TUs and current
maintainers on the feasibility of this approach and whether it aligns
with our current infrastructure capabilities.

Best regards,
Amal Krishna