Has anyone from the AUR team (such as that is) published a retrospective yet? This was some impressively fast firefighting but in all honesty, it seems like some changes are needed, either in AUR policies or in the wrappers.
I should be able to set a minimum package age just like I can with pnpm.
Orphaned packages should not be adoptable by just anyone. Maybe there should even be a global rate limit on this as a sign of attack.
Someone or something should vuln-scan these packages as they're published, as a number of companies do for NPM now. That would likely have found these pretty quickly.
Most of these are not changes to be made by the AUR maintainers, but rather by packaging helpers and 3rd parties.
> I should be able to set a minimum package age just like I can with pnpm.
I recently worked up a patch [1] for pakku [2], after being inspired by pnpm.
[1] https://github.com/gavinhungry/patches/blob/main/pakku/pakku...
[2] https://github.com/zqqw/pakku
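A minimum-age gate of the kind the quoted comment asks for, as an added example rather than code from the pakku patch or the pakku project: it takes a reply shaped like the AUR RPC `info` endpoint (the sample JSON below is constructed; the field names `LastModified`, `Maintainer` are the ones the real API returns as Unix timestamps / strings, but the values here are made up) and refuses packages that were modified too recently, are orphaned, or do not exist. A helper would call this before cloning the package's git repo.

```python
import json
import time
from typing import Dict, List, Optional

# Constructed sample in the shape of https://aur.archlinux.org/rpc/v5/info?arg[]=...
# All three packages and their timestamps are invented for this example.
SAMPLE_RPC_REPLY = json.dumps({
    "version": 5, "type": "multiinfo", "resultcount": 3,
    "results": [
        {"Name": "stable-tool", "Version": "1.2.0-1", "Maintainer": "alice",
         "FirstSubmitted": 1_600_000_000, "LastModified": 1_700_000_000},
        {"Name": "fresh-push", "Version": "3.0.1-1", "Maintainer": "bob",
         "FirstSubmitted": 1_650_000_000, "LastModified": 1_735_000_000},
        {"Name": "orphan-gone", "Version": "0.9-2", "Maintainer": None,
         "FirstSubmitted": 1_620_000_000, "LastModified": 1_690_000_000},
    ],
})

DAY = 86400


def check_min_age(rpc_json: str, requested: List[str], min_age_days: int,
                  now: Optional[int] = None) -> Dict[str, str]:
    """Return {package_name: reason} for every requested package a wrapper should refuse.

    A package passes only if it exists, has a maintainer, and its last modification is
    at least min_age_days old. Anything else gets a human-readable reason.
    """
    now = int(time.time()) if now is None else now
    by_name = {pkg["Name"]: pkg for pkg in json.loads(rpc_json)["results"]}
    blocked: Dict[str, str] = {}
    for name in requested:
        pkg = by_name.get(name)
        if pkg is None:
            # AUR RPC silently omits unknown names; treat that as a hard failure.
            blocked[name] = "not found in AUR"
            continue
        age_days = (now - int(pkg["LastModified"])) // DAY
        if age_days < min_age_days:
            blocked[name] = f"modified {age_days}d ago, below {min_age_days}d minimum"
        elif pkg.get("Maintainer") is None:
            blocked[name] = "orphaned (no maintainer)"
    return blocked


if __name__ == "__main__":
    fixed_now = 1_735_000_000 + 2 * DAY  # constructed "current time" for a stable demo
    for pkg, why in check_min_age(SAMPLE_RPC_REPLY, ["stable-tool", "fresh-push",
                                                      "orphan-gone", "typo-pkg"], 7, fixed_now).items():
        print(f"refusing {pkg}: {why}")
```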
There is no official tool to download aur repos, so that’s up to whatever you do.