Comment by mehrdadn

8 years ago

How are official Arch packages vetted?

They are built by the core Arch developers, or as in the case of the 'community' repo, by 'Trusted Users', the latter being people who have done high quality maintaining of packages in the AUR and shown good community involvement.

Having met these criteria, they need to be sponsored by an existing TU, and then it will be put up to a vote.

  • Do you know if there is any kind of review process? For example, let’s say a core maintainer’s machine is compromised and the attacker submits a new package on their behalf. Does anyone else need to review and sign off on the new package?

Depends on what you deem "vetted". Builds from source from a trusted source. Try asking if they can PGP sign their sources. Builds fine. Pushed to the repos. If it's a package from core or extra it goes through testing for a few days.

There has also been a push towards reproducible builds, and the stones have been laid with pacman 5.1.