Comment by BurningCycles

8 years ago

They are built by the core Arch developers, or as in the case of the 'community' repo, by 'Trusted Users', the latter being people who have done high quality maintaining of packages in the AUR and shown good community involvement.

Having met these criteria, they need to be sponsored by an existing TU, and then it will be put up to a vote.

Do you know if there is any kind of review process? For example, let’s say a core maintainer’s machine is compromised and the attacker submits a new package on their behalf. Does anyone else need to review and sign off on the new package?