Identify community members that usually update specific packages. #29323
Comments
I'm not sure how we would go about this, but it is interesting. Maybe we could mention previous authors for manifests/packages when a PR is created.
I love this idea. I also think it would be great to include it for some of the other files in the repository such as the files in /Tools or even the pipeline definitions. I think mentions would be good, but this could also be used for package-level moderation, where if a user is a maintainer of a package, they are able to approve requests for that package only.
And something like the bot mentioning a mod if someone opens an issue regarding that package?
Agreed, as tencent.wechat always has issues when autoupdate is performed and needs someone to investigate. I and other maintainers will be glad to see this change.
This could also be used as an indicator to the bot to skip auto-updating of these files and instead only create issues, especially for packages like Calibre where we know there are issues with automatic updates.
I think new people should be flagged for manual review, with existing people having less scrutiny.
All URLs are scanned with multiple antivirus providers, and every package hash is also validated. On top of that, every PR has to be approved by one of the community moderators after they test the package on one (or more) virtual machines to ensure that the package is exactly what the submitter is claiming it to be. So the actual risk of a malicious application making it into the repository is very low.
I like the idea of having designated community members that usually update specific packages. Some people here know a lot about how certain apps install (Visual Studio and Python are two examples off the top of my head) and it would be nice to have that written down somewhere. Not to pin responsibility on anyone, of course (anyone can open a PR for anything they want presuming the ISV hasn't claimed the ID), but having a designated .package or .maintainer file that says "@jedieaston knows about this, mention them in issues" wouldn't be a bad idea.
Chocolatey has something similar, see the "Package Maintainers" section to the left of this page.
Originally posted by @jedieaston in #29258 (comment)