Fire up throw away VM(s) to build AUR package(s) on a schedule (e.g. once a day or once a week)
have it auto-build everything non-interactively
burn the VM after each build, but pull out the built packages
Save the resulting packages in a restricted "To review" folder, only keeping the latest build
At any time, independent from the VM build schedule, the user can decide what they want to review. The diffs that will be presented are against the last approved ref, regardless of whether the package went through several upgrades replacing themselves in the "To review" folder.
The benefit is that when you need to do an update, there is zero build time. Rather than an interactive process of reviewing and then waiting and then reviewing, you just have review once and done. This is effectively making a quarantined local binary repo, where there is a way to review the diffs/artifacts before moving binaries into a trusted local repo. This relies on trusting the VM can't be escaped easily, other security features like rua has implemented, and that the packages you are doing this with are also relatively trustworthy.
I've been finding LXD to be easy and fast to spin up and kill unprivileged arch VMs, along with binding folders into it or pushing/pulling data out. I'm interested to play with this if anyone has ideas to try.
K. I'm ready to be roasted on why this is a bad idea :)
I've been wondering about this possibility:
The benefit is that when you need to do an update, there is zero build time. Rather than an interactive process of reviewing and then waiting and then reviewing, you just have review once and done. This is effectively making a quarantined local binary repo, where there is a way to review the diffs/artifacts before moving binaries into a trusted local repo. This relies on trusting the VM can't be escaped easily, other security features like rua has implemented, and that the packages you are doing this with are also relatively trustworthy.
I've been finding LXD to be easy and fast to spin up and kill unprivileged arch VMs, along with binding folders into it or pushing/pulling data out. I'm interested to play with this if anyone has ideas to try.
K. I'm ready to be roasted on why this is a bad idea :)