diff --git a/aurweb/routers/packages.py b/aurweb/routers/packages.py
index ee6d71ba..8790327f 100644
--- a/aurweb/routers/packages.py
+++ b/aurweb/routers/packages.py
@@ -701,3 +701,35 @@ async def requests_close_post(request: Request, id: int,
     notify_.send()
 
     return RedirectResponse("/requests", status_code=int(HTTPStatus.SEE_OTHER))
+
+
+@router.post("/pkgbase/{name}/flag")
+@auth_required(True, redirect="/pkgbase/{name}")
+async def pkgbase_flag(request: Request, name: str):
+    pkgbase = get_pkg_or_base(name, PackageBase)
+
+    has_cred = request.user.has_credential("CRED_PKGBASE_FLAG")
+    if has_cred and not pkgbase.Flagger:
+        now = int(datetime.utcnow().timestamp())
+        with db.begin():
+            pkgbase.OutOfDateTS = now
+            pkgbase.Flagger = request.user
+
+    return RedirectResponse(f"/pkgbase/{name}",
+                            status_code=int(HTTPStatus.SEE_OTHER))
+
+
+@router.post("/pkgbase/{name}/unflag")
+@auth_required(True, redirect="/pkgbase/{name}")
+async def pkgbase_unflag(request: Request, name: str):
+    pkgbase = get_pkg_or_base(name, PackageBase)
+
+    has_cred = request.user.has_credential(
+        "CRED_PKGBASE_UNFLAG", approved=[pkgbase.Flagger])
+    if has_cred:
+        with db.begin():
+            pkgbase.OutOfDateTS = None
+            pkgbase.Flagger = None
+
+    return RedirectResponse(f"/pkgbase/{name}",
+                            status_code=int(HTTPStatus.SEE_OTHER))
diff --git a/test/test_packages_routes.py b/test/test_packages_routes.py
index 4118744a..db36d1a9 100644
--- a/test/test_packages_routes.py
+++ b/test/test_packages_routes.py
@@ -1689,3 +1689,34 @@ def test_requests_close_post_rejected(client: TestClient, user: User,
     assert pkgreq.Status == REJECTED_ID
     assert pkgreq.Closer == user
     assert pkgreq.ClosureComment == str()
+
+
+def test_pkgbase_flag(client: TestClient, user: User, maintainer: User,
+                      package: Package):
+    pkgbase = package.PackageBase
+
+    # We shouldn't have flagged the package yet; assert so.
+    assert pkgbase.Flagger is None
+
+    # Flag it.
+    cookies = {"AURSID": user.login(Request(), "testPassword")}
+    endpoint = f"/pkgbase/{pkgbase.Name}/flag"
+    with client as request:
+        resp = request.post(endpoint, cookies=cookies)
+    assert resp.status_code == int(HTTPStatus.SEE_OTHER)
+    assert pkgbase.Flagger == user
+
+    # Now, test that the 'maintainer' user can't unflag it, because they
+    # didn't flag it to begin with.
+    maint_cookies = {"AURSID": maintainer.login(Request(), "testPassword")}
+    endpoint = f"/pkgbase/{pkgbase.Name}/unflag"
+    with client as request:
+        resp = request.post(endpoint, cookies=maint_cookies)
+    assert resp.status_code == int(HTTPStatus.SEE_OTHER)
+    assert pkgbase.Flagger == user
+
+    # Now, unflag it for real.
+    with client as request:
+        resp = request.post(endpoint, cookies=cookies)
+    assert resp.status_code == int(HTTPStatus.SEE_OTHER)
+    assert pkgbase.Flagger is None
diff --git a/test/test_user.py b/test/test_user.py
index 43cbf58a..771611d8 100644
--- a/test/test_user.py
+++ b/test/test_user.py
@@ -166,7 +166,6 @@ def test_user_minimum_passwd_length():
 
 
 def test_user_has_credential():
-    assert user.has_credential("CRED_PKGBASE_FLAG")
     assert not user.has_credential("CRED_ACCOUNT_CHANGE_TYPE")