On 5/27/26 6:38 PM, Aaron Liu wrote:
> I don't see why requiring names would stop it. We'd end up with far fewer
> actual names (in fact mine isn't my actual) and all of the uploader
> accounts I see have a name in the username you can actually search up.
> Plus, age verification is incredibly unpopular here and all the
> arguments against it apply.
> If a package is orphaned, it probably isn't used.
Thanks Aaron,
Yes, you are certainly right that a full name alone isn't any type of
silver bullet that will suddenly stop malicious attempts to take over
AUR accounts, but by the same token, doing nothing doesn't seem like an
answer either.
I don't like these topics any more than the normal person, but I do
follow supply-chain and repository attacks and the uptick in frequency
across the board for all sites is alarming. The larger point is that as
it currently exists, AUR is a wide-open repository for any individual to
use in a malicious way.
I think it is worth discussing what options are available to mitigate
the risk that poses to Arch/AUR users. With the uptick of malicious
activity seen just in the past few days, it may be a good time to think
through what, if anything, can be done to harden AUR.
I wish I had the answer, and if I did I'd wave my magic wand and
ensure AUR stayed safe, trusted and secure henceforth. Unfortunately,
the real world doesn't work that way.
I don't know what options/tools are available to the Arch Dev/Sec
folks, that's why I have to leave it up to those smarter than I there.
What I want to avoid, if possible, is some larger event that Claudia
can't fix with speedy account deletion and a force push that does real
damage to AUR users and its reputation in the process.
Good discussion by all, and if something comes out of it that helps
tighten and secure AUR in some way, we are all the better for it.
--
David C. Rankin, J.D., P.E.