Hi,

I'm against giving up my name and stuff too just to maintain AUR packages, and if I'm forced to, I'll just disown or not update anything I maintain.

In the past, I have adopted some packages I saw were orphaned and that I use myself, not because I wanted to maintain them, but because I wanted to prevent someone else from taking them over to spread malware. How did I find out they were orphaned? My AUR helper listed them as orphaned.

So here are my solutions:

1. Improve moderation tools

If subreddits can moderate better and delete posts in under a minute, we can too. Improve the UI, make it easy to spot suspicious changes, etc. I really don't wanna be specific, as I am not a reddit mod, but having a global moderation queue where accounts registered for a long time can flag something could be a good start.

2. Have AUR helpers actually cooperate

What I mean by this is, have them print a red warning that a maintainer has changed or if a package was recently adopted. Also have them print out a red warning if a user tries to update a package that was previously spreading malware, like "This package was previously taken over. If you installed that version, secure your machine". Have this be the default. No one is gonna dig through AUR helper man pages to find out if this exists. This ofc would require some improvements to the Aurweb RPC interface, but so be it.

I am a little salty, as I was almost affected by a package that I used in the past being taken over and pushing malware. I didn't find out about it until 3 weeks later. Luckily I was unaffected, as I had formatted my system a month prior and not reinstalled that package.

Regards

On Thursday, 28 May 2026 at 04:04, David C Rankin <[email protected]> wrote:

> On 5/27/26 6:38 PM, Aaron Liu wrote:
> > I don't see why requiring names would stop it. We'd end up with way less
> > actual names (in fact mine isn't my actual) and all of the uploader
> > accounts I see have a name in the username you can actually search up.
> >
> > Plus, age verification is incredibly unpopular here and all the
> > arguments against it apply.
> >
> > If a package is orphaned, it probably isn't used.
> >
>
> Thanks Aaron,
>
> Yes, you are certainly right that a full name alone isn't any type of
> silver bullet that will suddenly stop malicious attempts to take over
> AUR accounts, but by the same token, doing nothing doesn't seem like an
> answer either.
>
> I don't like these topics any more than the normal person, but I do
> follow supply-chain and repository attacks and the uptick in frequency
> across the board for all sites is alarming. The larger point is that as
> it currently exists, AUR is a wide-open repository for any individual to
> use in a malicious way.
>
> I think it is worth discussing what options are available to mitigate
> the risk that poses to Arch/AUR users. With the uptick of malicious
> activity seen just in the past few days, it may be a good time to think
> through what, if anything, can be done to harden AUR.
>
> I wish I had the answer, and if I did I'd wave my magic wand and
> ensure AUR stayed safe, trusted and secure henceforth. Unfortunately,
> the real world doesn't work that way.
>
> I don't know what options/tools are available to the Arch Dev/Sec
> folks, that's why I have to leave it up to those smarter than I there.
> What I want to avoid, if possible, is some larger event that Claudia
> can't fix with speedy account deletion and a force push that does real
> damage to AUR users and its reputation in the process.
>
> Good discussion by all, and if something comes out of it that helps
> tighten and secure AUR in some way, we are all the better for it.
>
> --
> David C. Rankin, J.D., P.E.
>
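The second proposal in the post above (helpers warning on maintainer changes, recent adoptions and previously taken-over packages) can be built from what the AUR RPC already returns. The following is an added example, not code from any AUR helper or from the Arch project: it takes the JSON of an AUR RPC v5 `type=info` query, whose per-package `Maintainer` field is null for orphans and whose `LastModified` is the only timestamp available (v5 exposes no adoption date, which is the RPC gap the post alludes to), diffs it against a `{package: maintainer}` snapshot the helper would persist between runs, and emits the red terminal lines the post asks for. The sample response, the package names, maintainers, timestamps, the previous snapshot and the local denylist of known-compromised packages are all constructed for the example.

```python
"""Maintainer-change warnings for AUR packages, as an AUR helper could print
before an update. Added example; not code from any existing AUR helper.

Input: the JSON body of an AUR RPC v5 ``type=info`` query plus the previous
run's {package: maintainer} snapshot kept locally by the helper.
"""
import json
from typing import Dict, List, Optional, Set, Tuple

DAY = 86_400
NOW = 1_716_000_000          # hypothetical "current time" in epoch seconds

# Constructed sample in the shape of an AUR RPC v5 info response
# (GET https://aur.archlinux.org/rpc/?v=5&type=info&arg[]=NAME&arg[]=...).
# Package names, maintainers and timestamps are invented for this example.
SAMPLE_RPC_RESPONSE = json.dumps({
    "version": 5, "type": "multiinfo", "resultcount": 4,
    "results": [
        {"Name": "example-a", "Version": "1.2-1", "Maintainer": "alice",
         "LastModified": NOW - 200 * DAY},
        {"Name": "example-b", "Version": "0.9-2", "Maintainer": "mallory",
         "LastModified": NOW - 2 * DAY},   # adopted and pushed two days ago
        {"Name": "example-c", "Version": "3.0-1", "Maintainer": None,
         "LastModified": NOW - 30 * DAY},  # orphaned: Maintainer is null
        {"Name": "example-d", "Version": "2.1-1", "Maintainer": "dave",
         "LastModified": NOW - 1 * DAY},   # maintainer changed, pushed yesterday
    ],
})

# Constructed snapshot from the helper's previous run: {package: maintainer or None}.
PREVIOUS_SNAPSHOT: Dict[str, Optional[str]] = {
    "example-a": "alice",
    "example-b": None,      # was orphaned when we last looked
    "example-c": "carol",
    "example-d": "erin",
}

# Constructed local denylist of packages known to have been taken over once.
KNOWN_COMPROMISED: Set[str] = {"example-b"}

Finding = Tuple[str, str, str]   # (package, kind, message)


def check_maintainers(rpc_json: str,
                      snapshot: Dict[str, Optional[str]],
                      known_compromised: Set[str],
                      now: int,
                      recent_days: int = 14) -> Tuple[List[Finding], Dict[str, Optional[str]]]:
    """Diff the RPC result against the last snapshot and return
    (findings, new_snapshot); the helper persists new_snapshot for next time."""
    data = json.loads(rpc_json)
    if data.get("type") == "error":            # the RPC reports errors in-band
        raise ValueError("AUR RPC error: %s" % data.get("error"))

    findings: List[Finding] = []
    new_snapshot: Dict[str, Optional[str]] = {}
    for pkg in data.get("results", []):
        name, maintainer = pkg["Name"], pkg.get("Maintainer")
        new_snapshot[name] = maintainer
        # v5 carries no adoption date, so LastModified is the only timestamp
        # we can use to say whether the change was pushed "recently".
        recent = (now - int(pkg.get("LastModified", 0))) <= recent_days * DAY
        when = ("within the last %d days" % recent_days) if recent else "earlier"

        if name in known_compromised:
            findings.append((name, "compromised",
                             "This package was previously taken over. If you "
                             "installed that version, secure your machine."))

        if name not in snapshot:               # first time we see this package
            if maintainer is None:
                findings.append((name, "orphaned", "Package is orphaned (no maintainer)."))
            continue

        old = snapshot[name]
        if old is None and maintainer is not None:
            findings.append((name, "adopted",
                             "Recently adopted by %s (was orphaned), last pushed %s."
                             % (maintainer, when)))
        elif old is not None and maintainer is None:
            findings.append((name, "orphaned", "Now orphaned (was maintained by %s)." % old))
        elif old != maintainer:
            findings.append((name, "maintainer-changed",
                             "Maintainer changed %s -> %s, last pushed %s."
                             % (old, maintainer, when)))
    return findings, new_snapshot


def render(findings: List[Finding], color: bool = True) -> List[str]:
    """Format findings as the red terminal lines the post asks helpers to print."""
    red, reset = ("\033[31m", "\033[0m") if color else ("", "")
    return ["%sWARNING [%s] %s: %s%s" % (red, kind, name, msg, reset)
            for name, kind, msg in findings]


if __name__ == "__main__":
    found, _ = check_maintainers(SAMPLE_RPC_RESPONSE, PREVIOUS_SNAPSHOT, KNOWN_COMPROMISED, NOW)
    for line in render(found):
        print(line)
```

Run against the constructed sample, `example-a` is silent (same maintainer as last run), `example-b` gets both a "compromised" and an "adopted" warning, `example-c` is reported as newly orphaned and `example-d` as a maintainer change pushed within the window. A helper would fetch the real response for the packages it is about to build, keep the snapshot under its cache directory, and print these lines before asking the user to confirm the update.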
