Hello,
what about using a Web of Trust (PGP keys) like mechanism? Yes, malicious
users will still get accounts this way, but my hope/thought is that the
malicious accounts form group clusters in the trust graph, so that once one
malicious user gets detected, many more can be easily detected and purged
together. With time it might even be possible to have some warning
algorithm if multiple accounts that only lately gained trust immediately
vouch for many other new accounts. I know there's always the question of how
people that don't know anyone well can gain trust. In my idea I'd also
vouch for someone who made multiple constructive comments on an AUR pkg of
mine in a timespan of more than a year.
Regards,
Oskar
On Thursday, 28 May 2026 02:03:44 CEST, David C Rankin wrote:
On 5/27/26 6:38 PM, Aaron Liu wrote:
I don't see why requiring names would stop it. We'd end up
with way less actual names (in fact mine isn't my actual) and
all of the uploader accounts I see have a name in the username
you can actually search up.
Plus, age verification is incredibly unpopular here and all
the arguments against it apply.
If a package is orphaned, it probably isn't used.
Thanks Aaron,
Yes, you are certainly right that a full name alone isn't any
type of silver bullet that will suddenly stop malicious attempts to
take over AUR accounts, but by the same token, doing nothing
doesn't seem like an answer either.
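As an added illustration of the cluster-purge and early-vouch-warning ideas from Oskar's message (this is example code, not anything from the AUR or the thread), the sketch below builds a vouch graph from constructed sample records, walks out from one confirmed-malicious account to collect the recently trusted accounts tied to it, and flags accounts that vouch for several others right after gaining trust themselves. The account names, dates, cutoff and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

# Constructed sample vouch records (voucher, vouchee, date); not real AUR data.
# "mallory" is assumed to be an account later confirmed as malicious.
VOUCHES = [
    ("alice", "dave", date(2024, 3, 1)),
    ("alice", "bob", date(2025, 1, 10)),
    ("bob", "carol", date(2025, 6, 2)),
    ("carol", "mallory", date(2026, 5, 1)),   # mallory first gains trust here
    ("mallory", "m2", date(2026, 5, 2)),      # and immediately vouches for
    ("mallory", "m3", date(2026, 5, 2)),      # several brand-new accounts
    ("mallory", "m4", date(2026, 5, 3)),
    ("m2", "m5", date(2026, 5, 4)),
]
CUTOFF = date(2026, 4, 1)  # assumed: only accounts trusted after this are auto-clustered

def build_graph(vouches):
    """Adjacency in both directions plus the date each account first gained trust."""
    out, inbound, first_trust = defaultdict(set), defaultdict(set), {}
    for voucher, vouchee, when in vouches:
        out[voucher].add(vouchee)
        inbound[vouchee].add(voucher)
        first_trust[vouchee] = min(first_trust.get(vouchee, when), when)
    return out, inbound, first_trust

def suspect_cluster(vouches, seed, cutoff):
    """Accounts connected to a confirmed-malicious seed by vouch edges (either
    direction), limited to accounts that gained trust on/after cutoff, so a
    long-established voucher is reviewed rather than purged for one bad edge."""
    out, inbound, first_trust = build_graph(vouches)
    seen, queue = {seed}, deque([seed])
    while queue:
        node = queue.popleft()
        for peer in out[node] | inbound[node]:
            if peer not in seen and first_trust.get(peer, date.min) >= cutoff:
                seen.add(peer)
                queue.append(peer)
    return seen

def early_vouch_warning(vouches, window_days=14, max_vouches=2):
    """Flag accounts that vouch for more than max_vouches others within
    window_days of first being vouched for themselves."""
    _, _, first_trust = build_graph(vouches)
    counts = defaultdict(int)
    for voucher, _, when in vouches:
        if voucher in first_trust and when - first_trust[voucher] <= timedelta(days=window_days):
            counts[voucher] += 1
    return {acct: n for acct, n in counts.items() if n > max_vouches}
```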