Hi all,

I am against identity verification: this exposes honest users to identity theft when/if the AUR is compromised, and allows for easier censorship of packages that are legal but targeted by groups (yt-dlp vs RIAA).

It also doesn't solve the problem of compromised AUR accounts pushing malicious updates (especially as most payloads target ssh keys and worm capabilities). I think efforts to solve supply chain attacks should focus on hardening popular package owners, such as mandatory 2FA for popular users (like the Python PIP ecosystem did), and automated scanning solutions that detect issues (an AWS canarytoken triggered from a CI/CD leaked .env?). Moderation queues and mapping tools, techniques and procedures can help detect and prevent waves. One-day-old registered users auto-adopting orphaned packages should not have been an attack vector. Packages published by a new author or signed by a new GPG key should trigger additional alerting in AUR helpers, along with user education about them.

Would love to see some of our discussed plans and solutions become AUR GitLab issues for us to focus development effort on. There may also be potential for applying for grants or engaging a sponsor to offer dedicated dependency firewall security services for the AUR (socket.dev?).

Regards,
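
The "new maintainer / new GPG key" alerting the post asks for, as an added example that is not part of the message above nor code from any AUR helper: it diffs a cached snapshot of a package's metadata against a fresh one and flags a maintainer change, an orphan adoption, a recently registered maintainer account, and any PGP fingerprint newly added to validpgpkeys. The RPC-style dicts are modelled on the Maintainer field of the AUR RPC, the .SRCINFO texts and key fingerprints are constructed sample input, and the maintainer_registered timestamp is a hypothetical input (the public AUR RPC does not expose account registration dates, so a helper would need its own source for it).

```python
"""Alert on maintainer and signing-key changes between two snapshots of an AUR
package. Added example for the discussion; not AUR or any helper's own code."""
import time

NOW = 1_700_600_000  # fixed "current time" so the demo is reproducible


def parse_srcinfo(text):
    """Parse .SRCINFO ("key = value" lines, one per line) into {key: [values]}.

    Repeated keys (validpgpkeys, source, depends...) accumulate into a list.
    """
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        info.setdefault(key.strip(), []).append(value.strip())
    return info


def snapshot_from(rpc_info, srcinfo_text, maintainer_registered=None):
    """Build the snapshot a helper would cache at install time.

    rpc_info: dict modelled on an AUR RPC 'info' result (uses "Maintainer").
    maintainer_registered: hypothetical Unix timestamp of account creation;
    None when the helper has no such data source.
    """
    src = parse_srcinfo(srcinfo_text)
    return {
        "maintainer": rpc_info.get("Maintainer"),  # None for orphans
        "validpgpkeys": src.get("validpgpkeys", []),
        "maintainer_registered": maintainer_registered,
    }


def audit_update(prev, cur, now=None, new_account_days=30):
    """Return human-readable alerts for risky changes between prev and cur."""
    alerts = []
    now = time.time() if now is None else now

    old_m, new_m = prev.get("maintainer"), cur.get("maintainer")
    if old_m != new_m:
        if old_m is None:
            alerts.append(f"orphan adopted by {new_m!r}")
        else:
            alerts.append(f"maintainer changed: {old_m!r} -> {new_m!r}")

    registered = cur.get("maintainer_registered")
    if registered is not None and (now - registered) < new_account_days * 86400:
        days = (now - registered) / 86400
        alerts.append(f"maintainer account {new_m!r} is only {days:.0f} days old")

    # A fingerprint the user never trusted before is the strongest signal here:
    # it lets the new maintainer ship source signed with their own key.
    added_keys = set(cur.get("validpgpkeys", [])) - set(prev.get("validpgpkeys", []))
    for fp in sorted(added_keys):
        alerts.append(f"new PGP key trusted by PKGBUILD: {fp}")
    return alerts


# Constructed sample data: the cached state and a later, suspicious update.
CACHED_RPC = {"Name": "example-tool", "Maintainer": "oldmaint"}
CACHED_SRCINFO = """pkgbase = example-tool
\tpkgver = 1.2.0
\tvalidpgpkeys = 1111111111111111111111111111111111111111
"""
FRESH_RPC = {"Name": "example-tool", "Maintainer": "newuser42"}
FRESH_SRCINFO = """pkgbase = example-tool
\tpkgver = 1.2.1
\tvalidpgpkeys = 1111111111111111111111111111111111111111
\tvalidpgpkeys = 2222222222222222222222222222222222222222
"""


def run_demo():
    """Audit the constructed update; returns the list of alerts."""
    prev = snapshot_from(CACHED_RPC, CACHED_SRCINFO)
    cur = snapshot_from(FRESH_RPC, FRESH_SRCINFO,
                        maintainer_registered=NOW - 2 * 86400)  # 2-day-old account
    return audit_update(prev, cur, now=NOW)


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```

A helper would run this check before showing the PKGBUILD diff and refuse to continue non-interactively when any alert fires; the account-age check is only as good as whatever data source fills in maintainer_registered, which the public RPC does not provide.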
