Hello,
On 28.05.26 at 04:18, [email protected] wrote:
> I am against identity verification: this exposes honest users to identity theft
> when/if the AUR is compromised, and allows for easier censorship of packages that
> are legal but targeted by groups (yt-dlp vs RIAA).
As others have noted, that is a horrible idea and defeats the great
achievements in anonymity and freedom (including freedom from
surveillance and government overreach) of the internet.
> Moderation queues and mapping tools, techniques and procedures can help detect
> and prevent waves.
> 1-day-old registered users auto-adopting orphaned packages should not have been
> an attack vector.
I agree that accounts should have a cooldown period, and there are
probably some signup limits that can be put in place. A proof-of-work
scheme that requires more computing power than the current signup
pseudo-captcha sounds useful (there are existing open-source and
privacy-respecting implementations of this, but I don’t remember their
names and don’t have time to look them up right now).
On 28.05.26 at 09:55, Pierre Chapuis wrote:
> I think one of the most effective solutions would be requiring invites like
> e.g. lobste.rs does (https://lobste.rs/about#invitations).
This would prevent isolated but still good-faith contributors from
publishing on the AUR. For social networks like lobste.rs and many
Fediverse instances, invites are a great approach, since people want to
talk to their friends/acquaintances. The AUR is not a social network
except in the broadest possible sense. While some people might start
using Arch and publish to the AUR because someone recommended it to
them, others may not, and that doesn’t automatically make them less
qualified; it just makes them less part of a social circle where Arch
is already widespread.
> Requiring reviews by "high reputation" maintainers after an adoption for
> highly-used packages could also help. The various UIs (AUR web and helpers) could also
> surface this to the user (warn when a new version is by a different maintainer, for
> instance).
This sounds like one of the best possible solutions. New packages don’t
really matter, since nobody uses them, and people are more likely to
check the PKGBUILD for packages they are newly installing anyway.
Typosquatting is a related issue, but I don’t know if that has affected
the AUR so far, and it also doesn’t affect updates that go through an
AUR helper.
I don’t claim to know what the workload on AUR maintainers is, but if
possible, they should handle this. Otherwise, it would be good to have a
more automatic feature that allows users to flag lesser-used packages
with maintainer changes, which otherwise do not automatically require
review. After all, there has to be some cutoff for package popularity
below which no automatic review is invoked (to not overload the
maintainers).
Automatic review seems to be pretty much pointless. It can be as
innocuous as a maliciously crafted tarball that is pulled from almost the
same upstream location as before. There’s a reason that malware scanners
are not perfect.
~ kleines Filmröllchen
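The maintainer-change warning discussed in the thread (flagging an update whose maintainer differs from the one seen at install time, with a popularity cutoff deciding which hits should additionally require maintainer review), as an added example. This is not code from the AUR, aurweb or any AUR helper. It assumes a helper records the version and maintainer it saw when each package was installed (the `INSTALLED` table is constructed), and that the current state is read from AUR RPC `info` results carrying `Name`, `Version`, `Maintainer` and `Popularity` fields; `CURRENT_RPC` is constructed sample data in that shape, not a live response, and the field names and the `POPULARITY_CUTOFF` value are assumptions.

```python
"""Warn on AUR updates whose maintainer differs from the one recorded at install.

Added example, not part of the AUR or any AUR helper. Assumptions:
- the helper stored {version, maintainer} per package at install time;
- AUR RPC v5 `info` results expose Name / Version / Maintainer / Popularity;
- packages above POPULARITY_CUTOFF are the ones for which human review of the
  new maintainer's first upload would be required rather than just a warning.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed: what the helper recorded when each package was installed.
INSTALLED = {
    "foo-bin": {"version": "1.2.0-1", "maintainer": "alice"},
    "bar-git": {"version": "r120.abc123-1", "maintainer": "bob"},
    "baz": {"version": "3.0-2", "maintainer": "carol"},
    "qux": {"version": "0.9-1", "maintainer": None},  # orphaned at install time
}

# Constructed sample shaped like AUR RPC v5 `info` results (assumed field names).
CURRENT_RPC = {"results": [
    {"Name": "foo-bin", "Version": "1.2.1-1", "Maintainer": "alice", "Popularity": 12.5},
    {"Name": "bar-git", "Version": "r125.def456-1", "Maintainer": "mallory", "Popularity": 40.0},
    {"Name": "baz", "Version": "3.0-2", "Maintainer": "dave", "Popularity": 0.3},
    {"Name": "qux", "Version": "1.0-1", "Maintainer": "eve", "Popularity": 1.1},
]}

POPULARITY_CUTOFF = 5.0  # assumed threshold separating "warn" from "require review"


@dataclass(frozen=True)
class MaintainerChange:
    name: str
    old_version: str
    new_version: str
    old_maintainer: Optional[str]
    new_maintainer: Optional[str]
    popularity: float

    @property
    def requires_review(self) -> bool:
        """Popular packages get mandatory review; the rest only a user warning."""
        return self.popularity >= POPULARITY_CUTOFF

    @property
    def adopted_orphan(self) -> bool:
        """The specific attack pattern: an orphan picked up by a new account."""
        return self.old_maintainer is None and self.new_maintainer is not None

    def text(self) -> str:
        kind = "adopted orphan" if self.adopted_orphan else "maintainer changed"
        action = "REVIEW REQUIRED" if self.requires_review else "warning"
        return (f"{self.name} {self.old_version} -> {self.new_version}: {kind} "
                f"({self.old_maintainer!r} -> {self.new_maintainer!r}) [{action}]")


def maintainer_changes(installed, rpc, cutoff=POPULARITY_CUTOFF):
    """Return one MaintainerChange per package whose pending update comes from
    a maintainer other than the one recorded at install time.

    A package whose version is unchanged is skipped: there is nothing new to
    install, and the change will surface once that maintainer pushes a release.
    """
    global POPULARITY_CUTOFF
    POPULARITY_CUTOFF = cutoff
    found = []
    for rec in rpc["results"]:
        name = rec["Name"]
        old = installed.get(name)
        if old is None:
            continue  # not installed from the AUR by this helper
        if rec["Version"] == old["version"]:
            continue  # no update pending, so nothing to warn about yet
        new_maint = rec.get("Maintainer")  # None when the package is orphaned
        if new_maint == old["maintainer"]:
            continue  # same maintainer as before
        found.append(MaintainerChange(name, old["version"], rec["Version"],
                                      old["maintainer"], new_maint,
                                      float(rec.get("Popularity", 0.0))))
    return found


if __name__ == "__main__":
    for change in maintainer_changes(INSTALLED, CURRENT_RPC):
        print(change.text())
```

Run against the constructed data it reports `bar-git` (new maintainer, popular enough to need review) and `qux` (orphan adopted by a new account, warning only); `foo-bin` is a same-maintainer update and `baz` changed hands without a new release, so neither is reported. A real helper would persist the recorded maintainer in its own database and re-prompt the user before building the first version from the new maintainer.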