On Thursday, 28 May 2026 14:00:10 Central European Summer Time, kleines
Filmröllchen wrote:
> I agree that accounts should have a cooldown period, and there
> are probably some signup limits that can be put in place. A
> proof-of-work scheme that requires more computing power than the
> current signup pseudo-captcha sounds useful (there are existing
> open-source and privacy-respecting implementations of this, but
> I don't remember their names and don't have time to look them up
> right now).
PoW only makes sense against fully-automated, highly scaled attacks. The
current AUR malware attacks aren't like this; they are purposefully
targeted. PoW would only heat up the Earth for nothing, bc doing this
challenge a couple of times a week won't be a problem for attackers.
> On 28.05.26 at 09:55, Pierre Chapuis wrote:
>> I think one of the most effective solutions would be requiring
>> invites like e.g. lobste.rs does
>> (https://lobste.rs/about#invitations).
> This would prevent isolated but still good-faith contributors
> from publishing on the AUR. For social networks like lobste.rs
> and many Fediverse instances, invites are a great approach,
> since people want to talk to their friends/acquaintances. The
> AUR is not a social network except in the broadest possible
> sense. While some people might start using Arch and publish to
> the AUR because someone recommended it to them, others may not,
> and that doesn't automatically make them less qualified, that
> just makes them less part of a social circle where Arch is
> already widespread.
I don't think this is as much of a problem, and it's somewhat of a necessary evil.
When you take this concept further, like with the Web of Trust-like concept
proposal I showed in a previous email, it's more about malicious actors
inviting/vouching/proofing each other, therefore forming clusters in the
user graph that can be checked much more easily. Patterns of malicious
actors should even be algorithmically detectable in the long-term.
In the AUR, new comments would still be allowed for any user, which makes
this very distinct from lobste.rs. And as pointed out previously,
vouching for someone I don't know IRL is still possible, when it's less
about gatekeeping & more about tracking who vouched for whom.
Regards,
Oskar