First - Thank you to all package maintainers and administrators. You're the magic behind all this.

I'd also agree that identity verification doesn't provide much value, and likely presents more concerns. To Oskar's point below, we are not alone with this challenge, and it appears we can leverage others that have implemented processes to create "trusted users."

- account cool down periods for new accounts are probably good.
- identification or responsibility for who "vouched" for a user is probably good.
- identifying suspicious behavior such as claiming an unusual number of orphaned packages is probably good.

Changes discussed as needed to be able to address these issues are likely significant and foundational to how the AUR works. Monitoring to identify unusual/suspicious activity and link it through the current system may be a valid approach to help mitigate the risk. Controls on adding new maintainers or trusted users are also likely needed to reduce the cycle of malicious activity. Assuming it's frequent enough to warrant the energy.

Announcements on the AUR and this distribution list along with "validate what you're installing" have mostly been adequate for me as a user.

If this discussion warrants further coordination and organization, what are the next steps or correct forum to manage feedback and ideas?

Thanks,
Confusedwiseman

On Thursday, May 28th, 2026 at 12:03 PM, Oskar Roesler <[email protected]> wrote:

> On Thursday, 28 May 2026 14:00:10 Central European Summer Time, kleines
> Filmröllchen wrote:
> > I agree that accounts should have a cooldown period, and there
> > are probably some signup limits that can be put in place. A
> > proof-of-work scheme that requires more computing power than the
> > current signup pseudo-captcha sounds useful (there are existing
> > open-source and privacy-respecting implementations of this, but
> > I don’t remember their names and don’t have time to look them up
> > right now).
>
> PoW only makes sense against fully-automated, highly scaled attacks. The
> current AUR malware attacks aren't like this, they are purposefully
> targeted. PoW would only heat up the Earth for nothing, bc doing this
> challenge a couple of times a week won't be a problem for attackers.
>
> > On 28.05.26 at 09:55, Pierre Chapuis wrote:
> >> I think one of the most effective solutions would be requiring
> >> invites like e.g. lobste.rs does
> >> (https://lobste.rs/about#invitations).
> >
> > This would prevent isolated but still good-faith contributors
> > from publishing on the AUR. For social networks like lobste.rs
> > and many Fediverse instances, invites are a great approach,
> > since people want to talk to their friends/acquaintances. The
> > AUR is not a social network except in the broadest possible
> > sense. While some people might start using Arch and publish to
> > the AUR because someone recommended it to them, others may not,
> > and that doesn’t automatically make them less qualified, that
> > just makes them less part of a social circle where Arch is
> > already widespread.
>
> I don't think this is as much of a problem & somewhat a necessary evil.
> When you take this concept further like with the Web of Trust alike concept
> proposal I showed in a previous email, it's more about malicious actors
> inviting/vouching/proofing each other, therefore forming clusters in the
> user graph that can be checked much more easily. Patterns of malicious
> actors should even be algorithmically detectable in the long-term.
> In the AUR, new comments would still be allowed for any user, which makes
> this very distinct from lobste.rs. And as pointed out previously,
> vouching for someone I don't know IRL is still possible, when it's less
> about gatekeeping & more about tracking who vouched for whom.
>
> Regards,
>
> Oskar
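One way to make the cluster check Oskar describes concrete, as an added example that is not from this thread or from the AUR code base: treat vouches as a directed graph, and group every account that has no vouch chain back to a trusted root together with the other unrooted accounts it vouches for. The account names, edges and the single trusted root below are constructed sample data.

```python
# Added example: find self-vouching clusters in a vouch graph.
# An edge (a, b) means account a vouched for account b.
# Accounts reachable from a trusted root along vouch edges are considered
# rooted; everything else is grouped into connected components, each of
# which is a cluster a moderator would review as a unit.
from collections import defaultdict, deque

def reachable_from(roots, vouches):
    """Return the set of accounts reachable from the trusted roots."""
    graph = defaultdict(list)
    for voucher, vouchee in vouches:
        graph[voucher].append(vouchee)
    seen, queue = set(roots), deque(roots)
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def find_self_vouching_clusters(accounts, roots, vouches):
    """Group unrooted accounts into clusters, largest first.
    A ring of accounts vouching only for each other shows up as one
    cluster; a brand-new account nobody vouched for is a singleton."""
    unrooted = set(accounts) - reachable_from(roots, vouches)
    adj = defaultdict(set)
    for a, b in vouches:
        # An unrooted account vouching for a rooted one does not make the
        # voucher rooted, so only unrooted-to-unrooted edges link clusters.
        if a in unrooted and b in unrooted:
            adj[a].add(b)
            adj[b].add(a)
    clusters, seen = [], set()
    for start in sorted(unrooted):
        if start in seen:
            continue
        comp, queue = [], deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.append(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        clusters.append(sorted(comp))
    return sorted(clusters, key=lambda c: (-len(c), c[0]))

# Constructed sample data: one trusted root, a legitimate chain, a ring of
# three accounts vouching for each other, and one account with no vouches.
TRUSTED_ROOTS = {"tu_alice"}
SAMPLE_ACCOUNTS = {"tu_alice", "bob", "carol", "mal1", "mal2", "mal3", "dave"}
SAMPLE_VOUCHES = [("tu_alice", "bob"), ("bob", "carol"),
                  ("mal1", "mal2"), ("mal2", "mal3"), ("mal3", "mal1"),
                  ("mal1", "bob")]

if __name__ == "__main__":
    for cluster in find_self_vouching_clusters(SAMPLE_ACCOUNTS, TRUSTED_ROOTS, SAMPLE_VOUCHES):
        print(len(cluster), "unrooted:", ", ".join(cluster))
```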
