Even if it is not an issue of compromised accounts, wouldn’t 2FA help to
reduce the number of new accounts created by bad actors?

This would at least slow whatever automated workflow they have that goes
from account creation to them injecting the malicious scripts.

2FA also doesn't feel as invasive as identity verification.

On Thu, May 28, 2026 at 06:24 Pierre Chapuis <[email protected]> wrote:

> Hello list.
>
> I didn't see what happened in this case exactly but in many cases this
> happened after a maintainer change, not because of a compromise of the
> existing maintainer's account, so 2FA wouldn't solve it.
>
> I think one of the most effective solutions would be requiring invites
> like e.g. lobste.rs does (https://lobste.rs/about#invitations).
>
> Requiring reviews by "high reputation" maintainers after an adoption for
> highly-used packages could also help. The various UIs (AUR web and helpers)
> could also surface this to the user (warn when a new version is by a
> different maintainer, for instance).
>
> Finally, automated scans can always help I guess, but malicious people
> will often find ways to work around them.
>
> Best.
>
> --
> Pierre Chapuis
>
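One way a helper could implement the "warn when a new version is by a different maintainer" idea from the quoted message, as an added example that is not part of the thread and not code from any AUR helper. It assumes the helper keeps a snapshot of the maintainer it last saw for each installed package; the package records below are constructed for illustration, and an orphaned package (no maintainer) followed by a new maintainer is reported as an adoption.

```python
# Added example: flag package updates whose maintainer differs from the
# maintainer recorded for the previously seen version. The records are
# constructed for illustration and are not real AUR data.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PkgVersion:
    name: str
    version: str
    maintainer: Optional[str]  # None models an orphaned package (assumed field name)


# Constructed snapshot of what the helper recorded at install time.
PREVIOUSLY_SEEN = {
    "foo-bin": PkgVersion("foo-bin", "1.4.0-1", "alice"),
    "bar-git": PkgVersion("bar-git", "r120.abc123-1", "bob"),
    "qux": PkgVersion("qux", "2.0.0-1", None),  # was orphaned when last seen
}

# Constructed metadata for the versions now offered.
NOW_OFFERED = [
    PkgVersion("foo-bin", "1.5.0-1", "mallory"),    # maintainer changed
    PkgVersion("bar-git", "r121.def456-1", "bob"),  # same maintainer, no warning
    PkgVersion("baz", "0.1.0-1", "carol"),          # never seen before, no baseline
    PkgVersion("qux", "2.1.0-1", "dave"),           # orphan adopted by a new maintainer
]


def maintainer_change_warnings(previous, offered):
    """Return (name, kind, old_maintainer, new_maintainer, old_version, new_version)
    for every offered version whose maintainer differs from the recorded one.
    kind is "adopted" when the package was orphaned before, else "changed"."""
    warnings = []
    for pkg in offered:
        old = previous.get(pkg.name)
        if old is None:
            continue  # first time we see this package: nothing to compare against
        if old.maintainer == pkg.maintainer:
            continue  # same maintainer as before
        kind = "adopted" if old.maintainer is None else "changed"
        warnings.append((pkg.name, kind, old.maintainer, pkg.maintainer,
                         old.version, pkg.version))
    return warnings


def format_warning(w):
    name, kind, old_m, new_m, old_v, new_v = w
    old_label = old_m if old_m is not None else "(orphan)"
    return (f"WARNING: {name} {old_v} -> {new_v}: maintainer {kind} "
            f"from {old_label} to {new_m}; review the PKGBUILD diff before building")


if __name__ == "__main__":
    for w in maintainer_change_warnings(PREVIOUSLY_SEEN, NOW_OFFERED):
        print(format_warning(w))
```

The check is deliberately a prompt for review rather than a block: a maintainer change is normal and common, so the useful output is a warning that points the user at the PKGBUILD diff, which is where injected code would show up.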
