2FA would be TOTP and not SMS based (insecure, and privacy issues); it would have barely any impact on account generation.
On May 29, 2026 5:22:16 PM UTC, Adrian Veenhoven <[email protected]> wrote:
>Even if it is not an issue of compromised accounts, wouldn't 2FA help to
>reduce the number of new accounts created by bad actors?
>
>This would at least slow whatever automated workflow they have that goes
>from account creation to them injecting the malicious scripts.
>
>2FA also doesn't feel as invasive as identity verification.
>
>On Thu, May 28, 2026 at 06:24 Pierre Chapuis <[email protected]> wrote:
>
>> Hello list.
>>
>> I didn't see what happened in this case exactly but in many cases this
>> happened after a maintainer change, not because of compromise of the
>> existing maintainer's account, so 2FA wouldn't solve it.
>>
>> I think one of the most effective solutions would be requiring invites
>> like e.g. lobste.rs does (https://lobste.rs/about#invitations).
>>
>> Requiring reviews by "high reputation" maintainers after an adoption for
>> highly-used packages could also help. The various UIs (AUR web and helpers)
>> could also surface this to the user (warn when a new version is by a
>> different maintainer, for instance).
>>
>> Finally, automated scans can always help I guess, but malicious people
>> will often find ways to work around them.
>>
>> Best.
>>
>> --
>> Pierre Chapuis
>>
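
The "warn when a new version is by a different maintainer" check suggested in the quoted message, written out as an added example; this is not code from the AUR, from any AUR helper, or from anyone in this thread. It reads the fields an AUR RPC v5 "info" response carries (Name, Version, Maintainer, NumVotes, LastModified) and compares each package's current maintainer with the one recorded locally at the last install, distinguishing a change of maintainer, an orphaning, and the adoption case the message describes (orphan picked up by a new account). The sample RPC response, the local state format, and the 100-vote threshold for "highly-used" are constructed assumptions for this example.

```python
import json

# Assumed threshold for this example: a package with at least this many AUR
# votes is treated as "highly-used" and its maintainer change is flagged high.
HIGH_VOTES = 100

# Constructed sample of an AUR RPC v5 "info" response. The field names
# (Name, Version, Maintainer, NumVotes, LastModified) are the ones the RPC
# returns; the packages, maintainers and timestamps are made up.
SAMPLE_RPC_RESPONSE = json.dumps({
    "version": 5,
    "type": "multiinfo",
    "resultcount": 5,
    "results": [
        {"Name": "foo-bin", "Version": "2.0.0-1", "Maintainer": "alice",
         "NumVotes": 520, "LastModified": 1779900000},
        {"Name": "bar-git", "Version": "1.4.0-2", "Maintainer": "mallory",
         "NumVotes": 300, "LastModified": 1779950000},
        {"Name": "baz", "Version": "0.9-3", "Maintainer": None,
         "NumVotes": 12, "LastModified": 1779800000},
        {"Name": "qux", "Version": "3.1-1", "Maintainer": "dave",
         "NumVotes": 8, "LastModified": 1779700000},
        {"Name": "quux", "Version": "5.2-1", "Maintainer": "eve",
         "NumVotes": 150, "LastModified": 1779960000},
    ],
})

# Constructed local state (format assumed for this example): the maintainer
# recorded the last time the user installed or updated each package. None
# means the package was orphaned at that time; a missing key means the
# package has never been installed from this machine.
SAMPLE_KNOWN = {
    "foo-bin": "alice",   # unchanged
    "bar-git": "bob",     # now maintained by a different account
    "baz": "carol",       # now orphaned
    "qux": "dave",        # unchanged
    "quux": None,         # was orphaned, now adopted
}


def maintainer_changes(rpc_json, known):
    """Compare each package's current AUR maintainer with the recorded one.

    Returns one warning dict per package whose maintainer differs from the
    recorded value, in the order the RPC returned the packages.
    """
    data = json.loads(rpc_json)
    if data.get("type") == "error":
        raise ValueError("AUR RPC error: %s" % data.get("error", "unknown"))
    warnings = []
    for pkg in data.get("results", []):
        name = pkg["Name"]
        if name not in known:
            continue  # first install: nothing to compare against yet
        previous = known[name]
        current = pkg.get("Maintainer")  # None when the package is orphaned
        if current == previous:
            continue
        if current is None:
            kind = "orphaned"
        elif previous is None:
            kind = "adopted"
        else:
            kind = "maintainer-changed"
        severity = "high" if pkg.get("NumVotes", 0) >= HIGH_VOTES else "medium"
        warnings.append({
            "name": name,
            "version": pkg.get("Version"),
            "previous": previous,
            "current": current,
            "kind": kind,
            "severity": severity,
            "last_modified": pkg.get("LastModified"),
        })
    return warnings


def format_warning(w):
    """One line per warning, as an AUR helper could print it before building."""
    def who(m):
        return m if m is not None else "(orphan)"
    return "[%s] %s %s: %s, maintainer %s -> %s; review the PKGBUILD diff before building" % (
        w["severity"].upper(), w["name"], w["version"], w["kind"],
        who(w["previous"]), who(w["current"]))


def update_known(rpc_json, known):
    """State to persist once the user has reviewed and accepted the updates."""
    new = dict(known)
    for pkg in json.loads(rpc_json).get("results", []):
        new[pkg["Name"]] = pkg.get("Maintainer")
    return new


if __name__ == "__main__":
    for w in maintainer_changes(SAMPLE_RPC_RESPONSE, SAMPLE_KNOWN):
        print(format_warning(w))
```

In a real helper the response would come from the AUR RPC over HTTPS and the state dict would be persisted between runs; the comparison itself is the only part that matters here. Note what this check cannot see: it keys on the maintainer account name, so a package whose existing maintainer account was taken over looks unchanged, which is exactly the case the quoted message says 2FA is meant for, and a change of maintainer is only surfaced, not judged, so the user still has to read the PKGBUILD diff.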
