On 12/06/2026 09:12, 1F616EMO wrote:
As i see, recently theres very much malicioud packages, that i decided to stop updating my aur packages. We could put aur read only, so we can remove all malware and figure solutions before new one arrives.It seems like only orphaned packages are affected. We could pause adoption or introduce a "human-in-the-loop" approach, though making the entire AUR read-only is too harsh and would affect legitimate packages and established maintainers.
I think making AUR read-only would affect its functionality too much. I like the proposal of modifying the adoption step only. Perhaps adding a time delay is also enough, and would not add extra manual work to Arch Linux developers.
For example, it could be something like this: Min account age before being able to submit a new PKGBUILD: 24h Min account age before being able to adopt orphan PKGBUILD: 7dOf course, this does not protect against account takeovers, or against patient attackers that can wait a week to adopt packages, but it would improve things a little bit without affecting AUR too much. They cannot simply create new accounts after old ones are banned, they have to wait another week.
If all the attacks happened via the PKGBUILD adoption way, perhaps the requirements can be toughen even more, like requiring a min number of packages already being maintained by the account before allowing to orphan.
-- Iyán Méndez Veiga GPG Key: 204C 461F BA8C 81D1 0327 E647 422E 3694 311E 5AC1
OpenPGP_signature.asc
Description: OpenPGP digital signature
