On Wed, 2026-06-17 at 10:07 +0200, Evert Vorster wrote: > > If the goal is to 100% secure the AUR, it is going to take 100% > effort. > But according to the old 80/20 rule, we can achieve 80% security with > 20% effort.
Right now, we are pretty much at Zero which is lifted to 10% only by the great work of the maintainers and cleaners. I agreed with "aiming for 80% at 20% of the effort". I also suggest to look at the long term sustainability -- everyone is excited and supportive at the begin. But this fades fast usually. > In my opinion, we should aim to close the door these attackers got > through, without over-engineering things. Just two questions: 1) how are Banks doing it <-- probably over-engineered, but safest practise 2) how are GitHub and Co. doing it <-- probably too unsafe yet? > That would be the least effort for the most gain. SIM registration is well regulated in (almost) all countries these days. Maybe link it to a phone number and confirm it? > > > Once a certain number of existing AUR maintainers have vouched for > the > new user, they get write access, AURSCAN was my first ever contribution related to AUR (simply I immediately needed something). You just killed me 😄 -- no developer knows me or vouched for me. > But, it would stop an llm registering hundreds or thousands of new > maintainers and then using them for nefarious purposes. Which is probably the biggest actual threat right now, agreed. > How to kick it off? Citing the comic strip, where the whole internet stands on one fragile IS project, I still would like to suggest: try to get a Corporate Sponsor onboard (Valve, Anthrophic) and explain to them how they benefit from it. In my corporate experience, the needed infrastructure and effort is nothing that will run on volunteers and good will alone. Or crowd fund AUR. I mean, I pay now Anthrophic for every AUR package I am installing. Simply because this comes much cheaper than trashing my development computers and reinstall everything. > Maybe the trusted pool can be populated with current > maintainers that maintain packages Make it a compensated job and candidates will show up for votes. Best and cheers Andreas
