Hi, 
There should be a formal RFC opened on the gitlab.

I think for a start better signup verification to prevent automated account 
generation is needed. Rate limit and catpcha will increase the attack costs. No 
need to implement phone numbers or government ID. Even some PoW sha256 in 
browser stuff will slow down attackers.

For adoption of orphans, maybe a mod queue? So at least only one malicious 
package can be uploaded at a time.

I think aged accounts with good commits and account takeovers are out of scope 
here.

Limiting automated new account > orphan takeover > malicious commit, should be 
the focus.

Regards,

On June 17, 2026 5:40:25 PM UTC, Braeden Theriault <[email protected]> 
wrote:
>At the end of the day, before we can decide on a solution, we need to
>determine how much convenience and freedom the community is willing to give
>up in exchange for better security.
>
>As far I can tell, the general consensus is not much, but maybe something
>like a community poll could help guide the decisions on where to go?
>
>On Wed, Jun 17, 2026, 11:25 a.m. Jay Paul <[email protected]> wrote:
>
>> Respectfully, I don’t think anything needs to be changed on the AUR. I’ve
>> adopted packages only because it was easy.
>>
>> If I had needed to jump through hoops to do so, then I certainly would
>> have left it for someone else.
>>
>> On Wed, Jun 17, 2026 at 12:46 PM Frank W. <[email protected]> wrote:
>>
>>> In my opinion having external account linking, although somewhat useful
>>> to combat this, would be absolutely horrible. Not to mention the fact
>>> that not everyone is registered or has any kind of interest in having an
>>> account on such services.
>>>
>>> On 6/17/26 13:20, Braeden Theriault wrote:
>>> > Why not add an account link requirement for package adoption? Say
>>> > linking a Google, proton, or GitHub account as those are atleast a
>>> > little more difficult to script into existence.
>>> > For most people who have atleast one other account it wouldn't be an
>>> > issue, but a script or attacker would have to create said accounts at
>>> > the same time as the arch accounts.
>>> > A side effect would be slowing down the rate a human attacker could
>>> > create new accounts aswell.
>>>
>>

Reply via email to