Length of tine has existed accounts less than 6 months either provide another 
account that is 6 or more months old or no access.Sent from my Galaxy
-------- Original message --------From: [email protected] Date: 6/17/26  14:09  
(GMT-05:00) To: [email protected] Subject: Re: A possible way to 
secure the AUR orphaned packages from being easy target for malicious scripts. 
Hi, There should be a formal RFC opened on the gitlab.I think for a start 
better signup verification to prevent automated account generation is needed. 
Rate limit and catpcha will increase the attack costs. No need to implement 
phone numbers or government ID. Even some PoW sha256 in browser stuff will slow 
down attackers.For adoption of orphans, maybe a mod queue? So at least only one 
malicious package can be uploaded at a time.I think aged accounts with good 
commits and account takeovers are out of scope here.Limiting automated new 
account > orphan takeover > malicious commit, should be the focus.Regards,On 
June 17, 2026 5:40:25 PM UTC, Braeden Theriault <[email protected]> 
wrote:>At the end of the day, before we can decide on a solution, we need 
to>determine how much convenience and freedom the community is willing to 
give>up in exchange for better security.>>As far I can tell, the general 
consensus is not much, but maybe something>like a community poll could help 
guide the decisions on where to go?>>On Wed, Jun 17, 2026, 11:25 a.m. Jay Paul 
<[email protected]> wrote:>>> Respectfully, I don’t think anything needs to 
be changed on the AUR. I’ve>> adopted packages only because it was easy.>>>> If 
I had needed to jump through hoops to do so, then I certainly would>> have left 
it for someone else.>>>> On Wed, Jun 17, 2026 at 12:46 PM Frank W. 
<[email protected]> wrote:>>>>> In my opinion having external account 
linking, although somewhat useful>>> to combat this, would be absolutely 
horrible. Not to mention the fact>>> that not everyone is registered or has any 
kind of interest in having an>>> account on such services.>>>>>> On 6/17/26 
13:20, Braeden Theriault wrote:>>> > Why not add an account link requirement 
for package adoption? Say>>> > linking a Google, proton, or GitHub account as 
those are atleast a>>> > little more difficult to script into existence.>>> > 
For most people who have atleast one other account it wouldn't be an>>> > 
issue, but a script or attacker would have to create said accounts at>>> > the 
same time as the arch accounts.>>> > A side effect would be slowing down the 
rate a human attacker could>>> > create new accounts aswell.>>>>>

Reply via email to