Hi all,
I'd like feedback on adding optional Sigstore/Rekor publishing to aurweb
before I work on a patch. I'd like to do this to support robust
dependency cooldowns in AUR helpers.
The problem: aurweb has no trustworthy history of when a package was
pushed. PackageBases.ModifiedTS (LastModified in API) is the only
trusted value.
Dependency cooldowns (as recently adopted by npm/crates.io) let clients
have a waiting period before installing a package. Now that yay/paru
both support hooks, doing this is quite trivial on the client side
except for one problem: a client doesn't know what is a "1-day old"
commit that clears the cooldown. Relying on commit timestamps obviously
doesn't work since those are client-side.
Proposal: on each accepted push, submit a small signed attestation to
Rekor. Rekor returns an inclusion proof and a trusted timestamp. It's
append-only by construction, verifiable without trusting the AUR, and
cheap for us — Rekor holds the log, the hook in update.py is small and
can be feature-flagged off. Clients should be able to search Rekor for
discovering the commit as per their policy.
Alternative: a GitHub-style events API
(https://api.github.com/repos/archlinux/aurweb/events). We save each
commit and the corresponding timestamp, but this feels like more work
for little gain.
I lean toward Rekor, but I'd welcome opinions on the external dependency
and whether a hybrid makes sense. Happy to prototype the update.py hook
if there's interest.
I don't know yet what form the attestation will take, but
opinions/prior-art welcome.
-
Nemo
AURA
Ecosystem, Qubuhub
On Fri, 12 Jun 2026 at 9:07 AM <aur-dev-request(a)lists.archlinux.org> wrote:
> Send Aur-dev mailing list submissions to
> aur-dev(a)lists.archlinux.org
>
> To subscribe or unsubscribe via email, send a message with subject or
> body 'help' to
> aur-dev-request(a)lists.archlinux.org
>
> You can reach the person managing the list at
> aur-dev-owner(a)lists.archlinux.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Aur-dev digest..."
>
> Today's Topics:
>
> 1. Fwd: AUR Ownership Notification for android-support-repository
> (Sasha Moak)
> 2. Re: Fwd: AUR Ownership Notification for android-support-repository
> (Jonathan Grotelüschen)
>
>
>
> ---------- Forwarded message ----------
> From: Sasha Moak <sashamoak(a)gmail.com>
> To: aur-dev(a)lists.archlinux.org
> Cc:
> Bcc:
> Date: Thu, 11 Jun 2026 12:53:15 -0700
> Subject: Fwd: AUR Ownership Notification for android-support-repository
> Hello! I am (or was) the owner of this package (
> https://aur.archlinux.org/pkgbase/android-support-repository/)
>
> However, it might have gotten taken over and it's unclear what the new
> owner is trying to do here...
>
>
> https://aur.archlinux.org/cgit/aur.git/tree/android-support-repository-deps…
>
> It's definitely suspect as this should not need to install anything from
> npm. And the new user was recently registered ( 2026-06-11 (UTC)) and is
> making the same changes to other aur packages:
>
> 1.
> https://aur.archlinux.org/cgit/aur.git/commit/?h=blinkenlib&id=3a4465e6677b…
> 2.
> https://aur.archlinux.org/cgit/aur.git/commit/?h=monochrome&id=ac99c178127f…
>
> Definitely looking strange to me...
>
> Not sure how the new user took over my package though? I thought I'd at
> least have the ability to approve/deny?
>
> Just wanted to drop the message here to see if there's a way to either
> delete the package entirely or remove the user? And to look into whatever
> it is they're doing?
>
> Best,
>
> Sasha Moak
>
> ---------- Forwarded message ---------
> From: <notify(a)aur.archlinux.org>
> Date: Thu, Jun 11, 2026 at 10:13 AM
> Subject: AUR Ownership Notification for android-support-repository
> To: <sasha.moak(a)gmail.com>
>
>
> The package android-support-repository [1] was adopted by huldaschurch
> [2].
>
> [1] https://aur.archlinux.org/pkgbase/android-support-repository/
> [2] https://aur.archlinux.org/account/huldaschurch/
>
>
>
> ---------- Forwarded message ----------
> From: "Jonathan Grotelüschen" <tippfehlr(a)archlinux.org>
> To: aur-dev(a)lists.archlinux.org, sashamoak(a)gmail.com
> Cc:
> Bcc:
> Date: Thu, 11 Jun 2026 23:54:35 +0200
> Subject: Re: Fwd: AUR Ownership Notification for android-support-repository
> On 2026-06-11 21:53, Sasha Moak wrote:
> > Hello! I am (or was) the owner of this package (https://
> > aur.archlinux.org/pkgbase/android-support-repository/ <https://
> > aur.archlinux.org/pkgbase/android-support-repository/>).
> >
>
> Hi Sasha!
>
> > However, it might have gotten taken over and it's unclear what the new
> > owner is trying to do here...
> >
> > https://aur.archlinux.org/cgit/aur.git/tree/android-support-repository-
> > deps.install?h=android-support-
> > repository&id=3bd1a2091b16e6e75d7a0a9a6fd19a07f578a4dc <https://
> > aur.archlinux.org/cgit/aur.git/tree/android-support-repository-
> > deps.install?h=android-support-
> > repository&id=3bd1a2091b16e6e75d7a0a9a6fd19a07f578a4dc>
>
> I already deleted the malicious commit and banned the account, and now
> also disowned the package so you can adopt it again.
>
> >
> > It's definitely suspect as this should not need to install anything from
> > npm. And the new user was recently registered ( 2026-06-11 (UTC)) and is
> > making the same changes to other aur packages:
> >
> > 1. https://aur.archlinux.org/cgit/aur.git/commit/?
> > h=blinkenlib&id=3a4465e6677b1531161dc36fc3c2e64207ba02dd <https://
> > aur.archlinux.org/cgit/aur.git/commit/?
> > h=blinkenlib&id=3a4465e6677b1531161dc36fc3c2e64207ba02dd>
> > 2. https://aur.archlinux.org/cgit/aur.git/commit/?
> > h=monochrome&id=ac99c178127f5adad5fd62d44d72d0b545ca23e7 <https://
> > aur.archlinux.org/cgit/aur.git/commit/?
> > h=monochrome&id=ac99c178127f5adad5fd62d44d72d0b545ca23e7>
> >
> > Definitely looking strange to me...
> >
> > Not sure how the new user took over my package though? I thought I'd at
> > least have the ability to approve/deny?
> >
>
> My guess is that you disowned the package when declaring the package as
> deprecated. That would match the notification email.
>
> > Just wanted to drop the message here to see if there's a way to either
> > delete the package entirely or remove the user? And to look into
> > whatever it is they're doing?
> >
> > Best,
> >
> > Sasha Moak
>
> Best,
> Jonathan
> _______________________________________________
> Aur-dev mailing list -- aur-dev(a)lists.archlinux.org
> To unsubscribe send an email to aur-dev-leave(a)lists.archlinux.org
>
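The client-side half of the proposal above, as an added example that is not code from this thread, from aurweb or from Rekor: a helper-style hook that decides whether a commit has cleared a one-day cooldown using only the log's integration time, after checking the entry's inclusion proof. Assumptions are labelled in the code: the attestation shape (`pkgbase`, `commit`) is hypothetical, the sample log entries and commit ids are constructed, and the Merkle hashing follows RFC 6962/RFC 9162 (leaf `0x00||data`, node `0x01||left||right`), which is the tree shape Rekor uses; in a real client the proof, tree size and root would come from the log server rather than being computed locally.

```python
"""Added example, not code from the aur-dev thread, aurweb or Rekor: a
client-side "dependency cooldown" check over a Rekor-style append-only log.

Assumptions:
  - each accepted push was recorded as a small JSON attestation
    {"pkgbase": ..., "commit": ...} (hypothetical shape);
  - leaves and nodes are hashed as in RFC 6962 / RFC 9162
    (0x00 || leaf, 0x01 || left || right), the Merkle tree Rekor uses;
  - the only time the client trusts is the log's integration time
    (Rekor's integratedTime, Unix seconds), never the git commit date.
"""
import hashlib
import json
from typing import Dict, List

COOLDOWN = 24 * 3600  # policy: a commit must be at least one day old in the log


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: List[bytes]) -> bytes:
    """RFC 6962 Merkle tree hash over a non-empty list of leaf hashes."""
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Sibling hashes from the leaf up to the root (RFC 6962 PATH)."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """RFC 9162 section 2.1.3.2 inclusion-proof verification."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1) and fn != 0:   # climb past right-edge nodes
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def canonical(attestation: Dict) -> bytes:
    return json.dumps(attestation, sort_keys=True, separators=(",", ":")).encode()


# Constructed sample log: what a push hook would have appended on each accepted
# push, plus the integration time the log reported back. Commit ids are
# placeholders, not real AUR history.
LOG = [
    {"body": {"pkgbase": "blinkenlib", "commit": "1" * 40}, "integratedTime": 1_780_000_000},
    {"body": {"pkgbase": "monochrome", "commit": "2" * 40}, "integratedTime": 1_780_050_000},
    {"body": {"pkgbase": "blinkenlib", "commit": "3" * 40}, "integratedTime": 1_780_090_000},
    {"body": {"pkgbase": "monochrome", "commit": "4" * 40}, "integratedTime": 1_780_120_000},
    {"body": {"pkgbase": "blinkenlib", "commit": "5" * 40}, "integratedTime": 1_780_130_000},
]


def check_commit(log: List[Dict], pkgbase: str, commit: str, now: int,
                 cooldown: int = COOLDOWN) -> str:
    """Decision an AUR helper hook would make for one commit.

    Returns "not-in-log", "bad-proof", "cooling-down" or "ok". Here the proof,
    tree size and root are computed from the constructed LOG so the example
    runs offline; a real client fetches them from the log server.
    """
    leaves = [leaf_hash(canonical(e["body"])) for e in log]
    root = merkle_root(leaves)
    for index, entry in enumerate(log):
        body = entry["body"]
        if body["pkgbase"] == pkgbase and body["commit"] == commit:
            proof = inclusion_proof(leaves, index)
            if not verify_inclusion(leaves[index], index, len(leaves), proof, root):
                return "bad-proof"
            if now - entry["integratedTime"] < cooldown:
                return "cooling-down"
            return "ok"
    return "not-in-log"   # no attestation means the cooldown never started


if __name__ == "__main__":
    now = 1_780_130_000 + 3600   # one hour after the newest push in LOG
    for e in LOG:
        b = e["body"]
        print(b["pkgbase"], b["commit"][:7], check_commit(LOG, b["pkgbase"], b["commit"], now))
```

The policy deliberately treats "not in the log" the same as "not yet cleared": a push that never produced an attestation (hook disabled, log unreachable) gives the client no trusted timestamp to count from, so it must not be installable under a cooldown rule.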