On 6/12/26 2:22 AM, Iyán Méndez Veiga wrote:
I think making AUR read-only would affect its functionality too much. I like the proposal of modifying the adoption step only. Perhaps adding a time delay is also enough, and would not add extra manual work to Arch Linux developers.
For example, it could be something like this:
Min account age before being able to submit a new PKGBUILD: 24h
Min account age before being able to adopt orphan PKGBUILD: 7d
Of course, this does not protect against account takeovers, or against patient attackers that can wait a week to adopt packages, but it would improve things a little bit without affecting AUR too much. They cannot simply create new accounts after old ones are banned, they have to wait another week.
If all the attacks happened via the PKGBUILD adoption way, perhaps the requirements can be toughened even more, like requiring a min number of packages already being maintained by the account before allowing them to orphan.
I like those ideas, I also think we can consider:

1) holding first X (10?) commits for new users until reviewed by human-in-the-loop; AND
2) holding commits for new users for X (30?) day period until reviewed by human-in-the-loop.

That does add moderator involvement on the *front-end*, but it would take no more moderator time than reverting changes to remove the malware and banning the user currently done on the *back-end*. That would keep the malware from reaching AUR.

A big thanks to the moderators and the community's efforts. This is no fun, but appears to be a new normal.

--
David C. Rankin, J.D.,P.E.