[Slackbuilds-users] Arch User Repository compromise

Shahab Vahedi list+sbo at vahedi.org
Fri Jun 12 14:17:16 UTC 2026


Jun 12, 2026 Willy Sudiarto Raharjo:

> [...] unless we force all maintainers to
> submit updates via github/gitlab, this kind of situation is easy to
> reproduce, since you just need to know the maintainer's email in order to
> submit new updates on behalf of the original maintainer.

I'm not a fan of using those services, but if that's the price to pay, so be it.

I don't think using gitlab/github is the only way. For example:

1. SB can send emails to every maintainer, letting them set up a password. Later, when they use the submit form, they must fill in this optional password field. After the submission, the CI behind the scenes checks whether the provided pass matches the maintainer's pass...

2. We can use the Forgejo instance from AlienBOB. I'm pretty sure he'll help us there despite his size limit. Or we can run our own instance. I'll be more than happy to donate money in that direction.

3. People can send patches in the form of signed emails (as unpopular an option as it might be, it still could work).


> [...] we do weekly updates, so everyone can review the
> current week's progress in https://slackbuilds.org/ready/ before it's
> merged.

Hardly anyone is going to check that. Security is best kept in check when it is automatically enforced.


-Shahab
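The CI-side check from option 1 above, sketched as an added example (this is not SlackBuilds.org code; the maintainer table, the PBKDF2 parameters and the sample addresses are assumptions made for illustration). The point it makes is the one raised in the thread: once a stored per-maintainer secret is required, knowing the maintainer's email alone no longer lets anyone submit on their behalf.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical maintainer table the CI job would load from a private file:
# email -> (salt, PBKDF2 hash). Passwords are never stored in clear text.
MAINTAINERS = {}

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def set_password(email: str, password: str, salt: Optional[bytes] = None) -> None:
    """The 'set up a password' step: store a salted hash for one maintainer."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    MAINTAINERS[email] = (salt, digest)


def submission_allowed(email: str, password: Optional[str]) -> bool:
    """The CI check: accept a submission only if the claimed maintainer is
    known and the optional password field matches their stored hash.
    An unknown email or an empty password field is rejected outright."""
    record = MAINTAINERS.get(email)
    if record is None or not password:
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample data: one maintainer who has set a password.
    set_password("maintainer at example.org", "correct horse battery staple")
    # Genuine submission with the password: accepted.
    print(submission_allowed("maintainer at example.org", "correct horse battery staple"))
    # Submission that only knows the email (the scenario from the thread): rejected.
    print(submission_allowed("maintainer at example.org", None))
```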
