AUR Changes Affecting Your Privacy

As a registered AUR user, I have just received the following email.

Dear AUR user,

The next aurweb release, which will be released on 2017-12-03, includes
a public interface to obtain a list of user names of all registered
users. This means that, starting on 2017-12-03, your user name will be
visible to the general public. The user name is the account name you
specified when registering, and it is the only information included in
this list. Any other account information, such as your real name or your
e-mail address, will not be retrievable through this new interface.
However, note that some of that information might already be visible
directly or indirectly in other parts of the AUR web interface, such as
your public profile or content you submitted to the AUR.

If you do not agree to this change, please delete your account by
logging into the AUR web interface, going to your account details page
and clicking the account deletion link before 2017-12-03. This account
deletion is permanent and cannot be undone.

Thanks for using the AUR!

The Arch Linux Team
2 Likes

I got the same email. Having little/no use for my AUR account these days I deleted mine.

If I ever need to make contact with a package maintainer I'll create a new account for the job.

I don't understand why you would want to be able to list all usernames...

Looks to be this commit:

https://git.archlinux.org/aurweb.git/commit/?id=d9883ee64215ee91bfe1cc3e75c83ec6e6875671

1 Like

Possibly I'm missing something, but I still see no major difference. Currently, when logged in, I can see my own packages as well as others'.

[Screenshot from 2017-11-05 15-31-40]

And:

The user name is the account name you specified when registering, and it is the only information included in this list.

Which changes do you find unacceptable?


It's this weird thing about anyone on the web being able to pull a list of all usernames. I can't see the reason behind that.

Agreed. Still I see no additional threat.

1 Like

Useful mailing list links in my Arch thread: https://bbs.archlinux.org/viewtopic.php?id=231564

1 Like

Thanks for looking into it for us @jonathon

I for one, can't see the harm in providing a list of usernames. Hell, most forum software does that out of the box.

The part that gets me is the "public" term. If you can get a list when you are not even logged in, I can't see why this would be necessary.
But then again, it's not hard to create a user and then get the list either.

2 Likes

Agree. Don't quite see the privacy problem with usernames, but that doesn't mean one should be able to easily obtain the list.

I'm not maintaining any packages, so I'll make one when I need to message a maintainer & then delete it. Create a new named user next time I have to do the same.

Damn such databases I say. (Even though this change currently seems harmless.)
