Arch Linux

Version: aurweb v5.0.0

AUR has the following option (https://aur.archlinux.org/account/<user>/edit/):

> Hide Email Address: [ ]
> If you do not hide your email address, it is visible to all registered AUR users. If you hide your email address, it is visible to members of the Arch Linux staff only.

Expected behavior:
It makes it seem that, whenever this option is checked, your email address is completely hidden from other AUR users.

Observed behavior:
However, it's very easy to find another user's email address. A few ways:

1) [mild] PKGBUILDs submitted by users usually have Maintainer: and Contributor: by-lines.
Users do not have to put their email addresses there, or they can put invalid emails (no one will really check), but most users apparently put their correct email address there.

2) [severe] If you flag another user's package (e.g. for deletion), AUR will send the following email to you:

From: notify@aur.archlinux.org
To: aur-requests@lists.archlinux.org
Subject: Deletion Request for <package>
Cc: <user who flagged>, <user who maintains the package>

Therefore it's very easy to bypass that option and effectively figure out any* AUR user's email address: Just flag one of their packages.

* technically speaking it's not anyone, but only users who have at least one submitted package


I don't argue for email's secrecy here, however why do we have this option in the first place if it's so easy to bypass it? I think we should either (i) remove package maintainer from CC when sending emails (i.e. at least, send a separate email to them) or (ii) completely remove this option from aurweb.