AUR web interface

**This is the bug tracker for the AUR web interface.**

Use this tracker to report bugs or make feature requests regarding the behaviour or implementation of the AUR software.
Please read the Reporting Bug Guidelines before filing a new task.
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

- Please report bugs related to Arch Linux official packages here: http://bugs.archlinux.org/index.php?project=1
- Please report bugs for [community] packages here: http://bugs.archlinux.org/index.php?project=5
- For any packages in the AUR contact the maintainer or leave a comment on the package's detail page.

Source Code:
https://projects.archlinux.org/aurweb.git/

FS#71846 - "Hide Email Address" option can be easily worked around, effectively not useful

Attached to Project: AUR web interface
Opened by Thiago Perrotta (thiagowfx) - Monday, 16 August 2021, 02:18 GMT
Task Type Bug Report
Category Security
Status Unconfirmed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version git
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 1
Private No

Details

Version: aurweb v5.0.0

AUR has the following option (https://aur.archlinux.org/account/<user>/edit/):

> Hide Email Address: [ ]
> If you do not hide your email address, it is visible to all registered AUR users. If you hide your email address, it is visible to members of the Arch Linux staff only.

Expected behavior:
It makes it seem that, whenever this option is checked, your email address is completely hidden from other AUR users.

Observed behavior:
However, it's very easy to find another user's email address. A few ways:

1) [mild] PKGBUILDs submitted by users usually have Maintainer: and Contributor: by-lines.
Users do not have to put their email addresses there, or they can put invalid emails (no one will really check), but most users apparently put their correct email address there.

2) [severe] If you flag another user's package (e.g. for deletion), AUR will send the following email to you:

From: notify@aur.archlinux.org
To: aur-requests@lists.archlinux.org
Subject: Deletion Request for <package>
Cc: <user who flagged>, <user who maintains the package>

Therefore it's very easy to bypass that option and effectively figure out any* AUR user's email address: Just flag one of their packages.

* technically speaking it's not anyone, but only users who have at least one submitted package


I don't argue for email secrecy here; however, why do we have this option in the first place if it's so easy to bypass? I think we should either (i) remove the package maintainer from CC when sending emails (i.e. at least send a separate email to them) or (ii) completely remove this option from aurweb.
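The mitigation the reporter proposes under (i), sending each party its own copy instead of one message that carries both addresses in Cc, can be checked mechanically. The following is an added illustration, not aurweb's own notification code: the user records, the package name and the helper names (`build_shared_cc`, `build_per_recipient`, `leaked_addresses`) are constructed for this example. `build_shared_cc` reproduces the single-Cc layout shown in the report, `build_per_recipient` produces one message per recipient, and `leaked_addresses` scans the headers of every delivered copy for a hidden address that would reach someone other than its owner.

```python
"""Per-recipient notification mail versus one CC'd message.

Added illustration, not aurweb's own code. The user records, helper names
and package name below are constructed for this example.
"""
from email.message import EmailMessage

FROM_ADDR = "notify@aur.archlinux.org"
LIST_ADDR = "aur-requests@lists.archlinux.org"

# Constructed sample users; "hide_email" mirrors the account option on the page.
REQUESTER = {"email": "requester@example.org", "hide_email": True}
MAINTAINER = {"email": "maintainer@example.net", "hide_email": True}


def _base_message(package: str, request_type: str) -> EmailMessage:
    """Headers and body shared by every copy of one request notification."""
    msg = EmailMessage()
    msg["From"] = FROM_ADDR
    msg["Subject"] = f"{request_type} Request for {package}"
    msg.set_content(f"A {request_type.lower()} request was filed for {package}.")
    return msg


def build_shared_cc(package, request_type, requester, maintainer):
    """The layout the report describes: one message, both users on Cc.

    Returns {recipient: message}; every recipient receives the same header
    block, so each one sees the other party's address.
    """
    msg = _base_message(package, request_type)
    msg["To"] = LIST_ADDR
    msg["Cc"] = f"{requester['email']}, {maintainer['email']}"
    return {LIST_ADDR: msg, requester["email"]: msg, maintainer["email"]: msg}


def build_per_recipient(package, request_type, requester, maintainer):
    """Hardened form: one copy per recipient, addressed only to that recipient.

    The list copy names nobody but the list; each user copy names only that
    user, so no header ever carries another user's address.
    """
    out = {}
    list_copy = _base_message(package, request_type)
    list_copy["To"] = LIST_ADDR
    out[LIST_ADDR] = list_copy
    for user in (requester, maintainer):
        copy = _base_message(package, request_type)
        copy["To"] = user["email"]
        out[user["email"]] = copy
    return out


def leaked_addresses(messages, users):
    """Return {recipient: {addresses}} for every hidden user address that
    appears in a header of a copy delivered to someone other than its owner.

    An empty dict means the "Hide Email Address" promise holds for this
    notification.
    """
    leaks = {}
    for recipient, msg in messages.items():
        headers = " ".join(f"{name}: {value}" for name, value in msg.items())
        for user in users:
            if (user["hide_email"]
                    and user["email"] != recipient
                    and user["email"] in headers):
                leaks.setdefault(recipient, set()).add(user["email"])
    return leaks


if __name__ == "__main__":
    users = [REQUESTER, MAINTAINER]
    shared = build_shared_cc("examplepkg", "Deletion", REQUESTER, MAINTAINER)
    separate = build_per_recipient("examplepkg", "Deletion", REQUESTER, MAINTAINER)
    print("shared Cc leaks:", leaked_addresses(shared, users))
    print("per-recipient leaks:", leaked_addresses(separate, users))
```

The check deliberately inspects the rendered headers of each delivered copy rather than the application's intent: a regression that re-adds a Cc line, or that sends the list copy to the maintainer, shows up as a non-empty result regardless of how the message was assembled.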