one thing hwanii mentioned is interesting,

he said auth_mysql wants AK and TK to unlock the repo. that's why we believe an unauthorized user cannot use TSN to download packages. but if auth-client is open source, then people can hack down to find out how the hardware hash and all other local info are generated, save them, and use them on another machine to cheat auth_mysql that this machine is also authorized. That's possible, I think.

that is right

my new study on the auth process tells me, when axtu is trying to download packages, only ak&tk is required, so literally any machine that has the ak&tk can download packages.

fix it

To avoid this, the former axtu developer actually does this:

but if both axtu and auth-client are open source, people can simply disable all the first operations. and the last one as well, if it is not forced by the server side.