As an user of the AUR, this is devastating news to me. I am also guilty of accepting updates without reading the latest changes, even if yay asks me if I want to. This is a reminder to everyone to only install from the AUR for absolutely necessary stuff only, and only if you trust the maintainer. And to at least have a look if something suspicious is going in with the recent changes in the package recipe. AND to read in the communities and news.
The fact that the Arch maintainers seem to prefer Reddit over their own fucking news channel is what made me switch from Arch years ago. I got sick of upstream breaking changes fucking my system because they wouldn’t notify people through official channels, only to find it later of /r/archlinux 🙄🙄🙄
since the 2022 grub incident, Arch has done a great job at notifying the news channel when “manual intervention required” AFAIK, and I don’t remember any instances of Arch maintainers only notifying Reddit (and I don’t think they notified Reddit for the grub incident either lol.
As an user of the AUR, this is devastating news to me. I am also guilty of accepting updates without reading the latest changes, even if
yayasks me if I want to. This is a reminder to everyone to only install from the AUR for absolutely necessary stuff only, and only if you trust the maintainer. And to at least have a look if something suspicious is going in with the recent changes in the package recipe. AND to read in the communities and news.I don’t understand why there still no official announcement as a warning from the Archlinux team at https://archlinux.org/news/ . Is there a different place for security news specifically about the AUR to subscribe to? EDIT: https://archlinux.org/news/active-aur-malicious-packages-incident/ They did it, an official message.
The fact that the Arch maintainers seem to prefer Reddit over their own fucking news channel is what made me switch from Arch years ago. I got sick of upstream breaking changes fucking my system because they wouldn’t notify people through official channels, only to find it later of /r/archlinux 🙄🙄🙄
What are you using now?
After the end of Win10 I moved to arch but I think my week end will be filled with moving again. ^^
since the 2022 grub incident, Arch has done a great job at notifying the news channel when “manual intervention required” AFAIK, and I don’t remember any instances of Arch maintainers only notifying Reddit (and I don’t think they notified Reddit for the grub incident either lol.
It’s been 4 years already? WTF?
deleted by creator
deleted by creator
the arch news channel is for breaking changes to arch pacakges (so not the AUR) only. maybe you could subscribe to aur-general@lists.archlinux.org.
They are actually putting a message on the regular news feed about the AUR! https://archlinux.org/news/active-aur-malicious-packages-incident/ As it should be. It just took a bit too long in my opinion, as discussions are going on since yesterday.
I was hoping to subscribe with RSS. Not sure how to subscribe there.
it’s a mailing list, so heads up, if you subscribe you’re also gonna get other discussion like the forums.
https://lists.archlinux.org/mailman3/lists/aur-general.lists.archlinux.org/