Useful list for those who do use Arch; I’ve only got like two things from AUR and neither is on that list (although I kinda recognize a couple with slightly different names, like what, knock off plugins for official stuff?)
Yesterday I got an email about how one of the packages from this list that I used to maintain was adopted.
AUR
Play stupid games win stupid prizes I guess.
Least surprising thing ever. Nothing is reviewed or approved, not even pro forma.
As a user of the AUR, this is devastating news to me. I am also guilty of accepting updates without reading the latest changes, even if yay asks me if I want to. This is a reminder to everyone to only install from the AUR for absolutely necessary stuff only, and only if you trust the maintainer. And to at least have a look if something suspicious is going on with the recent changes in the package recipe. AND to read in the communities and news. I don’t understand why there is still no official announcement as a warning from the Archlinux team at https://archlinux.org/news/ . Is there a different place for security news specifically about the AUR to subscribe to? EDIT: https://archlinux.org/news/active-aur-malicious-packages-incident/ They did it, an official message.
The fact that the Arch maintainers seem to prefer Reddit over their own fucking news channel is what made me switch from Arch years ago. I got sick of upstream breaking changes fucking my system because they wouldn’t notify people through official channels, only to find it later on /r/archlinux 🙄🙄🙄
What are you using now?
After the end of Win10 I moved to arch but I think my weekend will be filled with moving again. ^^
since the 2022 grub incident, Arch has done a great job at notifying the news channel when “manual intervention required” AFAIK, and I don’t remember any instances of Arch maintainers only notifying Reddit (and I don’t think they notified Reddit for the grub incident either lol).
It’s been 4 years already? WTF?
the arch news channel is for breaking changes to arch packages (so not the AUR) only. maybe you could subscribe to aur-general@lists.archlinux.org.
They are actually putting a message on the regular news feed about the AUR! https://archlinux.org/news/active-aur-malicious-packages-incident/ As it should be. It just took a bit too long in my opinion, as discussions have been going on since yesterday.
I was hoping to subscribe with RSS. Not sure how to subscribe there.
it’s a mailing list, so heads up, if you subscribe you’re also gonna get other discussion like the forums.
https://lists.archlinux.org/mailman3/lists/aur-general.lists.archlinux.org/
There were announcements and security ping in the arch Linux discord… But I wish they’d be more vocal on this outside discord especially given discord’s controversy as of late
There’s an official Arch Linux D*scord?
No it’s unofficial but it’s I believe the biggest/primary arch Linux community discord.
In their roles channel you can pick one to get security pings… major ones are typically also everyone pinged but some have those disabled
You’ll pry #archlinux from my cold dead hands
GOTDAMN
Wow that’s bad 🫢
(hopefully this doesn’t read as blaming the victims instead of the attackers but) I personally don’t think it’s that complicated to read the updates to AUR packages. It’s not any more hard than only commenting after reading the links that people post here instead of just the headlines—which we all do, right?
i wouldn’t know where to get the info in the first place. when i use windows update i also don’t read any changelog because that shouldn’t be the user’s job but the supplier’s










