• starblursd@lemmy.zip
    11 hours ago

    There were announcements and a security ping in the Arch Linux community Discord… But I wish they’d be more vocal on this outside Discord, especially given Discord’s controversy as of late.

    Update: they finally posted about it in the Arch news feed last night… A bit late but better than never. npm removed the malicious package, but then the bad actors started using Bun instead…

    As others have proposed, I really think that orphaned packages should require a moderator of the AUR to approve the commit and acquisition of an orphaned package. Currently nothing stops someone from spinning up accounts and hijacking these abandoned projects.

      • starblursd@lemmy.zip
        2 days ago

        No, it’s unofficial, but it’s, I believe, the biggest/primary Arch Linux community Discord.

        In their roles channel you can pick one to get security pings… Major ones are typically also everyone-pinged, but some have those disabled.