This is a reminder to everyone to only install from the AUR for absolutely necessary stuff only, and only if you trust the maintainer.
Unfortunately not foolproof either. I have no infected packages that I know of because I happen to be on a new install, but I caught wind of the LAST AUR botnet infiltration and switched to flatpaks or source builds. Since then I drifted back to AUR for convenience. I thought I was being clever only using AUR packages when I could be “sure” the author of the original software package pushed to AUR, and this was easy since devs who build on Arch typically recommend AUR whether they maintain the package or not. Today I found out spoofing package ownership is apparently easy and so is spoofing git credentials.
I was on Endeavour and it was incredible, but I’m not That Power User and I feel like part of the problem. The worst part of all of this is its owing to an influx of users who want the same ease of use they used to enjoy, but in Windows SOP is installing whatever the fuck you want on Internet Explorer and bugging your sysadmin to fix whatever happens. Its probably really hard to be any kind of FOSS developer right now.
Unfortunately not foolproof either. I have no infected packages that I know of because I happen to be on a new install, but I caught wind of the LAST AUR botnet infiltration and switched to flatpaks or source builds. Since then I drifted back to AUR for convenience. I thought I was being clever only using AUR packages when I could be “sure” the author of the original software package pushed to AUR, and this was easy since devs who build on Arch typically recommend AUR whether they maintain the package or not. Today I found out spoofing package ownership is apparently easy and so is spoofing git credentials.
I was on Endeavour and it was incredible, but I’m not That Power User and I feel like part of the problem. The worst part of all of this is its owing to an influx of users who want the same ease of use they used to enjoy, but in Windows SOP is installing whatever the fuck you want on Internet Explorer and bugging your sysadmin to fix whatever happens. Its probably really hard to be any kind of FOSS developer right now.