undefined | Better HN

0 pointsakerl_8mo ago0 comments

This feels like a non-sequitur.

Yes, the AUR is user-provided content. Yes, system administrators are responsible for being aware of what they’re installing. You can find many comments from me on this page discussing that.

An attacker being detected using an official service hosted by Archlinux for user-managed packages to push malware is still noteworthy.

0 comments

homebrewer8mo ago

I guess we have very different takes on this; I wouldn't expect Slack or WhatsApp to publish security advisories if one of their users used them to spread malware among a tiny cohort of other users, which is about the right level of responsibility Arch places on itself (and it's very clear about this) w.r.t AUR.

akerl_OP8mo ago

I think you’re correct. I see a fundamental difference between services like slack and WhatsApp which provide messaging services and hosted platforms like the AUR where content is submitted and then republished on a site administered by the project.

j / k navigate · click thread line to collapse