No it shouldn't. You don't break everyone's workflow just because some people refuse to take basic security advise seriously.

> New API should have infrastructure for informing users and making sure they've read the message before proceeding.

How would that even work? AUR packages are just git repos, everything that AUR helpers are doing or not doing is not under the control of the arch maintainers.

▲

harvie 2 hours ago | parent [-]

> How would that even work?

Are you seriously asking how would sharing short text notes over internet work?

If you need to be 100% git-centric, you can have git repo for messages. Client will then remember last commit displayed to user and refuse to continue unless latest message was displayed.

BTW some AUR clients displayed ArchLinux RSS feed before... Too sad the issue is not even mentioned in the RSS feed...

▲

kpcyrd 2 hours ago | parent | next [-]

There's no shortage in ideas of how to make the AUR easier to moderate. A "quarantine button", an invite system, a request system for adoption similiar to how orphan requests work, code review attestations similiar to cargo-crev, pacing controls similiar to those in discourse.

There is a shortage however of people skilled enough to implement them (with available time to do so).

What we also don't have a shortage of is angry people in comment sections.

▲

hypfer 42 minutes ago | parent [-]

People have all right to be angry if basic responsible adult things like "quarantine the server spreading large amounts of malware" do not happen within the reasonable timespan that passed.

Not even a news. A hint. Nothing. Radio silence.

___

There is a house. It is currently on fire (since over 24h). So far, people have talked about how, conceptually, house fires are bad.

You can still enter the house just fine.

People saying "hey what about locking the door to not trap more people in it" are being shunned for the crime of breaking someones workflow.

The owner of said house is nowhere to be seen.

Passerbys stating "oh my god that house is on fire! get water!" are either ignored or reminded that there is no problem and they should move along.

___

Idk man. I don't think any of this is real.

And I don't even use arch, lol. And after this thing exposed the institutional rot, neither should you or really anyone.

Unless you like ending up locked inside a house fire. I guess they provide warmth in the cold harsh reality of the 2026 internet.

▲

kpcyrd 7 minutes ago | parent [-]

The server actually hosting the rootkit executable is npmjs.com, run by a for-profit company, and they still take about 24h to act on our reports, while reported AUR packages have been processed in about 1-2h by people that work unrelated dayjobs on top of this, to self-subsidize their open source work.

Sorry you're displeased with us not writing blogposts faster on top of all this. The situation is already exhausting enough without people like you.

	▲	hypfer a minute ago \| parent [-]
		Look, man, I understand all that, but pulling the plug is something that takes at most 90s. Let's say 300s to add the "Warning: There is an attack. We're working on it. Systems are down for now" box After that, you have all the time in the world to prioritize dayjobs etc. It's not about dropping everything and fixing the root cause. It's just about taking stuff offline so that the immediate danger is mitigated. That is not too much to ask. It's not "people like me" having weird opinions there. Shut it down. Then fix whenever there is time to do so.

▲

Tharre 2 hours ago | parent | prev [-]

You seem confused about how the AUR works. There is no "client" like you're talking about that can show the user anything.

There are AUR helpers, but these are completely unaffiliated with arch and the people running the AUR. The canonical, recommended way of installing arch packages is cloning a git repo, reading through the sources and then building it with makepkg. There is no client there that could show the user anything.

▲

harvie an hour ago | parent [-]

how comes gitlab shows custom messages to my plain old git client then?

for example when you rename gitlab repository, or push to new branch, gitlab injects custom text that you can see. Eg. with new URL or where you can create merge request on web, etc...

	▲	Tharre an hour ago \| parent [-]
		I assume you're talking about the "remote: " messages? I've only ever seen those on push operations, not sure if they're even available for clone. Maybe they'd be an option, but then the whole "making sure they've read the message before proceeding" part goes out the window.