Comment by bilkow

1 day ago

Have you checked the install date? I'm not sure which are the compromised version numbers, but if they were installed before June 10 you're probably safe. (I think libgdata 0.18.1-5 used to be on the main repos in February, and has recently been downgraded to AUR, so you may be fine.)

Only packages from AUR have been compromised, meaning a normal update `pacman -Syu` won't install them; they'll only be installed by `makepkg` or AUR helpers (such as `paru`, which asks you to review the PKGBUILD diff).

Also, if you had installed a compromised version, uninstalling the packages is not enough; you'd probably need to reinstall your system and rotate all credentials. More info here and on the linked blog: https://discourse.ifin.network/t/400-aur-packages-compromise...

These were installed before June 10th, I am almost certain. I will read that link just to be safe!

Looking at my pacman cache, both of these versions existed on my system before June of this year, so I think I am okay.
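
The install-date check discussed in this thread can also be run against pacman's own log. The following is an added example, not part of the original comments: the function name `events_since`, the package names, the sample log lines and the year are all constructed, and it assumes the ISO-8601 timestamp format of current `/var/log/pacman.log` files.

```shell
#!/usr/bin/env bash
# Added example: list install/upgrade/reinstall events for watched packages
# that happened on or after a cutoff date, using pacman's log format:
#   [2025-06-12T10:15:32+0200] [ALPM] installed name (version)

# Constructed sample log (not real data; the year is an assumption).
sample_log() {
cat <<'EOF'
[2025-02-03T09:12:44+0100] [ALPM] installed example-lib (0.18.1-5)
[2025-06-08T21:40:02+0200] [ALPM] upgraded example-tool (1.2-1 -> 1.3-1)
[2025-06-12T10:15:32+0200] [ALPM] installed example-helper (2.0-1)
[2025-06-12T10:15:40+0200] [ALPM] installed unrelated-repo-pkg (5.1-2)
[2025-06-14T08:01:10+0200] [ALPM] removed example-helper (2.0-1)
[2025-06-15T18:30:00+0200] [ALPM] reinstalled example-tool (1.3-1)
EOF
}

# events_since CUTOFF(YYYY-MM-DD) "pkg1 pkg2 ..." < pacman.log
# Prints "date action package new-version" for every matching event.
events_since() {
  awk -v cutoff="$1" -v watch="$2" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    $2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded" || $3 == "reinstalled") && ($4 in want) {
      day = substr($1, 2, 10)            # ISO dates sort correctly as strings
      if (day >= cutoff) {
        ver = $NF                        # last field is the (new) version
        sub(/\)$/, "", ver); sub(/^\(/, "", ver)
        print day, $3, $4, ver
      }
    }'
}

# Offline demo on the constructed log.
sample_log | events_since 2025-06-10 "example-lib example-tool example-helper"

# On a real system, watch the currently installed foreign (AUR) packages:
#   events_since <cutoff-date> "$(pacman -Qmq | tr '\n' ' ')" < /var/log/pacman.log
```

`pacman -Qmq` only lists foreign packages that are still installed, so a package that was installed and later removed has to be added to the watch list by name.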