• 12 Posts
  • 280 Comments
Joined 3 years ago
Cake day: June 8th, 2023

  • I’m not entirely sure I agree; I think the issue is with default settings.

    Like, you could use both yay and paru to diff the PKGBUILD of the most recent update and then read it, and then approve each. And I think that’s pretty helpful. But you could also just blindly accept the update with the right config or flag, and that is not a good practice.




  • Good question. I guess I might be using the wrong word when I say “orphan”, because I see the Arch wiki uses that term differently:

    Orphans are packages that were installed as a dependency and are no longer required by any package.

    https://wiki.archlinux.org/title/Pacman/Tips_and_tricks

    You can remove these manually, or if using an AUR helper like yay there are flags/settings you can use to delete them after the desired package was installed.

    However, what I was talking about was AUR packages that are unmaintained or do not have a maintainer anymore.

    I’m researching more at the moment.


  • The packages could be infected at any point.

    I guess the same could be said for literally any open source or freely distributed project.

    The difference is that this was a supply chain attack and, to my knowledge, required the package to be listed as orphaned unmaintained first so that the PKGBUILD could be modified to install malicious NPM packages.

    The community caught it quickly because it is possible to read both the PKGBUILD and the output of the update and, I think, it is fully resolved as of now.

    Basically, if one were to delete or replace orphaned packages then they wouldn’t have been infected.

    It is also possible to add a CVE scanner for AUR packages if reading the PKGBUILD is too much, I’m looking into how to do that now.

    All this is to say that you should check if you had an infected package, but I personally don’t think using the AUR is more risky than using a Flatpak.



  • This seems like a bullshit article using old data. But let’s take it at face value for the sake of argument.

    Perhaps we should prioritize water given to humans (which they require to live).

    Data centers have contaminated local water supplies, and often have a priority for access to free water.

    The question isn’t exactly the amount of water it takes to power “ai”. The real question is if we are actually aware of the cost for something which is not actually required to solve the problems of the world.



  • Niantic Spatial – a spin-off company from Niantic – announced its partnership with Vantor, a company that specialises in spatial detection software for drones, including those used by some militaries, in December.

    Vantor announced in February a deal with the US Army of up to US$217m for training software.

    If we don’t read and understand EULAs, Terms of Service, and Privacy Policies, we might help the government kill people.

    It’s somehow legal to make a 20-page contract for a digital service or game that states somewhere in it that it can be updated at any time, and because you are using it you agree to the terms and opt in to any updated terms.

    There is no government watchdog to protect consumers from this and if there were it only takes one rogue unconstitutional action for it to be dismantled and probably never get challenged in the legal system. The closest we have are advocacy groups like the EFF and they depend on people reading, using critical thinking, and giving a fuck.

    When the devs collaborate with the government and military or spread propaganda, games are political; all aspects of life are. I think they always were. Playing a game can now mean children get bombed. I think the sooner we come to these realizations the better.

    Data can be retained and used retroactively in any way the corporations that own the data see fit. That apparently also means selling that data to military contractors or using it to train models used for the military.

    Did anyone guess that a Pokémon game could be used to kill? I wonder how much blood money Nintendo/The Pokémon Company made off this?

    This is not enshittification, but weaponization, and we all need to pay attention because this will not be the last time it happens.