On 6/12/26 7:28 PM, Shauna Recto via tde-devels wrote:
Hi David,
Apologies, I should have elaborated a little more.
Yes, I am using Arch Linux. I don't use the AUR PKGBUILDs specifically for htdig; I just remembered that it is provided, and I wasn't sure how some of the dependencies that you provide in your PPA were built for Arch. It was a bit ago that I looked at the PPA, so I wasn't sure how to access it again. Arch being rolling release, I was just wondering if that dependency was built recently, but no, it was built in 2022, which shocked me a bit. https://mirror.ppa.trinitydesktop.org/trinity/archlinux/x86_64/htdig-3.2.0b6-11.1-x86_64.pkg.tar.zst
I should have looked into it more. I was just concerned about it and I didn't know how some of the non-TDE packages were built.
No worries,
Been on the IRC and lists following this for the past couple of days. The poisoning didn't really surface until 5/24/26 and involved miscreants picking up orphaned packages and then pushing poisoned commits at a fairly industrial scale.
AUR hasn't changed much in the 17 years I've used it -- but unfortunately the rest of the world has. I suspect we will see some new guardrails put in place to mitigate the issue.
The problem, and this isn't limited to AUR, is that many open-source projects, TDE included, rely to a fair extent on trust: that the users that have commit ability won't intentionally do something malicious. Where AUR got in trouble was that it was far too easy to become an anonymous member, pick up orphaned packages and start sending commits with no oversight.
That worked fine for 20 years. It's a shame all projects are having to take another look at the access they provide.
Were it up to me, I'd say completely verify each user. If a man (or woman) isn't willing to put their name behind their work, then the commit privileges should be limited accordingly.
But I appreciate that doesn't work world-wide, and there are legitimate reasons for those living in places where disclosing a name and location can also disclose how you reached the site to begin with and have repercussions.
While I can appreciate the concern, I also appreciate the gaping hole not knowing who is using your system poses. There is definitely a balance to be struck. I'm just glad I don't have to make the call on this one.
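One defender-side check that follows from the pattern described in the thread (orphaned packages adopted and then modified), as an added example and not code from the thread, the AUR or the TDE project: it audits a list of AUR package records against the maintainers you recorded at your last PKGBUILD review. The record shape follows the "results" list of an AUR RPC v5 `info` response; the package names, maintainer names, timestamps and the pin file are constructed here.

```python
import json
import time

# Constructed sample shaped like the "results" list returned by
# https://aur.archlinux.org/rpc/?v=5&type=info&arg[]=NAME (names and
# maintainers are made up; "Maintainer" is null for an orphaned package).
SAMPLE_RPC_RESULTS = json.loads("""[
  {"Name": "htdig", "Maintainer": "tde-builder", "LastModified": 1650000000},
  {"Name": "example-orphan", "Maintainer": null, "LastModified": 1600000000},
  {"Name": "example-adopted", "Maintainer": "new-user", "LastModified": 1779740800}
]""")

# Hypothetical pin file: maintainer seen when you last read each PKGBUILD.
PINNED_MAINTAINERS = {"htdig": "tde-builder", "example-adopted": "old-user"}

# Fixed "now" (mid 2026) so the sample run is reproducible.
NOW = 1780000000


def audit_aur_packages(results, pinned, now, recent_days=14):
    """Return (package, reason) pairs for packages whose PKGBUILD should be
    re-read before the next build: orphaned, adopted by someone other than
    the pinned maintainer, or modified within the last recent_days."""
    findings = []
    for pkg in results:
        name = pkg["Name"]
        maintainer = pkg.get("Maintainer")
        if maintainer is None:
            findings.append((name, "orphaned: no maintainer"))
            continue  # nothing to compare a pin against
        expected = pinned.get(name)
        if expected is None:
            findings.append((name, f"no pinned maintainer; current is {maintainer}"))
        elif maintainer != expected:
            findings.append((name, f"maintainer changed: {expected} -> {maintainer}"))
        if now - pkg["LastModified"] < recent_days * 86400:
            findings.append((name, f"modified within the last {recent_days} days"))
    return findings


if __name__ == "__main__":
    # With live data you would fetch the RPC response for `pacman -Qm` output
    # and pass time.time(); here the constructed sample is audited instead.
    for name, reason in audit_aur_packages(SAMPLE_RPC_RESULTS, PINNED_MAINTAINERS, NOW):
        print(f"{name}: {reason}")
```

A package that passes this audit is not known good; the check only narrows the list of PKGBUILDs you read before building.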