Hi,
There has been an attack in regard to the AUR.
https://archlinux.org/news/active-aur-malicious-packages-incident/
There has been a list of all the packages affected.
https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/message/5FDTMKA54RMWNRHJFUAKXEBAFV5WPDUL/
I don't know how you build the htdig package, but it was listed when I was checking for malicious packages. I just don't know if the package you provide would be affected by it, even though I would assume none of you use the AUR to build it.
Regards, Shauna
On 6/12/26 3:53 PM, Shauna Recto via tde-devels wrote:
Shauna,
Unless you are using Arch (or one of the variants) and you are building the package from AUR, then that should not be a concern. There should not be any mainstream projects that use automated tools to pull packages from AUR and automatically incorporate them in a TDE package in a continuous-integration type setup.
The AUR event is unfortunate and, thanks to the dedicated mods, appears to be largely controlled. The complete package list of reverted package commits should be https://md.archlinux.org/s/SxbqukK6IA (1579 packages and counting...)
The issue surrounds a poisoning of the build scripts (the PKGBUILD), which involves updating those files to include post-install hooks to run poisoned npm installers. npm is an over-achiever to be sure.
There shouldn't be any TDE packages hosted on or pulling dependencies directly from AUR. In the past the Arch TDE packages were hosted on AUR (a decade ago?), but that is no longer the case. A quick check shows no TDE (or Trinity Desktop) packages remain on AUR. (There is a TelegramDesktop, but it's unrelated.)
Whoever maintains the Arch TDE build scripts can confirm, but this should not impact TDE.
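As an added example (not code from the thread, from TDE, or from Arch), here is a small pre-build audit that pulls the top-level shell functions out of a PKGBUILD and its .install file and flags install hooks that fetch or run remote code, the pattern David describes above. The two sample files are constructed for the example; the package name, URL and npm package are placeholders.

```python
import re

# Constructed sample pair (PKGBUILD + .install) modelled on the pattern described in the
# thread: an install hook that runs an npm installer. Not copied from any real AUR commit.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.0
install=$pkgname.install
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
build() {
  cd "$pkgname-$pkgver"
  make
}
"""
SAMPLE_INSTALL = """\
post_install() {
  npm install -g some-installer-package >/dev/null 2>&1 || true
}
post_upgrade() {
  post_install
}
"""

# Hooks pacman runs as root on the installing host, outside any build chroot.
HOST_HOOKS = {"pre_install", "post_install", "pre_upgrade", "post_upgrade", "pre_remove", "post_remove"}

# Commands that fetch and execute remote code; none belong in a package's install hooks.
SUSPICIOUS = [
    re.compile(r"\bnpm\s+(install|i|exec)\b"),
    re.compile(r"\bnpx\b"),
    re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b"),
    re.compile(r"\bbase64\s+(-d|--decode)\b"),
]

# Top-level bash functions written as `name() {` with the closing brace at column 0.
FUNC_RE = re.compile(r"^(\w+)\s*\(\)\s*\{\n(.*?)^\}", re.M | re.S)

def extract_functions(text):
    """Map each top-level shell function name to its body text."""
    return {m.group(1): m.group(2) for m in FUNC_RE.finditer(text)}

def audit(pkgbuild, install_file):
    """Return (function, scope, line) for every suspicious command in either file."""
    findings = []
    funcs = {**extract_functions(pkgbuild), **extract_functions(install_file)}
    for name, body in funcs.items():
        scope = "host-hook" if name in HOST_HOOKS else "build"
        for line in body.splitlines():
            if any(p.search(line) for p in SUSPICIOUS):
                findings.append((name, scope, line.strip()))
    return findings
```

Run `audit()` over a checked-out AUR package directory before `makepkg`; anything reported under `host-hook` executes as root on the installing machine, not in the build environment.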
On Sat, Jun 13, 2026 at 1:09 AM David C Rankin via tde-devels <devels@trinitydesktop.org> wrote:
Hi David,
Apologies, I should have elaborated a little more.
Yes, I am using Arch Linux. I don't use the AUR PKGBUILDs specifically for htdig; I just remembered that it is provided, and I wasn't sure how some of the dependencies that you provide in your PPA were built for Arch. It was a bit ago that I looked at the PPA, so I wasn't sure how to access it again. Arch being rolling release, I was just wondering if that dependency was built recently, but no, it was built in 2022, which shocked me a bit. https://mirror.ppa.trinitydesktop.org/trinity/archlinux/x86_64/htdig-3.2.0b6-11.1-x86_64.pkg.tar.zst
I should have looked into it more. I was just concerned about it and I didn't know how some of the non-TDE packages were built.
Regards, Shauna
On 6/12/26 7:28 PM, Shauna Recto via tde-devels wrote:
No worries,
Been on the IRC and lists following this for the past couple of days. The poisoning didn't really surface until 5/24/26 and involved miscreants picking up orphaned packages and then pushing poisoned commits at a fairly industrial scale.
AUR hasn't changed much in the 17 years I've used it -- but unfortunately the rest of the world has. I suspect we will see some new guardrails put in place to mitigate the issue.
The problem, and this isn't limited to AUR, is that many open-source projects, TDE included, rely to a fair extent on trust: that the users who have commit ability won't intentionally do something malicious. Where AUR got in trouble was that it was far too easy to become an anonymous member, pick up orphaned packages and start sending commits with no oversight.
That worked fine for 20 years. It's a shame all projects are having to take another look at the access they provide.
Were it up to me, I'd say completely verify each user. If a man (or woman) isn't willing to put their name behind their work, then the commit privileges should be limited accordingly.
But, I appreciate that doesn't work world-wide, and there are legitimate reasons for those living in places where disclosing a name and location can also disclose how you reached the site to begin with and have repercussions.
While I can appreciate the concern, I also appreciate the gaping hole not knowing who is using your system poses. There is definitely a balance to be struck. I'm just glad I don't have to make the call on this one.