> You do realize that the people relying on the service also get served malware, right? The service is already disrupted.
Huh? No they don't. I'm not sure what part of the attack you misunderstood, but most people are going to be completely unaffected by this. None of the infrastructure or anything like that got compromised. I updated my AUR packages 2 hours ago, and didn't get served any malware.
Again, there's probably some kind of malware on npmjs at any given time. You don't just shut down the entire server because of that, that's madness.
As said, I don't think discussing this makes sense, as our perceptions of reality seem to be fundamentally incompatible.
But regardless, let's try a different perspective: PR/Public perception
The moment multiple well-known media outlets start publishing a story stating that "stuff is happening", the situation changes.
At that point, regardless of how you personally feel about this, the narrative is "people are affected".
This forces your hand. Which is not(!) to say that it would mean that you would have to accept what the media says. The media could be full of shit talking nonsense. *But* at that point, you need to either correct them, or do the correct action as per their narrative.
____
I don't think that PR/Public perception is the main relevant perspective here - in fact I'm just mentioning it, because all the much stronger, much more technical arguments seem to be lost on you.
But there you go.
Your argument makes no sense, because "ackschually I'm unaffected" is just Russian roulette survivorship bias, but even if it _would_ make sense, the system logic of the next outer layer cans that take.
____
Anyway. The fact that people (not just you, mind you) are so busy playing "well ackschually" while there is an active wormable attack going on is precisely why I said "institutional rot". Although, I think I need to correct that to "cultural rot".
Priorities are broken. The wrong metrics are being optimized here.
I would love to hear more about this from the actual Arch maintainers instead of random users with opinions, but.. not sure where that communication would be. I didn't find any. And I did go looking!
___
Edit 50m later:
https://archlinux.org/news/active-aur-malicious-packages-inc...
Thank you!