this post was submitted on 29 Mar 2024
Arch Linux
To be fair, the backdoor only gets enabled when built as an RPM or Deb package, which doesn't apply to Arch Linux, and also requires OpenSSH to be linked to liblzma, which is also not the case on Arch. So from what we know so far, the Arch packages should not have had the vulnerability. The risk now is whether there are other vulnerabilities or backdoors that haven't been discovered, which is why Arch made the update building directly from the git source instead of the known modified source tarball.
This is a Linux community, we are not here to be fair???