You are not logged in.
Pot plant was and is busy, but was aware of the AUR hack issue.
Pot plant notice that all packages that were compromised were the orphans ones.
Pot plant happy, plants doesn't use orphan packages and always read PKGBUILD, or diffs of it. If plants saw something strange in the diff equals to pot plant checking full PKGBUILD.
Pot plant talks like Yoda because is tired, really tired :C , but wants to check if the computer is not with something wrong on it.
Pot plant read all of this post https://bbs.archlinux.org/viewtopic.php?id=313892 . Took a while, wanna post on it but was tired and busy and was unable to make questions, but was aware of the issue in the background.
Pot plant found this: https://md.archlinux.org/s/SxbqukK6IA Also Seth sent it in the previous thread linked. [ Is this the updated version of the packages compromised ?]
Pot plant checked if by some reason his browser made by the creator of java script was on the list. it doesn't. But found some android ones:
android-backup-extractor
android-docs
android-google-play-apk-expansion
android-google-play-licensing
androidscreencast-bin
android-signapk
android-signapk-gui
android-support-repositoryPot plant was force to program in android, have some android tools, but none of those are on the compromised list:
Pot plant android packages:
android-emulator 36.5.11-1
android-sdk-cmdline-tools-latest 20.0-1
android-sdk-platform-tools 37.0.0-1
Those pacakges are in the android arch wiki btw !Pot plant doesn't remember if those packages used some dependencies of the ones that are compromised during the installation process. Doesn't seems to be, but he hasn't checked the PKGBUILDS of his pacakges now, he is so tired and busy that just stopped to update packages since the incident, but his intuition said to him that those packages are not in the ones that the kingdom of pot plants uses to develop android applications.
Pot plant ask help for it, just to be sure that his AUR packages are not linked in any sense with the ones compromised.
Pot plant just updated Java script browser when the incident happened.
Pot plant is tired and now is going to take a nap. Is not going to talk liike Yoda after the nap by the way.
Thanks for the help in advance ^^
Last edited by Succulent of your garden (2026-06-21 18:00:58)
str( @soyg ) == str( @potplant ) btw!
Also now with avatar logo included!
Online
Pot plant ask help for it, just to be sure that his AUR packages are not linked in any sense with the ones compromised.
You want someone to review recursively all the none official repository dependencies of the listed versions of those three packages? As has already been pointed out in the thread you linked the malicious commits have been reverted and not every AUR commit includes a pkgver update. So it is difficult to know what PKGBUILDS you may have used just by looking at what is in AUR now. You are asking for potentially a very large amount of human review especially if you have sued a range of versions of those three packages.
Offline
Hi loqs
I just made the installation of those like two months ago basically, as the arch wiki said are necessary to do some android development stuff [Mostly the emulation in my case] https://wiki.archlinux.org/title/Androi … evelopment
I notice that the packages usually doesn't get updated frequently, as you can see this https://aur.archlinux.org/packages/andr … form-tools and this https://aur.archlinux.org/packages/andr … ols-latest had been updated before the attack [I'm checking this now also I'm really tired guys, I need like a full weekend and plus some days to recover well, which I'm going to have in a week and a half]. It just this one https://aur.archlinux.org/packages/android-emulator that has been updated recently and currently not having updated it.
So from a certain point of view I just can say: I'm okey and fine because my Android AUR packages has not been updated before the attack
BUT
You want someone to review recursively all the none official repository dependencies of the listed versions of those three packages?
Well yesn't to be honest. I think I understood what you said to me, like in the end I should be like checking to each dependency his version in the day of installation of the android packages, and checked if it was malicious or not. But as I had notice before, every dependency that the package needed it get's installed by the AUR just in the case the dependency was not installed by pacman in the official repos before right ? Am I wrong to say if I use pacman -Qem to check all my packages installed outside from the main repos of Arch Linux, and if I don't see any dependency of my AUR packages listed on it. Then it means that I use the dependencies of the official repos to build the software ?
Sorry if I had made english errors, I'm really tired writtin this. Nap didn't helped too much.
str( @soyg ) == str( @potplant ) btw!
Also now with avatar logo included!
Online
So from a certain point of view I just can say: I'm okey and fine because my Android AUR packages has not been updated before the attack
Yes. However the AUR maintainers deleted the harmful commits from some of the affected packaged so you can not rely on the git history shown on AUR.
loqs wrote:You want someone to review recursively all the none official repository dependencies of the listed versions of those three packages?
Well yesn't to be honest. I think I understood what you said to me, like in the end I should be like checking to each dependency his version in the day of installation of the android packages, and checked if it was malicious or not.
Yes that is what I meant.
But as I had notice before, every dependency that the package needed it get's installed by the AUR just in the case the dependency was not installed by pacman in the official repos before right ?
Yes. The issue is if you used an AUR helper that installed those missing dependencies for you you without you possibly even being aware of it.
Am I wrong to say if I use pacman -Qem to check all my packages installed outside from the main repos of Arch Linux, and if I don't see any dependency of my AUR packages listed on it. Then it means that I use the dependencies of the official repos to build the software ?
Yes and no. `pacman -Qem` only shows packages currently installed that are marked as explicitly installed and come from a repository so it does not cover for example makedepends that might have been installed to build a package then removed after the build or packages installed with --asdeps.
Last edited by loqs (2026-06-21 22:34:46)
Offline