this post was submitted on 29 Mar 2024
367 points (99.7% liked)

Arch Linux

[–] SuperIce@lemmy.world 11 points 7 months ago (1 children)

To be fair, the backdoor only gets enabled when built as an RPM or Deb package, which doesn't apply to Arch Linux, and also requires OpenSSH to be linked to liblzma, which is also not the case on Arch. So from what we know so far, the Arch packages should not have had the vulnerability. The risk now is whether there are other vulnerabilities or backdoors that haven't been discovered, which is why Arch made the update building directly from the git source instead of the known modified source tarball.
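
One way to check the linkage condition described in the comment above on a given machine, as an added example that is not part of the original comment: the script asks `ldd` for a binary's resolved shared libraries and looks for liblzma. The function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a binary's resolved shared-library set include liblzma?
# ldd resolves the whole dependency tree, so a liblzma that is pulled in
# indirectly through another library is reported as well.
# Only run ldd on binaries you trust (e.g. the system's own sshd).

# Constructed sample ldd output, used for an offline self-check.
SAMPLE_LINKED='	linux-vdso.so.1 (0x00007ffd0a1f2000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f10a2a00000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f10a29c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f10a2600000)'
SAMPLE_UNLINKED='	linux-vdso.so.1 (0x00007ffd0a1f2000)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f10a2a00000)
	libz.so.1 => /usr/lib/libz.so.1 (0x00007f10a29c0000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f10a2600000)'

# links_liblzma: read ldd output on stdin; return 0 if liblzma is listed.
links_liblzma() {
    # First field of a dependency line is the soname, e.g. "liblzma.so.5".
    awk '$1 ~ /^liblzma\.so(\.[0-9]+)*$/ { found = 1 } END { exit !found }'
}

# check_binary PATH: print a one-line verdict.
# Returns 0 = liblzma linked, 1 = not linked, 2 = could not inspect.
check_binary() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "$bin: not found or not executable"
        return 2
    fi
    # ldd exits non-zero for static binaries and non-ELF files.
    out=$(ldd "$bin" 2>/dev/null) || {
        echo "$bin: not a dynamic executable"
        return 2
    }
    if printf '%s\n' "$out" | links_liblzma; then
        echo "$bin: liblzma is in the resolved dependency set"
        return 0
    fi
    echo "$bin: liblzma is not linked"
    return 1
}

# When paths are given on the command line, check each one.
if [ "$#" -gt 0 ]; then
    for b in "$@"; do check_binary "$b" || true; done
fi
```

Run it as `sh check.sh "$(command -v sshd)"`, where `check.sh` is whatever name the script was saved under.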