The problem with these supply-chain / watering-hole attacks is the reputation hit is harder to deal with.
If anyone thinks they’ll stop using an AUR package and just install a container, flatpak, etc… they can still be vulnerable, but they’re not using AUR, NPM, etc…
I just hope there were enough forensics to make a sensible improvement in security policies & procedures, rather than just guessing what to do next, and then AUR will be stronger for it.