
Comment Re:Coding AI vs "Many Eyes" (Score 1) 38

AUR hosts few-lines-long "PKGBUILD" script files uploaded by just anyone (who may not have written any substantial software ever), and that is an entirely different scenario than open source projects of significant size where it is realistic to assume more than one pair of eyes has looked at each commit.

There are certainly also "open source devs" that irresponsibly include libraries from wherever, but that is a completely different topic unrelated to AUR. And unlike for closed source, in both scenarios users are technically and legally allowed to review the foreign code, and encouraged to do so.

Comment Not AMD's first SCAM, remember ECC? (Score 3, Informative) 54

This is not the first time AMD intentionally misleads customers on what their CPUs actually implement (although it is the first time I remember where a previously existing feature was stolen from existing customers). Remember how the AMD 8700G was documented to support (real, not just on-chip) ECC for its memory? Both AMD and their board partners advertised this feature when the CPU was new. Only for customers to find out after buying that it wasn't there. With AMD offering nothing in compensation, and claiming that they changed their documentation right before the first shipments were done (while board partners like Asus still advertised real ECC capability for the 8700G years after it was released).

Let's face it, AMD has for a long time not been the "underdog" who plays fair with customers to get a reputation. Now that they had some years of success, they give a damn about their reputation, and will continue to scam their customers as they please.

Comment AI investments may not be meant to "pay off" (Score 5, Insightful) 65

Of course those currently investing other people's money into AI infrastructure cannot say that part out loud just yet, but there may be no intention to make AI investments "profitable" in the classical sense. If you are convinced that AI will perform thinking better and cheaper than humans, and Robots will perform physical work better and cheaper than humans, then trying to collect money from "customers" becomes obsolete at some point. As soon as the army of robots can produce what their owners need, including more robots, there is no reason to pay back any original investors, or to try to become "profitable".

We have already seen how normal "consumers" have become irrelevant as customers, we have seen how "retail brokerage" customers have become irrelevant as "investors", and the next stage has already begun, where the world economy is shaped to address the needs of AI/robots, not the needs of puny humans.

Comment Re:Many eyes (Score 1) 38

"Indoctrinated" in what regard by which "cult"? Are you yet another drive-by commenter with no idea what AUR is, and more importantly, what it is not? Can you cite any source that claimed "many eyes" are reviewing build scripts uploaded to AUR?

If we want to talk about indoctrination, we could ask why the title of this article is "Arch Linux Malware Incident". That is as misleading as if somebody wrote an article about "Slashdot Malware Incident" just because some commenter posted base64-encoded viruses in 100 Slashdot comments.

Comment Re:Coding AI vs "Many Eyes" (Score 1) 38

"Many Eyes" is a good thing, but it's been oversold.

Who said that files on AUR were reviewed by "many eyes"? AUR is specifically a repository for software only very few people want to install, so it is not unlikely that you are the only one to review an AUR build script (after the uploader).

Having coding AIs scan everything will probably work out better in the long run. We're only at the early days, coding AI are also oversold in their own way, but it's a safe bet they will get better over time.

The many "security issues" LLM based bots have recently found were programming bugs that nobody intended to hide - but which were non-obvious enough that they slipped through normal reviews. I would not expect contemporary "AI tools" to find malware that has been intentionally hidden in the code.

Comment Re:AUR (Score 1) 38

As an Arch user, I have looked into files on AUR a few times for a quick hint on what others did to compile a certain software for Arch. For that purpose, AUR is somewhat useful. If people like the risk of installing stuff from a random source on the Internet, they will find ways to do so, whether AUR existed or not. At least AUR does tell people they should rather review the few lines that the build scripts there consist of.

Comment Re:Talk about a productivity boost from AI (Score 1) 38

No reactions yet? My main question is which AI was used for so many attacks in such a short time.

This "attack" does not require technical competence or "AI" for automation. Allowing volunteers to take ownership of existing "AUR" packages may have had good intentions, but it was also an invitation for the scum to abuse this mechanism to spread malware to less cautious AUR users. There is a reason why the official Arch packages are not as easily handed to the first one to offer maintenance.

Comment Good example for why not to rely on US services (Score 2) 56

This should teach even the most gullible of politicians around the world that single-sourcing your brain substitute from a US service is really really stupid. People will need to host their own LLMs... or at least permanently load-balance between using LLMs from N different countries. And yes, I am assuming here that human brain atrophy due to habitual LLM use will make people entirely dependent on such technology.
