• @[email protected]
      link
      fedilink
      39 months ago

      Those getting the most recent software versions, so nothing that should be running in a server.

    • @[email protected]
      link
      fedilink
      19 months ago

      I think it needs to be

      • rolling release (because it was caught so quickly that it hasn’t made its way into any cadence based distro yet)
      • using the upstream Makefile task to build a RPM or DEB (because the compromised build script directly checks for that and therefore doesn’t trigger for a destdir build like Gentoo’s or Arch’s)
      • using the upstream provided tarball as opposed to the one GitHub provides, or a git clone (because only that contains the compromised Makefile, running autotools yourself is safe)

      Points 1 and 2 mean that only rolling release RPM and DEB distros like Debian Sid and Fedora are candidates. I didn’t check if they use the Makefile and the compromised tarballs.