• flying_sheep
    link
    fedilink
    arrow-up
    1
    ·
    9 months ago

    I think it needs to be

    • rolling release (because it was caught so quickly that it hasn’t made its way into any cadence based distro yet)
    • using the upstream Makefile task to build a RPM or DEB (because the compromised build script directly checks for that and therefore doesn’t trigger for a destdir build like Gentoo’s or Arch’s)
    • using the upstream provided tarball as opposed to the one GitHub provides, or a git clone (because only that contains the compromised Makefile, running autotools yourself is safe)

    Points 1 and 2 mean that only rolling release RPM and DEB distros like Debian Sid and Fedora are candidates. I didn’t check if they use the Makefile and the compromised tarballs.