• progandy@feddit.de
      link
      fedilink
      arrow-up
      3
      ·
      8 months ago

      Those getting the most recent software versions, so nothing that should be running in a server.

    • Laser@feddit.de
      link
      fedilink
      arrow-up
      2
      ·
      8 months ago

      Fedora 41, Fedora Rawhide, Debian Sid are the currently known affected ones AFAIK.

    • flying_sheep
      link
      fedilink
      arrow-up
      1
      ·
      8 months ago

      I think it needs to be

      • rolling release (because it was caught so quickly that it hasn’t made its way into any cadence based distro yet)
      • using the upstream Makefile task to build a RPM or DEB (because the compromised build script directly checks for that and therefore doesn’t trigger for a destdir build like Gentoo’s or Arch’s)
      • using the upstream provided tarball as opposed to the one GitHub provides, or a git clone (because only that contains the compromised Makefile, running autotools yourself is safe)

      Points 1 and 2 mean that only rolling release RPM and DEB distros like Debian Sid and Fedora are candidates. I didn’t check if they use the Makefile and the compromised tarballs.