We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository.

We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed. While this is happening, and while we work to create a more permanent solution, users may see issues with the following:

• Creating new accounts on the AUR
• Pushing package updates
• Adopting or creating new packages

We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time. If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information.

Recently we held our leader elections and after a lively discussion period on the (internal) mailing lists and voting phase with two candidates Levente "anthraxx" Polyák was re-elected as Arch Linux Project Lead.

As per our election rules he is re-elected with the term lasting two years.

The role of of the project lead within Arch Linux is connected to a bunch of responsibilities regarding decision making (when no consensus can be reached), community leadership, Code of Conduct enforcement, handling financial matters with SPI and overall project management tasks.

Congratulations to Levente, thank you for stepping up …

The Varnish project has renamed itself to Vinyl Cache. We followed this rename with a new vinyl-cache package. This upgrade results in breaking changes and users are advised to study these changes and how it affects them before following the replacement. All references to "varnish" have been changed to "vinyl" in all binaries and directories.

At minimum, users will have to:

• rename /etc/varnish to /etc/vinyl-cache
• rename /var/lib/varnish to /var/lib/vinyl-cache
• fix up ownership of files inside /var/lib/varnish
• user varnish becomes vinyl
• group varnish becomes vinyl
• user varnishlog …

The kea package has moved all services to run as a dedicated kea user (instead of root) for improved security. This change requires permission updates to the runtime files created by the kea services.

Users upgrading from an existing kea installation should therefore run the following commands after the upgrade:

chown kea: /var/lib/kea/* /var/log/kea/* /run/lock/kea/logger_lockfile

systemctl try-restart kea-ctrl-agent.service kea-dhcp{4,6,-ddns}.service

Accounts that need to interact with kea services files (e.g. lease files under /var/lib/kea, log files under /var/log/kea or configuration files under /etc/kea) should be added to the kea group.

The old iptables-nft package name is replaced by iptables, and the legacy backend is available as iptables-legacy.

When switching packages (among iptables-nft, iptables, iptables-legacy), check for .pacsave files in /etc/iptables/ and restore your rules if needed:

• /etc/iptables/iptables.rules.pacsave
• /etc/iptables/ip6tables.rules.pacsave

Most setups should work unchanged, but users relying on uncommon xtables extensions or legacy-only behavior should test carefully and use iptables-legacy if required.