Package Details: noisetorch 0.12.2-2

Git Clone URL: https://aur.archlinux.org/noisetorch.git (read-only)
Package Base: noisetorch
Description: Real-time microphone noise suppression on Linux.
Upstream URL: https://github.com/noisetorch/NoiseTorch
Licenses: GPL3
Provides: noisetorch
Submitter: erbrecht
Maintainer: g3tchoo
Last Packager: Scrumplex
Votes: 65
Popularity: 0.25
First Submitted: 2020-12-11 15:09 (UTC)
Last Updated: 2022-10-21 16:23 (UTC)

Latest Comments


jpegxguy commented on 2022-05-30 20:32 (UTC)

I just found out about the upstream maintainer's email. What a rude individual, lmao.

It's funny how they think their opinion should matter when it comes to an open source project like this.

Removing that line does not constitute a fork, wtf.

Scrumplex commented on 2022-05-29 21:01 (UTC)

Switched the package to the new repository. Also added a disclaimer when installing/upgrading the package.

gileri commented on 2022-05-27 21:34 (UTC)

@lectrode : done

lectrode commented on 2022-05-21 21:37 (UTC) (edited on 2022-05-21 21:38 (UTC) by lectrode)

Progress of the binary and code review of noisetorch can be found here:

https://github.com/noisetorch/NoiseTorch/discussions/275

timschumi commented on 2022-05-19 10:42 (UTC)

I updated the package to 0.11.6 as there were no code changes between 0.11.5 and 0.11.6. So in any case it doesn't really matter. It was basically just a version bump to notify users about this. I don't have any convenient tools to tell people about problems with upstream.

Fair thought (although I'd argue that making users wonder why the package isn't yet updated to 0.11.6 and letting them inquire that would be more effective than just silently pushing through the update :P).

Also, if there is still a chance that the compromise is still going on, it is probably a good idea to lock the revision to a Git SHA1 instead of a tag. Even though I hope that makepkg would choke on that, tags can change (not to mention new users, who don't have an existing checkout and therefore can't detect tag changes).

I just deleted the vendor directory and ran go mod vendor and got the exact same tree again (no changes in Git). So seems like they are fine. At least as long as the go.mod is fine.

I can confirm the same results, but I haven't yet checked go.mod either.

Also, the files in the c/ directory look pretty vendored (although still reasonably auditable compared to the Go vendor directory), don't they?
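The two checks discussed in this thread, pinning the PKGBUILD source to a commit instead of a tag and confirming that the committed vendor/ tree is exactly what `go mod vendor` regenerates, written out as a small audit script. This is an added example and not code from the noisetorch PKGBUILD or from NoiseTorch; the function names and the repository argument are assumptions, and it needs git, the go toolchain and network access for the second check.

```shell
#!/bin/sh
# Added example (not part of the noisetorch PKGBUILD or of NoiseTorch):
# two pre-build checks for a Go package whose upstream may be compromised.

# Succeed (0) only if a PKGBUILD source= entry pins the git checkout to a full
# 40-hex commit via "#commit=...". A "#tag=" or "#branch=" fragment, or no
# fragment at all, is a movable reference: upstream can re-point it, and a
# user doing a fresh clone has no earlier checkout to notice the change.
source_is_pinned() {
    entry="$1"
    case "$entry" in
        *'#commit='*)
            ref="${entry##*'#commit='}"
            ref="${ref%%\?*}"          # drop a trailing "?signed" option
            printf '%s\n' "$ref" | grep -Eq '^[0-9a-f]{40}$'
            ;;
        *) return 1 ;;
    esac
}

# Succeed (0) only if re-running "go mod vendor" in a clean clone reproduces
# the committed vendor/ tree byte for byte, as described in the comments above.
# Works in a temporary clone so the packager's checkout is untouched; needs
# git, the go toolchain and network access. Caveat from the thread: this
# proves vendor/ matches go.mod and go.sum, not that those two files are
# themselves trustworthy.
vendor_is_reproducible() {
    repo="$1"
    tmp="$(mktemp -d)" || return 1
    git clone --quiet "$repo" "$tmp/src" || { rm -rf "$tmp"; return 1; }
    (
        cd "$tmp/src" || exit 1
        rm -rf vendor
        go mod vendor >/dev/null 2>&1 || exit 1
        # Any output here means a vendored file differs from what
        # go.mod/go.sum produce: an edited or injected dependency.
        [ -z "$(git status --porcelain -- vendor)" ]
    )
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Run `source_is_pinned` on each `source=` entry of the PKGBUILD and `vendor_is_reproducible` on the upstream clone URL; a non-zero status from either is a reason not to build.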

Scrumplex commented on 2022-05-19 10:34 (UTC) (edited on 2022-05-19 10:34 (UTC) by Scrumplex)

EDIT: Also, confirming that the vendored dependencies match what is upstream should be relatively easy, right?

I just deleted the vendor directory and ran go mod vendor and got the exact same tree again (no changes in Git). So seems like they are fine. At least as long as the go.mod is fine.

Scrumplex commented on 2022-05-19 10:30 (UTC)

I updated the package to 0.11.6 as there were no code changes between 0.11.5 and 0.11.6. So in any case it doesn't really matter. It was basically just a version bump to notify users about this. I don't have any convenient tools to tell people about problems with upstream.

timschumi commented on 2022-05-19 10:22 (UTC) (edited on 2022-05-19 10:23 (UTC) by timschumi)

In any case, this package should not have been updated to 0.11.6 in the first place. Whether we assume older revisions to be similarly breached is a different (albeit important) topic. (EDIT: Also, confirming that the vendored dependencies match what is upstream should be relatively easy, right?)

Blu3wolf commented on 2022-05-19 10:18 (UTC)

@timschumi 0.11.5 is not known-good. The package history as a whole is suspect according to the developer. Their comments here indicate they do not know if any part of the project is uncompromised: https://github.com/lawl/NoiseTorch/issues/253#issuecomment-1130597691

timschumi commented on 2022-05-19 10:15 (UTC) (edited on 2022-05-19 10:19 (UTC) by timschumi)

Why is this updated to 0.11.6? 0.11.6 is the "this may have been compromised, do not use this." release. Stay at the known-good revision, 0.11.5 (EDIT: and preferably lock it to the last known-good commit, 8a918f9076ea057c505fd92bc85b080e125b15d5).