Update Error - Handshake Timeout / AUR Seems DOWN

is UP now. It’s reachable from my end.

2 Likes

And I managed to run updates on two machines, neither of which found any updates to the very few AUR packages I have installed.
I wonder if it’s over or just another short interlude?

1 Like

Also reachable from my end now.

:: Looking for PKGBUILD upgrades...
:: Looking for AUR upgrades...
:: Looking for devel upgrades...
:: Resolving dependencies...
:: Calculating conflicts...
:: Calculating inner conflicts...

Aur (1)       Old Version  New Version    Make Only
...

2 Likes

Yeah that is a good point. :thinking:

1 Like

It’s not working for me. I get this error when I run yay:

request failed: Get "https://aur.archlinux.org/rpc?arg[]=etcher-bin&arg[]=gitkraken&arg[]=pipes.sh&arg[]=visual-studio-code-bin&type=info&v=5": EOF

It is not just you… :unamused_face:

1 Like

It’s up and down. I was able to update about an hour ago. AUR is down again. This is a continuing DDoS attack.

2 Likes

sounds like that one. this seems personal.

just a guess

haven’t found that update window yet in a couple days. thanks for the official info. and others with the links

Might be a window right now. I just updated without issue.

Searching AUR for updates...
:: Searching databases for updates...
-> 1 error occurred:
* request failed: Get "https://aur.archlinux.or

not yet, but I know it will be back so I’m patient.

have not updated my mirrors/reflectors for 6 weeks so maybe that’s part of it (?)

1 Like

Working theory why AUR is DDoS’ed aka my medium educated guess

  1. Check if you can DDoS AUR
  2. If you can, prepare malicious package / have a hacked maintainer account
  3. Upload malicious package and let people download the package
  4. DDoS again

Now even if someone will realize package is compromised, people will not be able to autoupdate compromised package, because it would require: a) reading news b) manual intervention

Profit.

But I hope maybe I am wrong.

1 Like

this theory guarantees the bad package downloaded to someone’s computer wreaks the maximum amt of damage since it can’t be updated or corrected. that’s a sound theory only if the person who downloaded the malicious package does not know it’s a malicious package (they didn’t read anything).

but if said user did read about his/her bad package, and cannot update, can they not yay -Rns evilpackage? or is it too late?

By read, you mean read the source code? This happens only in theory :wink:

Yes, package can be removed, if someone will actively check Arch news :confused:

1 Like

just updated without issues

2 Likes

me too finally.

1 Like

Can confirm updates are working well here.

1 Like