It looks like upstream is currently in the process of establishing a fork with new branding of polymc.

Regarding what happened, it appears that Lenny was not hacked. They were able to prove it using a GPG-signed message with a pre-existing GPG key. However, they removed permissions from all other maintainers on GitHub as well as the community Discord. I would still be careful with accepting packages from Lenny since Lenny's actions against the PolyMC community are most definitely malicious, regardless of whether they were hacked.

It looks like Scrumplex is the main person leading the establishment of a new fork. They have been CC'd.

I really appreciate how quickly I got a response from the AUR team.

Please note, I am not a maintainer or developer from upstream. I am just one of their users.

-- Numeral

------- Original Message -------
On Monday, October 17th, 2022 at 3:19 PM, Morten Linderud <foxboron@archlinux.org> wrote:
On Mon, Oct 17, 2022 at 07:38:01PM +0000, notify@aur.archlinux.org wrote:
thenumeralone [1] filed a deletion request for polymc-bin [2]:
Hi! There was a hostile takeover upstream by LennyLennington. It is not known if their account was hacked. Until upstream resolves this I would recommend removing LennyLennington as maintainer and replacing them with Scrumplex in order to prevent malware from being introduced. Deletion would also be fine.
I would recommend verifying my story by emailing Scrumplex.
I am submitting an equivalent request for polymc-git.
[1] https://aur.archlinux.org/account/thenumeralone/
[2] https://aur.archlinux.org/pkgbase/polymc-bin/
This got a bit messy. Can't force orphan any packages so I have accidentally deleted one. Scrumplex is back as co-maintainer while I consider the other options.
The Lenny guy has been banned until we know what is happening.
Feel free to say if anything else needs to be done.
--
Morten Linderud
PGP: 9C02FF419FECBE16