RE: https://infosec.exchange/@ifin/116735279416101129

I'm trying to understand the details of AUR processes for submitting PKGBUILDs. In other words, how exactly did this happen? arojas submitted hundreds of changes to PKGBUILD or related files. And they were just...accepted? What am I missing?

Edit: What I missed was this was pure impersonation. The maintainer is fine, but the process was vulnerable to spoofing.

@mttaggart Antonio Rojas is a member of Arch Linux and a year-long package maintainer of the distribution (e.g. for all of KDE).

Antonio often drops larger amounts of packages to the AUR and therefore is the last committer.
The bot infecting packages in the AUR impersonated/reused the last committer. It's trivial to do with git.

I know this is not directly obvious, but please correct previous statements about this (also made elsewhere). 🙏
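The point dvzrv makes above is that the author and committer fields of a git commit are plain text that the committing client fills in, so they prove nothing about who actually pushed the change; only a signature verified against a known key does. The following script is an added example (not code from the thread participants or from Arch Linux) that audits `git log` output for exactly this: commits claiming a trusted maintainer's e-mail address that are unsigned or signed with a key other than the one on record. The trust list, the key fingerprints and the sample log records are constructed placeholders.

```python
"""Audit git commit identities against a list of known signing keys.

Added example (constructed data). A commit's author name/e-mail can be set
to anything by whoever creates the commit, so a review process that trusts
%an/%ae alone can be spoofed. Only the signature status (%G?) and the
fingerprint of the signing key (%GF) are verifiable.
"""
import sys
from dataclasses import dataclass

# Hypothetical trust list: maintainer e-mail -> fingerprint of their key.
# The fingerprint is a constructed placeholder, not a real key.
TRUSTED_FPR = "1111111111111111111111111111111111111111"
TRUSTED_KEYS = {"maintainer@example.org": TRUSTED_FPR}

# Field separator used in the git format string below (ASCII unit separator).
SEP = "\x1f"
GIT_FORMAT = "%H%x1f%an%x1f%ae%x1f%G?%x1f%GF"


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str   # git %G?: G good, N none, B bad, E cannot check, ...
    signing_fpr: str  # git %GF: fingerprint of the signing key, empty if unsigned


@dataclass(frozen=True)
class Finding:
    sha: str
    reason: str


def _rec(sha, name, email, status, fpr):
    """Build one constructed log record in the GIT_FORMAT layout."""
    return SEP.join([sha, name, email, status, fpr])


# Constructed sample output of: git log --format="$GIT_FORMAT"
# a: genuinely signed by the trusted maintainer
# b: claims the maintainer's identity but carries no signature
# c: claims the maintainer's identity but is signed with some other key
# e: an unrelated contributor, not on the trust list
SAMPLE_LOG = "\n".join([
    _rec("a" * 40, "Maint Ainer", "maintainer@example.org", "G", TRUSTED_FPR),
    _rec("b" * 40, "Maint Ainer", "maintainer@example.org", "N", ""),
    _rec("c" * 40, "Maint Ainer", "maintainer@example.org", "G", "2" * 40),
    _rec("e" * 40, "New Contributor", "new@example.net", "N", ""),
])


def parse_log(text: str) -> list[Commit]:
    """Parse GIT_FORMAT-style log output into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(SEP)
        if len(fields) != 5:
            raise ValueError(f"unexpected field count in: {line!r}")
        commits.append(Commit(*fields))
    return commits


def audit(text: str, trusted: dict = TRUSTED_KEYS) -> list[Finding]:
    """Flag commits whose claimed identity is not backed by the expected key.

    Identities not on the trust list are skipped: they make no claim that
    the trust list can contradict, and belong to a separate review step.
    """
    findings = []
    for c in parse_log(text):
        expected = trusted.get(c.author_email)
        if expected is None:
            continue
        if c.sig_status != "G":
            findings.append(Finding(
                c.sha,
                f"claims {c.author_email} but signature status is "
                f"{c.sig_status!r}, not a good signature"))
        elif c.signing_fpr.upper() != expected.upper():
            findings.append(Finding(
                c.sha,
                f"claims {c.author_email} but is signed with key "
                f"{c.signing_fpr}, expected {expected}"))
    return findings


if __name__ == "__main__":
    # Pipe real output in:  git log --format="$GIT_FORMAT" | python audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in audit(data):
        print(f"{f.sha[:12]}  {f.reason}")
```

Run against a real checkout with `git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%GF' | python audit.py`; git must have the maintainers' public keys in its keyring for `%G?` to report `G`. The design choice worth noting is that the check never compares names or e-mail addresses to decide trust; it uses them only to find out which key the commit ought to be signed with, and then lets the signature decide.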

@dvzrv @mttaggart Yes, many thanks for your posts but please correct this!
@joost_rekveld @dvzrv Thank you, it's been fixed.