Around two years ago, we've merged the [community] repository into [extra] as part of the git migration.
In order to not break user setups,
we kept these repositories around in an unused and empty state.
We're going to clean up these old repositories on 2025-03-01.
On systems where /etc/pacman.conf still references the old
[community] repository, pacman -Sy will return an error on trying to
sync repository metadata.
The following deprecated repositories will be removed: [community],
[community-testing], [testing], [testing-debug], [staging],
[staging-debug].
Please make sure to remove all use of the aforementioned repositories from your /etc/pacman.conf (for which a .pacnew was shipped with pacman>=6.0.2-7)!
We plan to move glibc and its friends to stable later today, Feb 3. After installing the update, the Discord client will show a red warning that the installation is corrupt.
This issue has been fixed in the Discord canary build. If you rely on audio connectivity, please use the canary build, login via browser or the flatpak version until the fix hits the stable Discord release.
There have been no reports that (written) chat connectivity is affected.
UPDATE: The issue has been fixed in Discord 0.0.84-1.
We'd like to raise awareness about the rsync security release version 3.4.0-1 as described in our advisory ASA-202501-1.
An attacker only requires anonymous read access to a vulnerable rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on.
Additionally, attackers can take control of an affected server and read/write arbitrary files of any connected client.
Sensitive data can be extracted, such as OpenPGP and SSH keys, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt.
We highly advise anyone who runs an rsync daemon or client prior to version 3.4.0-1 to upgrade and reboot their systems immediately.
As Arch Linux mirrors are mostly synchronized using rsync, we highly advise any mirror administrator to act immediately, even though the hosted package files themselves are cryptographically signed.
All infrastructure servers and mirrors maintained by Arch Linux have already been updated.
Follow the procedure described in FS32#365 .
