Arch Linux

1. Active AUR malicious packages incident

   We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository.

   We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed. While this is happening, and while we work to create a more permanent solution, users may see issues with the following:

   • Creating new accounts on the AUR
   • Pushing package updates
   • Adopting or creating new packages

   We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time. If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information.

2. Arch Linux 2026 Leader Election Results

   Recently we held our leader elections and after a lively discussion period on the (internal) mailing lists and voting phase with two candidates Levente "anthraxx" Polyák was re-elected as Arch Linux Project Lead.

   As per our election rules he is re-elected with the term lasting two years.

   The role of of the project lead within Arch Linux is connected to a bunch of responsibilities regarding decision making (when no consensus can be reached), community leadership, Code of Conduct enforcement, handling financial matters with SPI and overall project management tasks.

   Congratulations to Levente, thank you for stepping up to serve this community and all the best wishes for another successful term! 🥳

3. Breaking changes for all users of `varnish`, which is renamed to `vinyl-cache`

   The Varnish project has renamed itself to Vinyl Cache. We followed this rename with a new vinyl-cache package. This upgrade results in breaking changes and users are advised to study these changes and how it affects them before following the replacement. All references to "varnish" have been changed to "vinyl" in all binaries and directories.

   At minimum, users will have to:

   • rename /etc/varnish to /etc/vinyl-cache
   • rename /var/lib/varnish to /var/lib/vinyl-cache
   • fix up ownership of files inside /var/lib/varnish
   • user varnish becomes vinyl
   • group varnish becomes vinyl
   • user varnishlog becomes vinyllog
   • user vcache remains the same
   • disable the old varnish.service and varnishncsa.service systemd units
   • enable the new vinyl-cache.service and vinylncsa.service systemd units

   Meanwhile, the varnish package has been dropped from [extra]. We're not currently planning to maintain a new varnish package as it's a different upstream project.

4. kea >= 1:3.0.3-6 update requires manual intervention

   The kea package has moved all services to run as a dedicated kea user (instead of root) for improved security. This change requires permission updates to the runtime files created by the kea services.

   Users upgrading from an existing kea installation should therefore run the following commands after the upgrade:

   chown kea: /var/lib/kea/* /var/log/kea/* /run/lock/kea/logger_lockfile

   systemctl try-restart kea-ctrl-agent.service kea-dhcp{4,6,-ddns}.service

   Accounts that need to interact with kea services files (e.g. lease files under /var/lib/kea, log files under /var/log/kea or configuration files under /etc/kea) should be added to the kea group.

5. iptables now defaults to the nft backend

   The old iptables-nft package name is replaced by iptables, and the legacy backend is available as iptables-legacy.

   When switching packages (among iptables-nft, iptables, iptables-legacy), check for .pacsave files in /etc/iptables/ and restore your rules if needed:

   • /etc/iptables/iptables.rules.pacsave
   • /etc/iptables/ip6tables.rules.pacsave

   Most setups should work unchanged, but users relying on uncommon xtables extensions or legacy-only behavior should test carefully and use iptables-legacy if required.