On 5/27/26 10:45 AM, Martin Rys wrote:
I compared the contents of one of your archives vs what others are
getting, and aside from the different dir name, there's no difference.

The thing is, GitHub does not guarantee their source tarballs not to
change, so I'd probably chalk it up to GH weirdness:
https://github.blog/open-source/git/update-on-the-future-stability-of-source-code-archives-and-hashes/

You could make the PKGBUILD deterministic by using git instead of
relying on the .tar.gz generated by GitHub:

source=("zigwl-${_zigwlver}::git+https://github.com/ifreund/zig-wayland.git#tag=v${_zigwlver}")
sha256sums=('9ff3bf408bee528889a9dd3059235cb5611c8e38e80e2af880187c00f387ac78')

That also has the benefit of guaranteeing that the file name will be the same.

Martin


Be extra careful verifying GitHub and npm packages and dependencies. Both have been the victims of multiple hacks during the past couple of weeks:

https://www.theregister.com/security/2026/05/22/megalodon-chums-the-waters-in-55k-github-repo-poisonings/5245342

(see earlier TeamPCP attacks [Shai-Hulud and progeny])

npm is the king frequent-flyer for supply chain compromise. This is the link from last week's fun:

https://www.theregister.com/cyber-crime/2026/05/19/shai-hulud-keeps-burrowing-314-npm-packages-infected-after-another-account-compromise/5242601

see also: Claudia's response on the AUR plex-media-player compromise earlier today.

Unfortunately, it appears these are just the opening salvos in the AI race to the bottom as ever less sophisticated users are able to create ever more sophisticated exploits.

--
David C. Rankin, J.D., P.E.
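A small lint for the point Martin makes above, added here as an example; it is not part of the thread, of makepkg, or of the zig-wayland PKGBUILD. It classifies each entry of a PKGBUILD source=() array by how reproducible its bytes are: a GitHub /archive/ tarball (the case in the thread) can change without notice, a git source with #tag= gives a stable file name but upstream can move the tag, a git source with no fragment follows the default branch, and only #commit= with a full 40-hex hash pins the content itself. The entries in demo are constructed (the version "0.1" and the commit hash are placeholders, not real zig-wayland identifiers); function names are mine.

```shell
#!/bin/sh
# Lint PKGBUILD source=() entries for non-deterministic inputs.
# Constructed example for this thread; makepkg itself has no such check.

# classify_source ENTRY
# ENTRY is one element of a source=() array: optional "name::" prefix, then the URL.
# Prints one verdict:
#   pinned    git+...#commit=<40 hex>: content fixed by the object hash
#   tag       git+...#tag=: stable file name, but the tag can be moved upstream
#   floating  git+... with no fragment: tracks the default branch
#   tarball   GitHub auto-generated /archive/ tarball: bytes may change (see the GitHub post)
#   other     anything else (release asset, plain file): covered by its fixed checksum
classify_source() {
    entry=$1
    url=${entry#*::}                      # drop the optional "name::" prefix
    case "$url" in
        git+*)
            # makepkg accepts an optional "?signed" query after the fragment
            if printf '%s\n' "$url" | grep -Eq '#commit=[0-9a-f]{40}(\?signed)?$'; then
                echo pinned
            elif printf '%s\n' "$url" | grep -q '#tag='; then
                echo tag
            else
                echo floating
            fi
            ;;
        *://github.com/*/archive/*) echo tarball ;;
        *) echo other ;;
    esac
}

# lint_sources reads one source entry per line on stdin, prints
# "<verdict><TAB><entry>" per line, and returns 1 if any entry is
# "tag", "floating" or "tarball" (inputs whose bytes are not fixed by
# the PKGBUILD alone).
lint_sources() {
    rc=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        v=$(classify_source "$entry")
        printf '%s\t%s\n' "$v" "$entry"
        case "$v" in tag|floating|tarball) rc=1 ;; esac
    done
    return "$rc"
}

# demo runs the lint over constructed entries: the thread's #tag= form,
# the GitHub tarball it replaced, an unpinned git URL, a placeholder
# #commit= pin, and an unrelated release tarball.
demo() {
    _v=0.1                                   # placeholder version, not a real release
    _c=0123456789abcdef0123456789abcdef01234567   # placeholder 40-hex commit
    if printf '%s\n' \
        "zigwl-${_v}::git+https://github.com/ifreund/zig-wayland.git#tag=v${_v}" \
        "zig-wayland-${_v}.tar.gz::https://github.com/ifreund/zig-wayland/archive/refs/tags/v${_v}.tar.gz" \
        "git+https://github.com/ifreund/zig-wayland.git" \
        "zigwl-${_v}::git+https://github.com/ifreund/zig-wayland.git#commit=${_c}" \
        "https://example.org/foo-1.0.tar.gz" | lint_sources; then
        echo "result: all sources reproducible"
    else
        echo "result: some sources are not pinned to fixed bytes"
    fi
}
```

Run `demo` after sourcing the file. In practice, resolve the tag once with `git rev-parse "v${_zigwlver}^{commit}"` and put that hash in a `#commit=` fragment: the tag form still gets you the stable file name Martin mentions, but only the commit form makes the checkout independent of what upstream does to the tag later.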
