The Arch Linux team has once again been forced to respond to a distributed denial-of-service attack targeting its AUR repository infrastructure. As a result, DDoS protection has been enabled for aur.archlinux.org to help mitigate the ongoing disruption.
While this measure helps keep the AUR website accessible, it has introduced a significant side effect: pushing to the AUR is currently not possible.
In other words, the protection system doesn’t yet handle incoming SSH connections on port 22, the method AUR package maintainers use to upload or update PKGBUILDs in their repositories. As a result, users cannot publish new packages, update existing ones, or fix build issues until full SSH functionality is restored.
Users, however, can still browse, download, and install existing AUR packages through the web interface or helpers such as yay and paru, since HTTP access remains unaffected.
The Arch Linux infrastructure team is working to resolve the issue while maintaining DDoS mitigation in place. Until then, contributors are advised to wait before attempting further AUR pushes.
Finally, I want to add that, despite the repeated attacks on the AUR in recent months, the Arch team has chosen not to publicly share any information about the sources or other details of these incidents.
While I’m sure they have good reasons for keeping things under wraps, it would be helpful if they provided a bit more transparency at some point, because the situation is clearly causing growing concern within the Arch community.
