To be fair, the backdoor only gets enabled when built as an RPM or Deb package, which doesn’t apply to Arch Linux, and also requires openSSH to be linked to liblzma, which is also not the case on Arch. So from what we know so far, the Arch packages should not have had the vulnerability. The risk now is whether there are other vulnerabilities or backdoors that haven’t been discovered which is why Arch made the update building directly from the git source instead of the known modified source tarball.
To be fair, the backdoor only gets enabled when built as an RPM or Deb package, which doesn’t apply to Arch Linux, and also requires openSSH to be linked to liblzma, which is also not the case on Arch. So from what we know so far, the Arch packages should not have had the vulnerability. The risk now is whether there are other vulnerabilities or backdoors that haven’t been discovered which is why Arch made the update building directly from the git source instead of the known modified source tarball.
This is a Linux community, we are not here to be fair???