What an annoyingly uninformative title. Better title: a lot more compromised AUR packages have been found since our last update.
“A lot worse” is intentionally vague to get people to click.
TLDR: Open package repositories without some approval and oversight system, like AUR, will have even more problems in the future due to advanced coding AI and malicious foreign hackers.
Edit: Please normalize TLDR’s on bot posts with just a link.
I remember the good ole days when nobody cared enough about Linux to spread malware to it. Sigh. All these techbros that need to j their d to their power trips, dystopian surveillance, and shitty AI companies have probably started this. I even noticed a Linux hate sub on Lemmy. Imagine there being enough people forced to use Linux to create a hate community where they favor Microslop. Such strange times we live in.
“Foreign hackers”
Foreign to who?
The article never said “foreign”, you made that up.
I guess if youre not from the US theyre “foreign”
OP is not a bot
Then they should’ve included a short TLDR even harder
No, normalize forcing users to click the link and read the full text.
AUR is still working as intended. It’s basically a public wiki of shell scripts, it was never intended to be secure in the first place. It has always been the user’s responsibility to review everything or avoid using it.
At least some level of human review is going to be needed.
So… completely negating the point of a User Repository??? Introduce some kind of authoritative oversight, and it’s essentially just another regular repository, erasing all the benefits of the AUR. The whole point of the distro slapping a huge disclaimer of “DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.” at the top of the homepage is because these kind of compromises are the trade-off one makes
Now’s our chance, it’s time for a hostile takeover from my fellow "i use nix btw"s!
I am actually enjoying most of it, yeah.
Me, a Debian user, watching that shitshow 😎
Debian users should receive their news 6-12 months after everyone else, change my mind
/s
Some people likes tested and stable software. It’s weird.
Out of date and stable software you mean.
Honestly, not even stable. Just arbitrarily frozen. Oftentimes with later releases having bugfixes that the user won’t see for another few years.
That’s optimistically quick
Sincerely,
A Debian user
Should? Don’t you mean already do?
Me, a NixOS user, watching folks fighting over a bunch of legacy distros 😎😎😎
Whoa, this is blowing up. Chill, guys. I really think that sucks. If anything, with Arch being bleeding edge and all of that, at least you’re showing early the tough wake up the other distros will have to do in relation to malware after Linux’ increasing popularity. Time to brush those SELinux and apparmor bits, even.
But, now, we Debian users are okay, (btw, 😎).
Nothing says “socialist vibes” like gloating over other Linux users
Huh, you really feel schadenfreude over another reputable project being hit by/having to deal with malware? And all the people who might be affected by it?
That is not something that would ever cross my mind.
I mean, but this is arch.
Upside to Debian! Never have to worry about shit like this. Downside to Debian, you have to use Debian.
More like: Upside to Debian, you never have to worry about the latest malware and bugs! Downside to Debian, you have to use yesterday’s everything…
I use Ubuntu. Have slapped on a really pretty material theme. A couple of blur extensions. A cute furry wallpaper. Never felt the need to switch to anything else.
Try installing Firefox through
apt.
I think I’d be satisfied with just not allowing people to take over orphaned packages. That seems like a glaring threat vector and closing it would not harm the AUR in any way.
And yea, arch (and its derivatives) probably should not shop with AUR helpers pre installed.
arch doesn’t ship an aur helper pre installed
The command
pacman -Qmwill display every package from the AUR on your system. You can then search the list of compromised packages.Here are some scripts that can help too
(Edit: apparently i need to say to read and understand what these scripts are doing before running them. If you don’t understand what you’re running then don’t run them) https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14
Is it best to uninstall all the supporting files too. Semes like there is an option to do that.
To be clear, -Qm displays installed packages not currently in the repositories. This will include AUR packages, but I avoid the AUR (except for davmail years ago) every once in a while I’ll run it just to check and sometimes it finds packages.
When you install things from the main repos the dependencies get installed too, and if those dependencies are no longer needed they’ll be removed from the repositories. (I also have a bad habit of forgetting --asdeps when installing optional dependencies.) Sometimes they’ll conflict with a new dependency and pacman will ask to remove and replace them, but other times the functionality has become a part of an existing package, so with no conflict to prompt removal they’ll just sit unused on your install. If you haven’t tried -Qm in a long while you’ll probably find a few harmless currently-unused packages that were installed through the normal repos.
-Qm will also find manually installed packages that aren’t in the AUR if you ever do that.
I had more aur packages than I thought but none in the list. Is this just known ones and there could be more?
Of course. A compromised package can’t be on the list if it’s unknown. Hopefully not, but there’s still a possibility
Where at “I use Arch btw” now?
I use arch btw, it’s only effecting the arch user repository, which lives separately from the maintained repositories, it’s not even possible to download stuff from there with pacman. Really it’s just a community space, I also have packages there. You can download pre-packaged apps, so if you install them, you will be able to remove them with pacman. I think it’s a great concept.
it’s like a forum where some jerk writes “use ‘sudo rm -rf /’ to speed up the computer”. Except you don’t have to read it to execute their plan.
Flathub is also concerning btw. But at least those apps are containers (with too much permissions)
AUR has never been a good idea. I don’t use it and this news proved me right.
Does that mean a distro official package manager would be immune to infections? Of course not, but they do offer a more secure distribution system and build greater trust. Minimizing the chance of malware being spread through their means.
Edit: If you have the knowledge and time to inspect the AUR packages you install, AUR might be good for you. I have none of these, that’s why I stick to my official distro packages (and sometimes also some flatpak but from official sources)
It’s just a repository of user-contributed packages. It’s no different malware-ability-wise to, say, GitHub. If you are running code you found from a stranger on the internet then you are liable for it, and you need to do your due diligence in checking that you are not running malware. It is a good thing that the AUR exists because it means Arch user packages are all in one centralised repository instead of scattered across GitHub, Sourceforge, Codeberg, Pastebin, forums, whatever. If you are just installing random AUR packages then that’s on you. It’s basic internet safety to not automatically trust random scripts you find on the internet.
I never said that GitHub was better. I just don’t feel like using a package maintained by a stranger with no tied to neither the software I want to install nor the distribution packages repository.
Of course installing random code from stranger is never great advice regardless of the distribution source. But AUR is simply not for me, and many users don’t understand the risk or let’s say responsabilities it involves while installing packages from that source.
I agree about the risks in terms of the way some sources present the AUR as just extra packages. But I don’t think you can object to the AUR more than any other place on the internet where anyone can upload software; unfortunately, the onus is going to be on the user to verify what they install. The AUR is moderated by volunteers and it wouldn’t be fair to expect them to vet all of the high volume of commits to the AUR. Possibly they could vet new maintainers or new packages or newly adopted packages, but nothing would stop someone from initially uploading a genuine package and then replacing it with something malicious. Or they could require identity verification to be an AUR maintainer but then far fewer genuine packages would be on there because people don’t want to give their real identity to contribute (I maintain some AUR packages, and would stop if required to verify my IRL identity).
I can totally understand if the AUR is not for you; it’s more time-consuming as you have to read PKGBUILDs (I always do). But that doesn’t make it bad that it exists at all. I think there should be more warnings about it for new users, and possibly some more moderation, though like I said above there’s no perfect moderation solution that would simultaneously forgo users’ responsibility to check and keep the AUR as large as it is today. Ultimately the option should still exist for users who want it. If it didn’t exist, I’d have to hand-package every program that’s not in the official repos, and that’s even more time-consuming than pulling and reading through a PKGBUILD that someone else already wrote and shared.
But why? Arch isn’t a server distro and their users usually know how to keep their secrets save. A FUD campaign?
Sometimes it’s as simple as “because they can”.
They can do this so they did. Its likely no deeper then that.
Is the Chaotic-AUR a viable alternative? As I understand, there is some level of review.
