• placebo@lemmy.zip · ↑10 ↓1 · 20 days ago

      Tbf most major attacks we saw recently are cross-platform thanks to npm. AUR has always been a security risk.

    • Alaknár@sopuli.xyz · ↑5 ↓1 · edited · 19 days ago

      Wasn’t that long ago when I was downvoted to oblivion for saying that. Glad to see the community is maturing.

      • CubitOom@infosec.pub · ↑7 · edited · 20 days ago

        Good question, I guess I might be using the wrong word when I say “orphan”, because I see the Arch wiki uses that term differently:

        Orphans are packages that were installed as a dependency and are no longer required by any package.

        https://wiki.archlinux.org/title/Pacman/Tips_and_tricks

        You can remove these manually, or if you use an AUR helper like yay there are flags/settings you can use to delete them after the desired package was installed.

        However, what I was talking about was AUR packages that are unmaintained or no longer have a maintainer.

        I’m researching more at the moment.

        • Eager Eagle@lemmy.world · ↑7 · 20 days ago

          shit, I had 150 orphaned packages

          pacman -Qdtq | pacman -Rns -

          I made an alias for this, but IMO this cleanup should be automatic. The user didn’t install it themselves after all.

          • CubitOom@infosec.pub · ↑2 · 20 days ago

            I don’t trust that everything that outputs from pacman -Qdtq should be deleted. Like I want to keep vlc.

            • Eager Eagle@lemmy.world · ↑3 · 20 days ago

              I think if you do pacman -S vlc it won’t be orphan anymore though. I removed everything, if I miss something I’ll install it again.

              • CubitOom@infosec.pub · ↑7 · 20 days ago

                A simple install kept it orphaned. Instead I needed to run sudo pacman -D --asexplicit vlc
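Putting the two commands from this sub-thread together, as an added example that is not code from any of the posters: instead of piping `pacman -Qdtq` straight into `pacman -Rns -`, split the orphan list against a keep-list first, re-mark the kept ones explicit with `pacman -D --asexplicit` (a plain reinstall does not change the install reason, as noted above), and only then hand the rest to `pacman -Rns`, whose own y/N prompt is the confirmation step. The keep-list file and the package names are constructed for illustration. The two filter functions are plain text processing and run on any POSIX shell; `review_orphans` assumes an Arch system with `pacman` and `sudo`.

```shell
#!/bin/sh
# Added example, not from the thread. Splits pacman's orphan list against a
# keep-list so "remove all orphans" cannot take out packages you actually want.
set -eu

# Shared filter: $1 = keep-list file (one package per line), $2 = "keep" or "remove".
# Reads one orphan per line on stdin, ignores blank lines, prints the selected side.
_split_orphans() {
    [ -r "$1" ] || { echo "keep-list '$1' is not readable" >&2; return 1; }
    awk -v keep="$(cat "$1")" -v mode="$2" '
        BEGIN {
            n = split(keep, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") k[a[i]] = 1
        }
        $0 == "" { next }
        (mode == "keep") == ($0 in k) { print }'
}

# orphans_to_keep KEEPFILE   < orphan-list : orphans listed in the keep-list
# orphans_to_remove KEEPFILE < orphan-list : orphans NOT listed in the keep-list
orphans_to_keep()   { _split_orphans "$1" keep; }
orphans_to_remove() { _split_orphans "$1" remove; }

# Live step (Arch only): needs pacman, and root via sudo for -D and -Rns.
# usage: review_orphans KEEPFILE
review_orphans() {
    # -Qdtq exits 1 when there are no orphans; do not let set -e abort on that.
    orphans=$(pacman -Qdtq || true)
    if [ -z "$orphans" ]; then
        echo "no orphans"
        return 0
    fi
    keep=$(printf '%s\n' "$orphans" | orphans_to_keep "$1")
    drop=$(printf '%s\n' "$orphans" | orphans_to_remove "$1")

    # Kept orphans become explicitly installed so they stop showing up in -Qdt.
    if [ -n "$keep" ]; then
        printf '%s\n' "$keep" | sudo pacman -D --asexplicit -
    fi
    # The rest go to -Rns, which lists the targets and asks before removing.
    if [ -n "$drop" ]; then
        printf '%s\n' "$drop" | sudo pacman -Rns -
    fi
}
```

A keep-list with just `vlc` in it reproduces the thread's case: `vlc` is marked explicit and disappears from future `-Qdt` output, everything else is offered for removal.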

    • Albbi@piefed.ca · ↑3 · 20 days ago

      They also wait until they get off the rollercoaster and back on solid ground before yelling yay!

    • Siegfried@lemmy.world · ↑1 · 19 days ago

      Did clamav work with AUR-affected packages? Sorry if the question is idiotic, because I'm ignorant when it comes to security.

    • Crozekiel@lemmy.zip · ↑1 · 19 days ago

      I am really curious about this. If someone had ClamAV and updated any of these packages from the AUR during the attack, would ClamAV have “solved” that problem? I would love to know the effectiveness of that.

  • ornery_chemist@mander.xyz · ↑12 · 20 days ago

    I was on arch as a vestige from my school days, having never quite found the time to switch to something more stable. When I saw the news over the weekend, I checked and found 1 would-be-infected package on my machine that was thankfully months out of date. I’m well past the point of wanting to examine PKGBUILDs every time (hence the out of date package). But, instead of just removing AUR packages and sticking to arch repos, I decided to sweep up the technical debt by wiping and installing Fedora. I’m liking it so far, minus the absolute pain in the ass that is Nvidia on Linux. Fuck academics and their insistence on writing everything targeting CUDA; otherwise, I’d have saved a good bit of money a few years ago with a much more compatible AMD card.

    • insomniac_lemon@lemmy.cafe · ↑2 · 20 days ago

      Have you looked into drop-in (ZLUDA) or recompile (SCALE, chipStar) things? Though they may not have been helpful with the years gone by (and may each have their own pros/cons).

      I’m still using a 1050Ti (and legacy driver shifting to AUR did block me from updating), value doesn’t seem great and not going to buy something used from eBay. So that still complicates things for me.

      Distro-wise I probably want something slower than Arch but not sure about point releases. And I am hoping for something that does updates in a way more friendly to slower internet (giving less update friction), but I suspect it doesn’t exist. Some things (OpenSUSE, NixOS) seem like they might be closer to what I want, but I have hangups about them (Patterns on SUSE and lack of videos for Slowroll, NixOS having multiple solutions for dynamically linked executables, especially if I decide to stop using Steam directly).

    • Bluewing@lemmy.world · ↑1 · 19 days ago

      The most frictionless distro to install Nvidia drivers is Aurora. As you get ready to download the ISO, it will provide a couple of drop-down menus to select your GPU. Intel/AMD is one and the other lists Nvidia GPUs by card to add the correct driver to the ISO. You should be able to install the ISO and boot into your shiny new Plasma desktop with your Nvidia GPU working just fine.

      And you get the atomic goodness of Fedora Kinoite.

      • PieMePlenty@lemmy.world · ↑4 · edited · 20 days ago

        You add the rpmfusion repo and install a few nvidia packages from there. Kernel modules are then built for the driver. If secure boot is used, they need to be signed too. Sometimes the grub entry isn’t updated and doesn’t load nvidia drivers. Sometimes you boot into a black screen, sometimes Wayland throws a hissy fit. Hardware accelerated video decoding needs more packages, in browsers it may need extra configuration…
        The components are all there and they work, but sometimes the stars don’t align and you just curse a little and wonder why you didn’t just buy AMD, because that just works.

      • Bluewing@lemmy.world · ↑2 · 19 days ago

        It’s a couple commands and laid out cookbook style. Fedora has a very good document page on installing nVidia drivers. And the installation is generally very smooth.

        The biggest hang up for first time users is understanding that you need to wait for everything to build before doing sudo systemctl reboot. How long do you need to wait? No one really knows. There is no progress bar or any other notification that the building is done successfully. You just wait and then take a leap of faith into that dark abyss and hope for the best.

        Typically, it’s recommended to wait “at least 5 minutes”. Maybe more. I always waited around 10 minutes (or one cup of tea) to be sure. But some users reported needing to wait as much as 20 minutes for everything to build. YMMV

        • ornery_chemist@mander.xyz · ↑3 · edited · 18 days ago

          Regarding the wait time, maybe I just got lucky, but just waited for my CPU usage to come back down and spammed modinfo -F version nvidia or some such until it stopped erroring. My actual hang-up was getting simpledrm working and then secure boot.
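An added example, not from any of the posters, that turns the "wait ten minutes and hope" step in the replies above into a bounded poll: keep trying `modinfo` until the freshly built module is visible, give up after a timeout, and then report whether the module carries a signature, which is the part Secure Boot will refuse to load without. `wait_for_cmd` is generic so it can be exercised without an Nvidia card; `wait_for_nvidia_module` is a hypothetical wrapper that assumes a Fedora + rpmfusion akmods build of the `nvidia` module, the `akmods.service` unit name, and `mokutil` being installed.

```shell
#!/bin/sh
# Added example, not from the thread. Bounded polling instead of a timed guess.
set -u

# wait_for_cmd LIMIT_SECONDS INTERVAL_SECONDS COMMAND...
# Returns 0 as soon as COMMAND exits 0, 1 once LIMIT_SECONDS have elapsed.
# COMMAND's output is discarded; only its exit status matters.
wait_for_cmd() {
    limit=$1; interval=$2; shift 2
    elapsed=0
    while [ "$elapsed" -lt "$limit" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 1
}

# wait_for_nvidia_module : poll up to 20 minutes for the akmods-built module,
# then print its version and whether it is signed. Exit codes:
#   0 visible and signed, 1 never showed up, 2 visible but unsigned.
wait_for_nvidia_module() {
    if ! wait_for_cmd 1200 10 modinfo -F version nvidia; then
        echo "nvidia module still not visible after 20 minutes; try: journalctl -u akmods" >&2
        return 1
    fi
    echo "nvidia module version: $(modinfo -F version nvidia)"

    # Secure Boot state as reported by mokutil (assumed installed); "unknown" if not.
    echo "secure boot: $(mokutil --sb-state 2>/dev/null || echo unknown)"

    # modinfo prints an empty sig_key for an unsigned module. With Secure Boot
    # enabled such a module builds fine but is rejected at load time, which is
    # the black-screen-after-reboot case described in this thread.
    sig=$(modinfo -F sig_key nvidia 2>/dev/null || true)
    if [ -n "$sig" ]; then
        echo "module is signed (key: $sig)"
        return 0
    fi
    echo "module is NOT signed; it will not load with Secure Boot enabled" >&2
    return 2
}
```

Run `wait_for_nvidia_module` after the package install finishes and reboot only when it returns 0; a return of 2 means the akmod built but the signing step (enrolling a key with mokutil) is still missing.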

      • ornery_chemist@mander.xyz · ↑2 · 19 days ago

        In the simplest case, absolutely. I ran into black screens and wayland issues due to a combination of needing to enable simpledrm in the command line and working with secure boot. Not too much extra once you figure it out, though.

  • HisAssholiness@lemmy.ml · ↑13 ↓1 · 20 days ago

    Arch users just randomly dropping “I use Arch btw” everywhere, it was only a matter of time.

      • pressanykeynow@lemmy.world · ↑17 · 20 days ago

        But your brain should be the best antivirus you have.

        Is there an AUR package for it? seems not in the official repo

      • placebo@lemmy.zip · ↑7 ↓1 · edited · 20 days ago

        But your brain should be the best antivirus you have.

        It’s useful to use your brain, but any security layer has holes, which is why it’s good to have several layers. Some attacks might be way beyond the user’s understanding or come from trusted sources.

      • UnderpantsWeevil@lemmy.world · ↑5 · 19 days ago

        But your brain should be the best antivirus you have.

        True of virtually every OS.

        But “only stupid people get viruses” is exactly the kind of trap that catches folks.

      • AceSLive@lemmy.world · ↑2 · 19 days ago

        I have ESET Home, but now I’ve gone completely Linux, and they don’t do it for home, only business.

        Which sucks, as I have a year left on my subscription I can no longer use :/

    • Ghoelian@piefed.social · ↑9 ↓1 · 20 days ago

      one thread I found from 2 years ago where someone asked for the same thing, a lot of the replies are just “you don’t need antivirus on Linux” lmao

      • CeeBee_Eh@lemmy.world · ↑2 ↓3 · 19 days ago

        a lot of the replies are just “you don’t need antivirus on Linux”

        Which is completely true when using distros like Debian, Fedora, RHEL, OpenSuse, etc.

        Arch (and its derivatives) are designed to be on the bleeding edge with ALL the paper cuts that come with it. It is absolutely not focused on stability or security. If you want those things then stick to Debian or Fedora Silverblue.

        And the second you introduce npm to your system you can throw any semblance of security out the window, regardless of what your operating system is, and no antivirus is going to save you.

        That being said, the fundamental security models between Linux and Windows are very different. And on Linux the overall impact will likely be far less damaging (technologically, not financially) than on Windows. Windows “security” is just a corporate marketing campaign.

          • CeeBee_Eh@lemmy.world · ↑2 ↓1 · 19 days ago

            npm, yes. Snap and flatpak? No. I’m not saying it’s impossible to get malware. The difference is that snapd and flatpak have various levels of process isolation that largely mitigates any potential issues.

            The argument isn’t “Linux doesn’t have malware”, the argument is “you don’t need to run antivirus on Linux”. Those are two very different things.

            Not even the best antivirus will protect you completely, at that point you need good computer hygiene.

            • Crozekiel@lemmy.zip · ↑1 · 18 days ago

              Eh. Flatpak has the option for process isolation, but it kinda works similarly to how android apps have default permissions set and the packager can just go “nah, this gets FULL permissions” and unless you go look and change it yourself, the program isn’t restricted at all. I don’t use ubuntu/snapd so can’t speak to that.

              There are more protections on flathub than the AUR for sure - the AUR is closer to just downloading random shit off the internet than a true repository. That said, it’s crazy to assign the vulnerabilities of the AUR to Arch as a whole… The Arch repos proper (and even Chaotic AUR) didn’t have problems during any of this.

              • CeeBee_Eh@lemmy.world · ↑2 · 18 days ago

                Flatpak has the option for process isolation, but it kinda works similarly to how android apps have default permissions set and the packager can just go “nah, this gets FULL permissions” and unless you go look and change it yourself, the program isn’t restricted at all.

                You’re not wrong, but even with the AUR it’s (last I checked/heard) a problem with orphaned packages being picked up by random users, and then a “new” PKGBUILD with the malicious bits getting uploaded.

                The reality is that even if everyone just blindly updated through yay this whole time, very few people would be affected because the number of orphaned packages installed is very low. The package managers tend to bug you about orphaned packages.

                The difference with Flatpaks and the Snap Store is that you can’t just take ownership over an abandoned project. You’d have to create your own. And since Canonical is in charge of the Snap Store, they’re quick to react to any sort of security issue.

                the AUR is closer to just downloading random shit off the internet than a true repository

                Ultimately that is what it is. Because some packages are grabbing files from just about anywhere.

                The Arch repos proper (and even Chaotic AUR) didn’t have problems during any of this.

                And that’s really the key. The AUR is bleeding edge with a “here be dragons” philosophy. Like I said in my previous comment, if you can’t accept those dangers (work computer, sensitive data, etc.) then simply don’t use Arch.

  • altphoto@lemmy.today · ↑10 · 20 days ago

    With the old package managers safety was simple… trust the developers, use their packages. 10000 downloads? Easy! 1 download… 🤔 Maybe skip for now.

    Now with executables like Mac and Windows it’s easier to sneak something in. You still rely on trust. But now you’ve got AI in the game muddying the waters.