As recently discussed on the Arch Mailing list there appears to have been a large coordinated attack on the AUR some time within the last 24 hours that seems to have resulted in a rather sizable amount of packages being contaminated with malware. This is a good reminder that the AUR is open, unofficial, user-produced, content. The only secure way to use the Arch User Repository is by reviewing every PKGBUILD. While efforts are now underway to clean out any problem packages there still exists ...
Nah, nobody is recommending that you just rawdog this freaking script in a terminal, as it is only useful if you make use of the AUR! The golden rule is to evaluate every script that you see, decide if it is a good or bad, personally having read it there aren’t any malicious instructions present in it. ML tools aren’t particularly reliable, can be tricked, deliver false negative or false positive results, and will just dull your mind.
If one cannot read, evaluate, and come to a decision based on the information available…Arch simply isn’t a good fit for the person in question. That is okay, and there are plenty of options.
Granted the AUR shouldn’t be as easy to exploit as it was in this instance, it’s a bit too wild west for my liking. There needs to be better protections that prevent such exploitation in the future, as there are clear exploitable weaknesses present with the AUR which need to be closed to prevent something low effort from happening again. The axiomatic truth of the AUR remains true: Do not trust, verify any PKGbuilds before installing software and before every single update.
Nah, nobody is recommending that you just rawdog this freaking script in a terminal, as it is only useful if you make use of the AUR! The golden rule is to evaluate every script that you see, decide if it is a good or bad, personally having read it there aren’t any malicious instructions present in it. ML tools aren’t particularly reliable, can be tricked, deliver false negative or false positive results, and will just dull your mind.
If one cannot read, evaluate, and come to a decision based on the information available…Arch simply isn’t a good fit for the person in question. That is okay, and there are plenty of options.
Granted the AUR shouldn’t be as easy to exploit as it was in this instance, it’s a bit too wild west for my liking. There needs to be better protections that prevent such exploitation in the future, as there are clear exploitable weaknesses present with the AUR which need to be closed to prevent something low effort from happening again. The axiomatic truth of the AUR remains true: Do not trust, verify any PKGbuilds before installing software and before every single update.