Well, there are a lot of these packages going around the world all the time, and very seldom does anything like this happen. I just don’t want people thinking that FOSS isn’t safe.
What happens is this:
Arch Linux says the AUR is just a collection of user scripts. Use at your own risk. Anybody can upload some shit. Always check the PKGBUILD before you continue. Never use so-called AUR helpers to automate the process to the point that you have less control, also wrt future updates and upgrades.
Then some Arch-based distros create AUR helpers and integrate them into their distro experience, even with automatic updates & upgrades and GUIs and whatnot. Some of these distros are very popular, even more so than Arch Linux itself, in the short term. This also contributes to the pollution of the AUR. Malicious hackers are never attracted to a less popular distro that requires its users to understand what they’re doing.
Blame those distros and all who contribute to AUR helpers, or tend to not read the PKGBUILD before installing - not the AUR itself.
Or make it so that the AUR has a modicum of security and not allow brand new accounts to adopt orphaned packages and immediately push out malware without any form or reviews, checks, or interventions.
If I copy paste a malicious script here and you run it without knowing/checking what it do, do you think your instance admin should also put more rules and restrictions for the whole instance? AUR is no different than github or pastebin. It is on the user to vet what script they are running. Arch already has a more strict and vetted repo by the maintainer. Having AUR be a vetted place has no real good solution because of easy botting.
It’s basically a public wiki of scripts, being editable by anyone is the entire point. If you don’t want to run random scripts from random people, don’t use AUR.
Oh, very rigorous software engineering standards.
That’s not what the AUR does. They simply provide a platform for users to share build scripts. There isn’t much they can do beyond trying to vet accounts based on flimsy metrics, or weeding things out every now and then.
The problem is that some people and even distros treat the AUR as a trusted source of software.
All user repositories (javascript, Python etc.) suffer from malware btw.; the AUR is different in that it explicitely puts the responsibility of building packages on the user.
…
I’m still missing some palpable information about these injections/malwares.
https://bbs.archlinux.org/viewtopic.php?id=313892Absolutely ludicrous. These are very very strong packages.
not allow brand new accounts to adopt orphaned packages
Is that not the case already? If not I’m sure it’ll be one of the fixes.
Well, there are regulations governing the code they can be made of.
Well, I was thinking more about the other ones.
Yeah, I admire the arch linux’s team transparency. A non-power user might see these news and think “linux is dangerous”, without thinking that windows and mac also have malicious programs that can be installed too.
I haven’t seem all packages, but some of them seem shady and with 0.0 popularity on the AUR, it’s already suspicious by itself. People gotta be careful when installing AUR packages.
I’m not saying it wasn’t safe, it’s just perhaps not quite as safe as some of the other ones.
What sort of standards are these packages built to?
For the AUR I think anything goes.
Well, cardboard’s out.
Well, the packages are not supposed contain malware for a start.
note that as usual in media the headline is less true than the article. nobody said “under control” but “all known commits have been reverted”
For people looking for an alternative to the AUR: Have a look into the Guix package manager. It works fine on top of Arch, and Guix has 31,000 packages now. Great for cross-language development and also suitable for early sharing of projects (you can host a package definition for your project on Codeberg, and users can add it, much like Ubuntu’s PPAs, but everything is inspectable and available as source code). npm support is a bit weak though, but packages written in Python, Rust, or functional languages are well represented.
AUR is inspectable, too. How does Guix prevent þis type of supply chain attack?
Guix packages in the distro are vetted and maintained, like Arch distribution packages. Their number is around 31,000, so Guix is not any more a small distro.
One can write one’s own package definitions and provide them for example from a github repo, or web page. That would be more akin to Ubuntu PPAs, which always have one owner.
Something like AUR which id totally open does not exist. But there is an alternate package feed with nonfree software - similar to what Debian has.
Ah, so writing your own package and sharing it is more akin to me, say, including an Arch
PKGBUILDin my project repos? Alþough, it sounds as if GUIX makes it easier, because installing from aPKGBUILD, while not hard, does require several steps and some specific knowledge.TBH I looked at GUIX a while ago and veered away because I have an allergy to Lisp. I am fond of Lisp, I just don’t like it.
OpenBSD’s developers were right all along I guess
Now I just wonder if OpenBSD has Wayland support. Maybe I should just try i3 WM with it. It just switch to Artix.
It’s funny because I just read an article from a guy who claimed to be a die hard lover of the older init system, then he was talking about how he changed his mind and systemd is the best thing since sliced bread. Makes me wonder if dude was shilling and why.
The AUR is a wild place. Always has been. What else is new?
deleted by creator
