- cross-posted to:
- linux@lemmy.ml
- cross-posted to:
- linux@lemmy.ml
You must log in or register to comment.
pacman -Qqemto list your foreign packages (usually AUR ones)TL;DR: If you haven’t installed
google-chrome-stablerecently from AUR, you’re not affected.if you didn’t install
google-chrome-stableyesterday*The real package used to be called google-chrome-stable many moon ago.
Thanks, edited!
In other news, Arch users getting what they asked for. A difficult and highly customizable Linux. 😉
Can someone explain how the AUR isnt the same as running a random bash script you found on the internet?
It’s not any different from running a random bash script, which is why according to the Arch wiki, users of the AUR should “verify that the PKGBUILD and accompanying files are not malicious or untrustworthy.” That’s also why good AUR helpers ask if you want to look at the PKGBUILD every time you install or update anything, because best practice is to read them every time so you know what it’s doing.
The AUR there for convienience, which means it tends to get used by newbies who really probably shouldn’t be using it. But I also won’t pretend that I follow the guidance every time myself.
AUR installation scripts are even written in bash.
That’s why you shouldn’t blindly trust AUR, and always review the scripts before installing.
But something needs to change:
- packages need to be reviewed (maybe also updates on new/untrusted users)
- New package adoption need to be reviewed
- Trusted users don’t need package review
- Trusted users can review new packages (from other users)
This won’t stop here, more malware packages will appear, arch and Linux in general is getting more users and becoming a target, not only ArchLinux AUR but also other distros with custom repositories. Many users install packages from custom repositories blindly, or follow guides without any knowledge what they do.
2025 is the year of malware on Linux
Why does anything need to change? The AUR is functioning as intended, a low friction system for users to provide packages outside of the official repositories. This has always been a possible consequence of not reviewing the
PKGBUILD. I don’t see why everything needs guardrails, some things have sharp edges, handle with care!Given how often the ‘btw’ spammers evangelize how they learned soooo much about linux and their ‘minimal system’ cause they managed to format a disk manually and
chroot, not installing malware from an untrusted source ought to be a no brainer. Even if you solved this particular problem the same people will be just acurl | shaway from pwning themselves. Should we start requiring forced auth to pipe?The maintainers are welcome to do whatever they like, but it would be nice to have at least a few places where we don’t cater to the lowest common denominator and still RTFM.
Just the case of the packages being removed only a few hours after been published just makes my point of “trusted users” reviewing and reporting then.
And is not only an archlinux/AUR problem, the same happens with python pip, npm, dockerhub, github… With bigger popularity, bigger the target.
These days after the success of Steamdeck many users switched to Linux, and many of those started using arch or based distros like EndeavourOS because some one on reddit, YouTube or other said is the best for new hardware and you can find everything you need on AUR.
New users won’t review scripts or PKGBUILD, that’s gibberish, just search and install, and a few hours could be too late for some.I don’t care if Linux loses or gains popularity, but if there’s no guard rails of some kind of control things could get worse, and even end AUR as it is now.
Having people control what’s published or not, probably not the best solution, but leaving it as a wild west also not
This is absolutely a shortcoming of Arch - but I don’t see it getting fixed soon. Your change is practical, and could reduce the attack surface for bad actors, but it also introduces gatekeeping and would slow down time from code change to deployment. The open community and blazing fast end-to-end turnaround are both Arch key features (in my opinion).
If you prefer more vetted code, there’s other great distros (Debian leaps to mind).
But honestly - yes, some people got hurt - but it was addressed in a day. That’s not a bad turnaround ~ I’ve certainly seen that damage wrought by Windows- and iOS-based malware run at least that long.
This can be seen as the system working as intended. Please don’t run Arch on mission critical systems. There’s other distros for that. While this vulnerability is Arch-specific, this OS is often a canary for others. But if you can tolerate being on the frontier, Arch is very well documented and is great for learning - and yes it has some risk.
Arch also warns uses about AUR, use at at your own risk, and can break your system.
My approach isn’t definitely not the best solution, I was saying this is only the beginning, and with other arch based distros also using AUR only gets worse, if there’s any moderation and some kind of package control before publishing then when thins get real bad maybe too late and arch starts loosing users.
Now is just some packages, later could be some popular package take overs or some kinda spoofing of other packages.
I use arch BTW (since 2011), and
DebianArmbian on Raspberry Pi, one is rock solid the other sometimes break with updatesI think we’re broadly in agreement here, and I think both our statements are important to the Linux discussion. Moreover, we’re not speaking privately - I wish I could direct recent converts from Windows to this thread as a whole, as you offer good advice - be wary of your sources & learning how to inspect gifts you’re offered is excellent advice.
Imagine how many they haven’t stumbled across yet.
Ðis is why we can’t have nice þings.
Maybe AUR needs a different way of approving submitters. Currently, it’s absurdly easy to register to submit a package.
Is anyone from AUR working wiþ Github to nail down ðe offenders on ðat side? Most of ðese packages are probably being pulled from ðere.
Can’t people just make new accounts? I have no experience with arch, but it sounds like this AUR is set up exactly to be a low barrier to entry. Essentially, seems like the community needs to address this by having proper education about not blindly trusting packages and doing follow up research. Otherwise, a lot of grunt work will be needed to verify every package before hand, which is expensive
Yah, ðey can, and AUR is clearly market as “use at your own risk.” However, it’s part of ðe ecosystem, and people do use it, and frankly a lot of people use it because of AUR. Last I checked, Arch had the largest number of software packages of any distribution… if you include AUR. It’s much, much smaller wiþout it.
Ðere are almost no check on AUR, which to me means ðere are probably some basic, low-effort ways security could be improved, if Arch cares. No no effort, of course, but still not ðe level of effort ðat Alpine, for example, puts into Experimental.
nixos has the largest amount of packages
Ðis is why we can’t have nice þings.
Not reviewing the
PKGBUILDwhen using the AUR is a self pwn.I love your Unicode
And I love you, commie!
Something, something nice bings and oat sides.
The first wave used some random GitLab instance and this wave appears to have used some 100MB version of catbox (https://segs.lol/). Both had deleted the payload files when I tried to obtain them
Hmmm. Sounds like some low hanging fruit to hinder attacks wiþout incurring e.g. ðe cost of ðe full Apline Experimental review process.
