That’s why you shouldn’t blindly trust AUR, and always review the scripts before installing.
But something needs to change:
packages need to be reviewed (maybe also updates on new/untrusted users)
New package adoption need to be reviewed
Trusted users don’t need package review
Trusted users can review new packages (from other users)
This won’t stop here, more malware packages will appear, arch and Linux in general is getting more users and becoming a target, not only ArchLinux AUR but also other distros with custom repositories. Many users install packages from custom repositories blindly, or follow guides without any knowledge what they do.
Why does anything need to change? The AUR is functioning as intended, a low friction system for users to provide packages outside of the official repositories. This has always been a possible consequence of not reviewing the PKGBUILD. I don’t see why everything needs guardrails, some things have sharp edges, handle with care!
Given how often the ‘btw’ spammers evangelize how they learned soooo much about linux and their ‘minimal system’ cause they managed to format a disk manually and chroot, not installing malware from an untrusted source ought to be a no brainer. Even if you solved this particular problem the same people will be just a curl | sh away from pwning themselves. Should we start requiring forced auth to pipe?
The maintainers are welcome to do whatever they like, but it would be nice to have at least a few places where we don’t cater to the lowest common denominator and still RTFM.
Just the case of the packages being removed only a few hours after been published just makes my point of “trusted users” reviewing and reporting then.
And is not only an archlinux/AUR problem, the same happens with python pip, npm, dockerhub, github…
With bigger popularity, bigger the target.
These days after the success of Steamdeck many users switched to Linux, and many of those started using arch or based distros like EndeavourOS because some one on reddit, YouTube or other said is the best for new hardware and you can find everything you need on AUR.
New users won’t review scripts or PKGBUILD, that’s gibberish, just search and install, and a few hours could be too late for some.
I don’t care if Linux loses or gains popularity, but if there’s no guard rails of some kind of control things could get worse, and even end AUR as it is now.
Having people control what’s published or not, probably not the best solution, but leaving it as a wild west also not
This is absolutely a shortcoming of Arch - but I don’t see it getting fixed soon. Your change is practical, and could reduce the attack surface for bad actors, but it also introduces gatekeeping and would slow down time from code change to deployment. The open community and blazing fast end-to-end turnaround are both Arch key features (in my opinion).
If you prefer more vetted code, there’s other great distros (Debian leaps to mind).
But honestly - yes, some people got hurt - but it was addressed in a day. That’s not a bad turnaround ~ I’ve certainly seen that damage wrought by Windows- and iOS-based malware run at least that long.
This can be seen as the system working as intended. Please don’t run Arch on mission critical systems. There’s other distros for that. While this vulnerability is Arch-specific, this OS is often a canary for others. But if you can tolerate being on the frontier, Arch is very well documented and is great for learning - and yes it has some risk.
Arch also warns uses about AUR, use at at your own risk, and can break your system.
My approach isn’t definitely not the best solution, I was saying this is only the beginning, and with other arch based distros also using AUR only gets worse, if there’s any moderation and some kind of package control before publishing then when thins get real bad maybe too late and arch starts loosing users.
Now is just some packages, later could be some popular package take overs or some kinda spoofing of other packages.
I use arch BTW (since 2011), and Debian Armbian on Raspberry Pi, one is rock solid the other sometimes break with updates
I think we’re broadly in agreement here, and I think both our statements are important to the Linux discussion. Moreover, we’re not speaking privately - I wish I could direct recent converts from Windows to this thread as a whole, as you offer good advice - be wary of your sources & learning how to inspect gifts you’re offered is excellent advice.
That’s why you shouldn’t blindly trust AUR, and always review the scripts before installing.
But something needs to change:
This won’t stop here, more malware packages will appear, arch and Linux in general is getting more users and becoming a target, not only ArchLinux AUR but also other distros with custom repositories. Many users install packages from custom repositories blindly, or follow guides without any knowledge what they do.
2025 is the year of malware on Linux
Why does anything need to change? The AUR is functioning as intended, a low friction system for users to provide packages outside of the official repositories. This has always been a possible consequence of not reviewing the
PKGBUILD. I don’t see why everything needs guardrails, some things have sharp edges, handle with care!Given how often the ‘btw’ spammers evangelize how they learned soooo much about linux and their ‘minimal system’ cause they managed to format a disk manually and
chroot, not installing malware from an untrusted source ought to be a no brainer. Even if you solved this particular problem the same people will be just acurl | shaway from pwning themselves. Should we start requiring forced auth to pipe?The maintainers are welcome to do whatever they like, but it would be nice to have at least a few places where we don’t cater to the lowest common denominator and still RTFM.
Just the case of the packages being removed only a few hours after been published just makes my point of “trusted users” reviewing and reporting then.
And is not only an archlinux/AUR problem, the same happens with python pip, npm, dockerhub, github… With bigger popularity, bigger the target.
These days after the success of Steamdeck many users switched to Linux, and many of those started using arch or based distros like EndeavourOS because some one on reddit, YouTube or other said is the best for new hardware and you can find everything you need on AUR.
New users won’t review scripts or PKGBUILD, that’s gibberish, just search and install, and a few hours could be too late for some.
I don’t care if Linux loses or gains popularity, but if there’s no guard rails of some kind of control things could get worse, and even end AUR as it is now.
Having people control what’s published or not, probably not the best solution, but leaving it as a wild west also not
This is absolutely a shortcoming of Arch - but I don’t see it getting fixed soon. Your change is practical, and could reduce the attack surface for bad actors, but it also introduces gatekeeping and would slow down time from code change to deployment. The open community and blazing fast end-to-end turnaround are both Arch key features (in my opinion).
If you prefer more vetted code, there’s other great distros (Debian leaps to mind).
But honestly - yes, some people got hurt - but it was addressed in a day. That’s not a bad turnaround ~ I’ve certainly seen that damage wrought by Windows- and iOS-based malware run at least that long.
This can be seen as the system working as intended. Please don’t run Arch on mission critical systems. There’s other distros for that. While this vulnerability is Arch-specific, this OS is often a canary for others. But if you can tolerate being on the frontier, Arch is very well documented and is great for learning - and yes it has some risk.
Arch also warns uses about AUR, use at at your own risk, and can break your system.
My approach isn’t definitely not the best solution, I was saying this is only the beginning, and with other arch based distros also using AUR only gets worse, if there’s any moderation and some kind of package control before publishing then when thins get real bad maybe too late and arch starts loosing users.
Now is just some packages, later could be some popular package take overs or some kinda spoofing of other packages.
I use arch BTW (since 2011), and
DebianArmbian on Raspberry Pi, one is rock solid the other sometimes break with updatesI think we’re broadly in agreement here, and I think both our statements are important to the Linux discussion. Moreover, we’re not speaking privately - I wish I could direct recent converts from Windows to this thread as a whole, as you offer good advice - be wary of your sources & learning how to inspect gifts you’re offered is excellent advice.