Oh dear, the situation with the Arch Linux AUR got a fair bit worse since GamingOnLinux initially covered the malicious packages.
  • communism@lemmy.ml
    28·
    4 days ago

    What an annoyingly uninformative title. Better title: a lot more compromised AUR packages have been found since our last update.

    “A lot worse” is intentionally vague to get people to click.

    • iocase@lemmy.zip
      1·
      2 days ago

      Vagueposting clickbait? On the internet!? For views and clicks!?! The website is AIDS it’s so full of ads!?

  • GaumBeist@lemmy.ml
    14·
    4 days ago

    At least some level of human review is going to be needed.

    So… completely negating the point of a User Repository??? Introduce some kind of authoritative oversight, and it’s essentially just another regular repository, erasing all the benefits of the AUR. The whole point of the distro slapping a huge disclaimer of “DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.” at the top of the homepage is because these kind of compromises are the trade-off one makes

  • tired_fedora@lemmy.ml
    887·
    4 days ago

    TLDR: Open package repositories without some approval and oversight system, like AUR, will have even more problems in the future due to advanced coding AI and malicious foreign hackers.

    Edit: Please normalize TLDR’s on bot posts with just a link.

    Edit 2: I have been rightfully informed that this is not a bot post. I still think links should not be posted without a tiny abstract, one might say: a TLDR.

    I have also been informed that the text does not spell out “foreign”. This is correct. The text does say

    Not all of the packaging issues are as bad as the initial wave of trying to steal credentials, some are just adding ridiculous messages in Russian.

    This implies but does not establish the nationality of attackers. While Arch has contributors from all over the world, it is commonly cited as being a Canadian distribution (example, see below). https://distrowatch.com/table-mobile.php?distribution=arch

  • VirtuePacket@lemmy.zip
    121·
    3 days ago

    I think I’d be satisfied with just not allowing people to take over orphaned packages. That seems like a glaring attack vector and closing it would not harm the AUR in any way.

    And yea, arch (and its derivatives) probably should not ship with AUR helpers pre-installed.

    • f3nyx@lemmy.ml
      131·
      4 days ago

      Debian users should receive their news 6-12 months after everyone else, change my mind

      /s

    • DasSkelett@discuss.tchncs.de
      92·
      3 days ago

      Huh, you really feel schadenfreude over another reputable project being hit by/having to deal with malware? And all the people who might be affected by it?

      That is not something that would ever cross my mind.

    • SocialistVibes01@lemmy.ml
      41·
      3 days ago

      Whoa, this is blowing up. Chill, guys. I really think that sucks. If anything, with Arch being bleeding edge and all of that, at least you’re showing early the tough wake up the other distros will have to do in relation to malware after Linux’ increasing popularity. Time to brush those SELinux and apparmor bits, even.

      But, now, we Debian users are okay, (btw, 😎).

    • myszka@lemmy.ml
      31·
      3 days ago

      Me, a NixOS user, watching folks fighting over a bunch of legacy distros 😎😎😎

    • Holytimes@sh.itjust.works
      42·
      3 days ago

      Upside to Debian! Never have to worry about shit like this. Downside to Debian, you have to use Debian.

      • The Ramen Dutchman@ttrpg.network
        1·
        2 days ago

        More like: Upside to Debian, you never have to worry about the latest malware and bugs! Downside to Debian, you have to use yesterday’s everything…

        • limelight79@lemmy.world
          2·
          1 day ago

          I use Debian for everything, and the only thing I’ve updated to the current (non Debian distribution) version is Docker, which I use for a game. But this isn’t a problem, because it’s Debian, so the Docker people make packages for several recent Debian releases.

          I don’t miss the bleeding edge. That issue a while back where someone infiltrated a basic library didn’t affect me. The software I use might have bugs (what software doesn’t?), but by the time I get it, it has been well tested for security issues.

          I’m pretty happy with my switch to Debian. I’ll admit I’m curious about Bazzite for my gaming computer, but even then, it’s like, “Why? Debian is doing just fine.”

          But I’m not laughing at anyone. This is a scary new variety of attacks we’re seeing, and there’s no real reason one couldn’t end up in my computer. Reminds me of the old one where someone slipped a backdoor into a compiler.

      • wraekscadu@vargar.org
        21·
        3 days ago

        I use Ubuntu. Have slapped on a really pretty material theme. A couple of blur extensions. A cute furry wallpaper. Never felt the need to switch to anything else.

    • Christian@lemmy.mlEnglish
      3·
      4 days ago

      To be clear, -Qm displays installed packages not currently in the repositories. This will include AUR packages, but I avoid the AUR (except for davmail years ago) every once in a while I’ll run it just to check and sometimes it finds packages.

      When you install things from the main repos the dependencies get installed too, and if those dependencies are no longer needed they’ll be removed from the repositories. (I also have a bad habit of forgetting --asdeps when installing optional dependencies.) Sometimes they’ll conflict with a new dependency and pacman will ask to remove and replace them, but other times the functionality has become a part of an existing package, so with no conflict to prompt removal they’ll just sit unused on your install. If you haven’t tried -Qm in a long while you’ll probably find a few harmless currently-unused packages that were installed through the normal repos. (-Qdt will cover the other cases where dependencies remain in the repos but are now only needed for packages you don’t have installed.)

      Obviously -Qm will also show removed packages that aren’t dependencies, a few years back my preferred pdf viewer was removed from the repositories.

      -Qm will also find manually installed packages that aren’t in the AUR if you ever do that.

    • Grass@sh.itjust.works
      1·
      4 days ago

      I had more aur packages than I thought but none in the list. Is this just known ones and there could be more?

      • bless@lemmy.ml
        2·
        4 days ago

        Of course. A compromised package can’t be on the list if it’s unknown. Hopefully not, but there’s still a possibility

  • Sonalder@lemmy.ml
    154·
    4 days ago

    AUR has never been a good idea. I don’t use it and this news proved me right.

    Does that mean a distro official package manager would be immune to infections? Of course not, but they do offer a more secure distribution system and build greater trust. Minimizing the chance of malware being spread through their means.

    Edit: If you have the knowledge and time to inspect the AUR packages you install, AUR might be good for you. I have none of these, that’s why I stick to my official distro packages (and sometimes also some flatpak but from official sources)

    • communism@lemmy.ml
      13·
      4 days ago

      It’s just a repository of user-contributed packages. It’s no different malware-ability-wise to, say, GitHub. If you are running code you found from a stranger on the internet then you are liable for it, and you need to do your due diligence in checking that you are not running malware. It is a good thing that the AUR exists because it means Arch user packages are all in one centralised repository instead of scattered across GitHub, Sourceforge, Codeberg, Pastebin, forums, whatever. If you are just installing random AUR packages then that’s on you. It’s basic internet safety to not automatically trust random scripts you find on the internet.

      • Sonalder@lemmy.ml
        1·
        4 days ago

        I never said that GitHub was better. I just don’t feel like using a package maintained by a stranger with no tied to neither the software I want to install nor the distribution packages repository.

        Of course installing random code from stranger is never great advice regardless of the distribution source. But AUR is simply not for me, and many users don’t understand the risk or let’s say responsabilities it involves while installing packages from that source.

        • communism@lemmy.ml
          2·
          3 days ago

          I agree about the risks in terms of the way some sources present the AUR as just extra packages. But I don’t think you can object to the AUR more than any other place on the internet where anyone can upload software; unfortunately, the onus is going to be on the user to verify what they install. The AUR is moderated by volunteers and it wouldn’t be fair to expect them to vet all of the high volume of commits to the AUR. Possibly they could vet new maintainers or new packages or newly adopted packages, but nothing would stop someone from initially uploading a genuine package and then replacing it with something malicious. Or they could require identity verification to be an AUR maintainer but then far fewer genuine packages would be on there because people don’t want to give their real identity to contribute (I maintain some AUR packages, and would stop if required to verify my IRL identity).

          I can totally understand if the AUR is not for you; it’s more time-consuming as you have to read PKGBUILDs (I always do). But that doesn’t make it bad that it exists at all. I think there should be more warnings about it for new users, and possibly some more moderation, though like I said above there’s no perfect moderation solution that would simultaneously forgo users’ responsibility to check and keep the AUR as large as it is today. Ultimately the option should still exist for users who want it. If it didn’t exist, I’d have to hand-package every program that’s not in the official repos, and that’s even more time-consuming than pulling and reading through a PKGBUILD that someone else already wrote and shared.

    • fxdave@lemmy.ml
      13·
      3 days ago

      I use arch btw, it’s only effecting the arch user repository, which lives separately from the maintained repositories, it’s not even possible to download stuff from there with pacman. Really it’s just a community space, I also have packages there. You can download pre-packaged apps, so if you install them, you will be able to remove them with pacman. I think it’s a great concept.

      it’s like a forum where some jerk writes “use ‘sudo rm -rf /’ to speed up the computer”. Except you don’t have to read it to execute their plan.

      Flathub is also concerning btw. But at least those apps are containers (with too much permissions)

  • MonkderVierte@lemmy.zip
    4·
    4 days ago

    But why? Arch isn’t a server distro and their users usually know how to keep their secrets save. A FUD campaign?

    • Holytimes@sh.itjust.works
      2·
      3 days ago

      Sometimes it’s as simple as “because they can”.

      They can do this so they did. Its likely no deeper then that.

        • Sonalder@lemmy.ml
          6·
          4 days ago

          AUR is community-maintained packages intentionally designed to shift security responsibility to users. Without pre-installation vetting, meaning anyone can submit anything on there, making it perfect for malware distribution.

          Of course all code is visible for inspection, community voting exists, and malicious packages can be reported and removed which limit malicious action.

          But now we have LLM that can generate (and distribute) malware and do pretty good code obfuscation so I am not convinced by this model. Honestly I never felt comfortable using AUR (so I avoid it) because I’m not technical enough to review all the code my machine runs.