- cross-posted to:
- linux@programming.dev
- cross-posted to:
- linux@programming.dev
You must log in or # to comment.
Where at “I use Arch btw” now?
At least some level of human review is going to be needed.
So… completely negating the point of a User Repository??? Introduce some kind of authoritative oversight, and it’s essentially just another regular repository, erasing all the benefits of the AUR. The whole point of the distro slapping a huge disclaimer of “DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.” at the top of the homepage is because these kind of compromises are the trade-off one makes
Anyone can publish his PKGBUILD script on their codeberg or github page.
What an annoyingly uninformative title. Better title: a lot more compromised AUR packages have been found since our last update.
“A lot worse” is intentionally vague to get people to click.
I think I’d be satisfied with just not allowing people to take over orphaned packages. That seems like a glaring attack vector and closing it would not harm the AUR in any way.
And yea, arch (and its derivatives) probably should not shop with AUR helpers pre installed.
arch doesn’t ship an aur helper pre installed. It’s the derivates leeching the arch aur infrastructure and preinstalling aur helpers suggesting it’s safe to use as is
Me, a Debian user, watching that shitshow 😎
Upside to Debian! Never have to worry about shit like this. Downside to Debian, you have to use Debian.
I use Ubuntu. Have slapped on a really pretty material theme. A couple of blur extensions. A cute furry wallpaper. Never felt the need to switch to anything else.
Nothing says “socialist vibes” like gloating over other Linux users
Using Linux is not a dick measuring contest (and man I hate these threads asking “why is your distro the best?” - it feels like trolling and sowing division and grief to me. A bit like asking a mother “What is your favorite child?”.)
But apart from that, I think we can all agree that security of AUR packages is no good enough, and that this deficit is by design.
Or all the Arch users, who finish their comments with the iconic „oh, I use Arch btw”. Like a medal. Loool!
Huh, you really feel schadenfreude over another reputable project being hit by/having to deal with malware? And all the people who might be affected by it?
That is not something that would ever cross my mind.
I mean, but this is arch.
And?
Debian users should receive their news 6-12 months after everyone else, change my mind
/s
Some people likes tested and stable software. It’s weird.
Out of date and stable software you mean.
Honestly, not even stable. Just arbitrarily frozen. Oftentimes with later releases having bugfixes that the user won’t see for another few years.
That’s optimistically quick
Sincerely,
A Debian user
Should? Don’t you mean already do?
AUR has never been a good idea. I don’t use it and this news proved me right.
Does that mean a distro official package manager would be immune to infections? Of course not, but they do offer a more secure distribution system and build greater trust. Minimizing the chance of malware being spread through their means.
Edit: If you have the knowledge and time to inspect the AUR packages you install, AUR might be good for you. I have none of these, that’s why I stick to my official distro packages (and sometimes also some flatpak but from official sources)
It’s just a repository of user-contributed packages. It’s no different malware-ability-wise to, say, GitHub. If you are running code you found from a stranger on the internet then you are liable for it, and you need to do your due diligence in checking that you are not running malware. It is a good thing that the AUR exists because it means Arch user packages are all in one centralised repository instead of scattered across GitHub, Sourceforge, Codeberg, Pastebin, forums, whatever. If you are just installing random AUR packages then that’s on you. It’s basic internet safety to not automatically trust random scripts you find on the internet.
I never said that GitHub was better. I just don’t feel like using a package maintained by a stranger with no tied to neither the software I want to install nor the distribution packages repository.
Of course installing random code from stranger is never great advice regardless of the distribution source. But AUR is simply not for me, and many users don’t understand the risk or let’s say responsabilities it involves while installing packages from that source.
I never said that GitHub was better.
It is arguably harder to take over a package from github or Codeberg.
You could also serve your PKGBUILD from a Gemini server (the Gemini small-web protocol, not the Google AI which is really easy to administer and secure), and sign it with a PGP key. That would be about as secure without depending on a huge US American company.
AUR has never been a good idea. I don’t use it and this news proved me right.
But is Arch sufficiently complete without AUR packages? It is being criticized - and rightly so - that the magnificient Arch Wiki is full of references to AUR packages. That could in fact mislead new users.
I am an happy Arch user, since about ten years… But I use it differently. I am running Debian stable on the hardware, which has all the drivers I need (after getting rid of NVidia graphics, which was just a mistake to buy). I use Debian for my work / office / productivity system, to read email, and so on.
But for some stuff, I need newer software: For trying out new features or libraries (I am a developer). For testing out new window managers. Leisure programming. And so on. I use Arch for this. After a few years of dual booting (which caused occasional breakage), I settled on running Arch in a VM. Which works fine for me.
And the last shift I am experiencing is that I use more and more the Guix package manager. The reason for this is that when one tries out a lot of things, and does only system upgrades for many years (which means not doing a reinstall, but replacing the oldstable packages with the newer stable packages), the system becomes a bit untidy over time. Old packages, scripts, and configurations accumulate, and it is hard to get rid of it without breaking things, because one just cannot delete everything one does not remember what it was needed for. And there is so much stuff in software that, after all, turns out to be not such a good idea. Yes, a fresh OS install leaves a tidy system, but it would cost a few days. (By the way, accumulating cruft in the long term is also somewhat of an disadvantage of rolling release distros.)
Now, Guix solves that, because I have a temporary, deterministic environment for every programming project (just like a Python venv). And by this way, stuff does not contaminate the base system, and is garbage collected when it is not used any more.
And, Guix has quite recent packages, similar to Arch.
Now I use Arch less and less.
Is Guix the GNU approach to NixOS?
So if nixos is the new I use arch btw is guix the new I use nixos btw?
Lol
Yes! And everything is based on hashed source code - this guarantees long-term reproducibility, avoids vendor-lock-in with proprietary binaries and drivers (and that’s why some companies hate it), but above all makes much easier to inspect what is in a package.
Interesting, unfortunately I still rely on proprietary binaries but I could try it on a secondary device. Reproducibility is one of the reason I chose to learn NixOS.
The issue with Arch is that they have like no packages at all. You’re more or less forced to use the AUR. Which is not something I would recommend to anyone. Which is also why I don’t recommend Arch to anyone. :D
Unless something changed in a big way in the last few years, that’s not really true. When I was running arch, I had maybe a dozen AUR packages installed, none of which I would consider essential. And yes: I was one of those weirdos who would actually take a good look at the pkgbuild diff before installing an update.
Minimizing the chance of malware being spread through their means.
Right. And there is another angle to that: It is far easier to turn an ecosystem into a breeding ground for malware, than to get rid of it again. Once a system has a reputation to be easily hackable, it attracts malware like spoiled meat attracts flies.
TLDR: Open package repositories without some approval and oversight system, like AUR, will have even more problems in the future due to advanced coding AI and malicious
foreignhackers.Edit: Please normalize TLDR’s on bot posts with just a link.
Edit 2: I have been rightfully informed that this is not a bot post. I still think links should not be posted without a tiny abstract, one might say: a TLDR.
I have also been informed that the text does not spell out “foreign”. This is correct. The text does say
Not all of the packaging issues are as bad as the initial wave of trying to steal credentials, some are just adding ridiculous messages in Russian.
This implies but does not establish the nationality of attackers. While Arch has contributors from all over the world, it is commonly cited as being a Canadian distribution (example, see below). https://distrowatch.com/table-mobile.php?distribution=arch
AUR is still working as intended. It’s basically a public wiki of shell scripts, it was never intended to be secure in the first place. It has always been the user’s responsibility to review everything or avoid using it.
“Foreign hackers”
Foreign to who?
The article never said “foreign”, you made that up.
I guess if youre not from the US theyre “foreign”
I remember the good ole days when nobody cared enough about Linux to spread malware to it. Sigh. All these techbros that need to j their d to their power trips, dystopian surveillance, and shitty AI companies have probably started this. I even noticed a Linux hate sub on Lemmy. Imagine there being enough people forced to use Linux to create a hate community where they favor Microslop. Such strange times we live in.
Time to GNU/BSD become a thing
OP is not a bot
Then they should’ve included a short TLDR even harder
No, normalize forcing users to click the link and read the full text.
It’s a very short text
The command
pacman -Qmwill display every package from the AUR on your system. You can then search the list of compromised packages.To be clear, -Qm displays installed packages not currently in the repositories. This will include AUR packages, but I avoid the AUR (except for davmail years ago) every once in a while I’ll run it just to check and sometimes it finds packages.
When you install things from the main repos the dependencies get installed too, and if those dependencies are no longer needed they’ll be removed from the repositories. (I also have a bad habit of forgetting --asdeps when installing optional dependencies.) Sometimes they’ll conflict with a new dependency and pacman will ask to remove and replace them, but other times the functionality has become a part of an existing package, so with no conflict to prompt removal they’ll just sit unused on your install. If you haven’t tried -Qm in a long while you’ll probably find a few harmless currently-unused packages that were installed through the normal repos. (-Qdt will cover the other cases where dependencies remain in the repos but are now only needed for packages you don’t have installed.)
Obviously -Qm will also show removed packages that aren’t dependencies, a few years back my preferred pdf viewer was removed from the repositories.
-Qm will also find manually installed packages that aren’t in the AUR if you ever do that.
And don’t forget that a system compromise means you need to re-install all in order to re-gain control of your system. Without the malware of course.
Edit: I see downvotes… Some people don’t seem to understand why running malware permanently destroys a system’s integrity. I do not have more time today - can somebody explain for me why?
You can then search the list of compromised packages.
Or just uninstall all AUR packages, instead of waiting for your ones to appear on that list, and having to re-install your full system to ensure its integrity.
Here are some scripts that can help too
(Edit: apparently i need to say to read and understand what these scripts are doing before running them. If you don’t understand what you’re running then don’t run them) https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14
You suggest people to run more untrusted code in order to fix malware from untrusted code?
Is this a joke?
I haven’t checked the scripts from OP, but i think there is a script that is provided by the CachyOS team that basically just contains a list of compromised packages and compares that to your pacman -Qm output. If it finds a match, it tells you that the compromized package X is on your system. That seems pretty reasonable.
I get your point and as always, you should check the source of the script as well as the code inside of it. Never installing anything outside of official OS repositories is probably not an option for most people. There are always pros and cons. Like in my example maybe some OS maintainers know more about the affected packages than I do with a quick search. On the other hand, the script might be outdated because the number of packages changed a lot over the last few days.
but i think there is a script that is provided by the CachyOS team that basically just contains a list of compromised packages and compares that to your pacman -Qm output.
So, the CachyOS maintainers suggest running untrusted code?
Noice. I don’t need to know more.
They are the source of the code… They are a trusted source so the code… Is trustable code.
How are you this fucking stupid. Or do you think the cachy team is a bunch of bad actors? At which point HOW ARE YOU THIS STUPID?!
In which way is it untrusted? If you use CachyOS, you use their binaries, that could contain anything at all inside of them. Do you draw the line at a shelll script you can read yourself?
You can just check it and it wouldn’t be untrusted anymore…
You could inspect the script, it should be a one line shell command
I don’t use CachyOS nor do I know anything about their team and I haven’t used the script either. My point was just that I would trust OS maintainers more than some random guy on the internet.
I have checked again and it seems the script I was referring to was actually from a mod on their community forum. Not sure if this is a maintainer as well or not.
My point still stands, if you trust the source and checked the code that nothing shady is going on, it is perfectly fine to run a script. Even if it is just an additional check after you cleaned it manually. Maybe you have missed something.
You are right that the distribution as it provides binary code is a trust root. If you can’t trust them, you have nothing to stand on.
I had the impression that CachyOS suggests to use AUR packages - maybe I am wrong here?
And if CachyOS is (what I am just assuming) geared towards less technical users, can you really expect their average user to examine shell scripts from a forum post?
How do their users even know that the post and its author is legitimate? Are they supposed to check PGP keys?
You can call that paranoid but there is a reason why distributions use packkage signing, publish webs of trust, and why the Guix developers even worked hard to reduce the binary bootstrapping code for the distro down to 512 bytes - it is a consequence of the “trusting trust” problem posed by Ken Thompson that the more stuff is opaque, the more trust is needed.
I have no idea about the stance of CachyOS on AUR packages.
I totally agree with you, establishing trust is not an easy problem. I don’t expect the average joe to understand shell scripts. I would put myself in that categorie as well. This one however was simple enough that it seemed okay to me. If I don’t understand what’s going on in a script I am really careful and try to avoid it, if possible. I still wouldn’t consider them universally bad. For some things it is even the recommended install option. I vaguely remember some things in the Raspberry Pi universe ( IIRC this was even the case for Docker in the past).
There are multiple factors which can lead to trust. Maybe you know the CachyOS forum and how well it is maintained. How old is the account etc… But as you said, there are always risks. The account could be compromized as well. But most of that isn’t specific to shell scripts or Linux in general. You shouldn’t install an application from some shady website in Windows either.
What is your recommended way to deal with the current situation?
Is it best to uninstall all the supporting files too. Semes like there is an option to do that.
I had more aur packages than I thought but none in the list. Is this just known ones and there could be more?
Of course. A compromised package can’t be on the list if it’s unknown. Hopefully not, but there’s still a possibility
But why? Arch isn’t a server distro and their users usually know how to keep their secrets save. A FUD campaign?
Sometimes it’s as simple as “because they can”.
They can do this so they did. Its likely no deeper then that.
I kinda doubt that people who think AUR is a good idea are good at keeping their credentials secure.
Then you also think the whole bunch of source-based distros (LFS, Gentoo) is a bad idea?
AUR is community-maintained packages intentionally designed to shift security responsibility to users. Without pre-installation vetting, meaning anyone can submit anything on there, making it perfect for malware distribution.
Of course all code is visible for inspection, community voting exists, and malicious packages can be reported and removed which limit malicious action.
But now we have LLM that can generate (and distribute) malware and do pretty good code obfuscation so I am not convinced by this model. Honestly I never felt comfortable using AUR (so I avoid it) because I’m not technical enough to review all the code my machine runs.
No, I don’t think those share AURs glaring security problems.
Is the Chaotic-AUR a viable alternative? As I understand, there is some level of review.
