this post was submitted on 12 Jun 2026
216 points (99.5% liked)

Linux

13955 readers
583 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 3 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
216
Arch Linux AUR Malware Campaign Hits Multiple User-Contributed Packages (linuxiac.com)
submitted 1 day ago by cm0002@lemy.lol to c/linux@programming.dev
63 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Feyd@programming.dev 45 points 23 hours ago (2 children)

The AUR is kind of a trap. It can be useful but it has the warnings it has for a reason. Maintainers are not vetted so you depend on them both to be benevolent and competent and neither are reliable.

No one should really use it without taking the time to understand pkgbuild but you have people recommending AUR helpers like yay and tying AUR updates to regular system updates which is a terrible idea

[–] victorz@lemmy.world 7 points 20 hours ago

paru always shows you the diff of the PKGBUILD on upgrade, so no need to worry about adding it to an alias that does both.

In fact, just running paru is the same as running

pacman -Syu
paru -Sau

At the end I review the PKGBUILDs and make sure everything looks reasonable. Usually it's just new source hashes, but not every time.

[–] somegeek@programming.dev 2 points 22 hours ago (1 children)

What do you mean by "tying AUR updates to system updates" ?

[–] RepleteLocum@lemmy.blahaj.zone 8 points 22 hours ago (1 children)

As in updating the AUR when you update your system packages, which come from known sources.

[–] hoppolito@mander.xyz 8 points 21 hours ago* (last edited 21 hours ago) (3 children)

And just to be very explicit why this is an issue: each time the package is upgraded through an automated update, the PKGBUILD may change (e.g. to adapt to different dependencies, file structure, etc introduced with new app version).

That also means an AUR maintainer can smuggle in malware with any of those updates, even if you checked the original PKGBUiLD when you installed. And, anyone can request taking over maintenance for unmaintained packages, so it can even happen if the original maintainer was benevolent.

Always check PKGBUILD files on upgrade, even if just a glance. If I remember correctly yay had a function to always show you PKGBUILD diffs before updates, not sure if that was automatically enabled.

[–] brucethemoose@lemmy.world 2 points 5 hours ago* (last edited 5 hours ago)

Paru shows them by default, and it’s basically impossible to disable.

It is a little too easy to skip past it, though.

[–] jcarax@beehaw.org 1 points 6 hours ago

Yeah, it's never sat very well with me. I've gone through cycles where I'll use a good bit of AUR, to none at all. I had been using a handful of things, but realized that almost all of it was Python stuff that I could more safely install with pip or uv, so I've migrated all of that. The one thing left is Manuskript, and it hardly gets updates anyway.

[–] victorz@lemmy.world 7 points 20 hours ago

Paru shows you the diffs by default.

I just run paru when I do system upgrades. Very convenient to have one command doing everything in a somewhat safe way.

Of course, inspecting the PKGBUILDs still doesn't protect us from having the actual software repositories compromised. Just because only the source hash changed doesn't mean the software doesn't have malware now.

That's where I draw the line regarding trust. I don't feel like going into to each release of each AUR package I have installed to check code to see if malware was injected. 😅