this post was submitted on 12 Jun 2026
216 points (99.5% liked)
Linux
the diff is noise in the potentially big update log. the point of doing it manually is forcing you to take your time and verify stuff one by one. also pkgbuild is just one place, seeing the hash changed means nothing if you don't check what that archive contains, or seeing the install steps don't change means very little when the installer invokes other scripts anyway
i understand that you aren't going to vet the source itself, but at that point you are exposing yourself to this kind of malware without mitigation. the aur is unsafe by design (fast way to publish a package without any involvement from anyone else) and should be avoided whenever possible. i'm not an arch hater, i too run arch
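
A static first pass over the places the comment above names (sources without a pinned checksum, the install hook, commands that pull in other code), as an added example that is not part of the original comment. It reads the PKGBUILD as text and never sources it; the package data is constructed, and `review_points`, `bash_array` and the command list are assumptions of this example.

```python
import re
import shlex

SUM_KEYS = ("b2sums", "sha512sums", "sha256sums", "sha1sums", "md5sums")
# Commands that bring in or run code which a PKGBUILD diff alone never shows.
INDIRECT = re.compile(r"\b(curl|wget|git\s+clone|npm\s+install|pip3?\s+install"
                      r"|eval|base64\s+-d|(?:ba)?sh\s+-c|python3?\s+-c)\b")

def bash_array(text, name):
    """Entries of a `name=(...)` array, parsed as text; the file is never sourced."""
    m = re.search(rf"^\s*{name}=\((.*?)\)", text, re.S | re.M)
    if not m:
        return []
    body = re.sub(r"^\s*#.*$", "", m.group(1), flags=re.M)  # drop comment lines
    return shlex.split(body)

def review_points(pkgbuild, install_script=None):
    """Return (kind, detail) pairs that still need a human to look at them."""
    points = []
    sums = next((a for a in (bash_array(pkgbuild, k) for k in SUM_KEYS) if a), [])
    for i, src in enumerate(bash_array(pkgbuild, "source")):
        url = src.split("::", 1)[-1]          # strip the "name::" rename prefix
        if i >= len(sums) or sums[i] == "SKIP":
            points.append(("no-checksum", url))
    hook = re.search(r"^\s*install=['\"]?([^\s'\"]+)", pkgbuild, re.M)
    if hook and install_script is None:       # hook exists but was not supplied
        points.append(("install-script-unread", hook.group(1)))
    for label, text in (("PKGBUILD", pkgbuild), ("install", install_script or "")):
        for n, line in enumerate(text.splitlines(), 1):
            if INDIRECT.search(line.split("#", 1)[0]):
                points.append(("indirect-code", f"{label}:{n}: {line.strip()}"))
    return points

# Constructed sample, not a real package; the checksum is a placeholder.
SAMPLE = '''\
pkgname=example-tool
pkgver=1.0
source=("$pkgname-$pkgver.tar.gz::https://example.org/example-tool-1.0.tar.gz"
        "helper::git+https://example.org/helper.git")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000' 'SKIP')
install=example-tool.install
package() {
  python -c "import setup_helper"
}
'''

if __name__ == "__main__":
    for kind, detail in review_points(SAMPLE):
        print(f"{kind:22} {detail}")
```

An empty result only means none of these patterns matched; the archive contents and any script it ships still have to be read.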