We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository.

We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed. While this is happening, and while we work to create a more permanent solution, users may see issues with the following:

  • Creating new accounts on the AUR
  • Pushing package updates
  • Adopting or creating new packages

We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time. If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information.
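A helper for the review step the announcement asks for, added here as an example (it is not code from the Arch announcement or from the AUR tooling): it compares two revisions of a PKGBUILD with awk instead of sourcing them, since sourcing an untrusted PKGBUILD executes whatever it contains, and reports which security-relevant fields and packaging functions changed. The file paths and the heuristics at the end are assumptions.

```shell
# Added review helper (not from the Arch announcement). Assumed usage:
#   pkgbuild_review_diff PKGBUILD.old PKGBUILD.new   (paths are assumptions)

# Print one top-level field (scalar `key=v` or array `key=( ... )`, possibly multi-line),
# including arch-specific variants such as source_x86_64. Never sources the file.
pkgbuild_field() {  # $1 = PKGBUILD path, $2 = key name
  awk -v key="$2" '
    !inside && $0 ~ ("^[ \t]*" key "(_[a-z0-9_]+)?=") { inside = 1; depth = 0 }
    inside {
      print
      depth += gsub(/\(/, "(") - gsub(/\)/, ")")   # track array parentheses across lines
      if (depth <= 0) inside = 0
    }' "$1"
}
# Print the body of a packaging function (prepare/build/check/package, incl. package_*).
pkgbuild_func() {  # $1 = PKGBUILD path, $2 = function name
  awk -v fn="$2" '
    !inside && $0 ~ ("^[ \t]*" fn "(_[A-Za-z0-9_-]+)?[ \t]*\\(\\)") { inside = 1; depth = 0 }
    inside {
      print
      if ($0 ~ /\{/) opened = 1
      depth += gsub(/\{/, "{") - gsub(/\}/, "}")  # track braces across lines
      if (opened && depth <= 0) { inside = 0; opened = 0 }
    }' "$1"
}
# Report which fields and functions differ between OLD and NEW; returns 1 if anything changed.
pkgbuild_review_diff() {  # $1 = old PKGBUILD, $2 = new PKGBUILD
  local old="$1" new="$2" key changed=0
  for key in pkgver pkgrel url install validpgpkeys source md5sums sha1sums sha256sums sha512sums b2sums; do
    if [ "$(pkgbuild_field "$old" "$key")" != "$(pkgbuild_field "$new" "$key")" ]; then
      echo "FIELD CHANGED: $key"; changed=1
    fi
  done
  for key in prepare build check package; do
    if [ "$(pkgbuild_func "$old" "$key")" != "$(pkgbuild_func "$new" "$key")" ]; then
      echo "FUNCTION CHANGED: $key()"; changed=1
    fi
  done
  # Heuristics (assumed, not AUR policy) for the cases a reviewer should read most carefully.
  if [ "$(pkgbuild_field "$old" source)" != "$(pkgbuild_field "$new" source)" ] &&
     [ "$(pkgbuild_field "$old" pkgver)" = "$(pkgbuild_field "$new" pkgver)" ]; then
    echo "WARNING: source changed without a pkgver bump; verify every new URL and checksum"
  fi
  if [ -z "$(pkgbuild_field "$old" install)" ] && [ -n "$(pkgbuild_field "$new" install)" ]; then
    echo "WARNING: an install script was added; review that .install file as well"
  fi
  return "$changed"
}
```

The report tells you where to look; the line-level view still comes from `git diff` (or `diff -u`) on the package's git clone, and any `.install` file or patch added alongside the PKGBUILD needs the same reading.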

  • red_giant [comrade/them, he/him]@hexbear.net · 6 points · 3 days ago (edited)

    Review costs money and is slow, meaning vulnerabilities that already exist persist for longer before being patched.

    This is a real double-edged sword for open source. FOSS as a software supply chain relies on trust and identity.

    Review doesn’t fix this problem. You can increase security of incoming code at the expense of decreasing security of existing code by virtue of slowing down the response-time to existing security threats. The social architecture of code distribution is the vulnerability here.

    Ultimately, Arch can’t take ownership of all the code that is possible to install on Arch.

    AUR makes it clear that packages there are not vetted. You’re trusting the developer and the developer’s security practices.

    • chgxvjh [he/him, comrade/them]@hexbear.net · 2 points · 3 days ago

      Supply chain attacks are a bigger risk than slightly slower patches.

      Of course the reviews would need to be a community process. Might not be a big difference to the regular arch repo then. I think shutting down AUR is a legit option worth exploring.

      • red_giant [comrade/them, he/him]@hexbear.net · 5 points · 3 days ago (edited)

        Shutting down AUR is a legit option for sure, but it’s not convincing that it would solve much.

        You can always just not install packages from AUR if you’d prefer to be immune to the threat.

        Debian is beginning to enforce reproducible builds which is a great step. Requiring source repos to use signed commits would be another.

        Supply chain attacks are not a problem that can be erased, but the idea that I cannot install a patch for a critical vulnerability because I’m waiting for community review seems extreme as well. And who is to say that community review is immune to hijacking anyway?

        If you want professionally vetted code and you also want a library of installable packages then really you want Mac OS and the Mac App Store.