We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository.

We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed. While this is happening, and while we work to create a more permanent solution, users may see issues with the following:

  • Creating new accounts on the AUR
  • Pushing package updates
  • Adopting or creating new packages

We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time. If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information.
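The advice to review PKGBUILD and install script changes before updating can be partly automated as a triage step. What follows is an added example, not Arch's announcement text and not AUR or makepkg tooling: it compares two versions of a PKGBUILD (both constructed here for a fictional package, with placeholder hostnames and checksums) and flags the changes a reviewer should read first: new source entries, checksums switched to SKIP, an install script appearing or changing, and lines added to or functions removed from the packaging functions. The parsing is a deliberately simplified regex treatment of the common literal PKGBUILD forms rather than a bash interpreter, so anything it does not recognise still has to be read in the actual `git diff` of the AUR clone.

```python
"""Triage helper for reviewing a PKGBUILD update before running makepkg.

Added example, not part of the Arch announcement or of any AUR tooling.
The parser is a simplified regex treatment of common PKGBUILD forms
(top-level arrays/scalars, functions with the closing brace at column 0);
it is a first pass, not a replacement for reading the full diff.
"""
import re

# Top-level `name=(item item ...)` arrays, possibly spanning several lines.
ARRAY_RE = re.compile(r'^([A-Za-z_]\w*)=\((.*?)\)', re.M | re.S)
# Top-level `name=value` scalars (anything with '(' is handled as an array above).
SCALAR_RE = re.compile(r'^([A-Za-z_]\w*)=([^\n(]+)$', re.M)
# `name() {` ... `}` with the closing brace at column 0.
FUNC_RE = re.compile(r'^([A-Za-z_]\w*)\s*\(\)\s*\{\n(.*?)^\}', re.M | re.S)
# Commands that fetch or execute content outside the checksummed sources.
FETCH_OR_EXEC_RE = re.compile(r'\b(curl|wget|eval|base64)\b|\|\s*(sh|bash)\b')


def parse_pkgbuild(text):
    """Return (arrays, scalars, functions) extracted from PKGBUILD text."""
    arrays = {n: [i.strip('"\'') for i in body.split()]
              for n, body in ARRAY_RE.findall(text)}
    scalars = {n: v.strip().strip('"\'') for n, v in SCALAR_RE.findall(text)}
    funcs = {n: [ln.strip() for ln in body.splitlines() if ln.strip()]
             for n, body in FUNC_RE.findall(text)}
    return arrays, scalars, funcs


def review_changes(old_text, new_text):
    """Compare two PKGBUILD versions; return a list of (severity, message) findings."""
    old_arr, old_sca, old_fn = parse_pkgbuild(old_text)
    new_arr, new_sca, new_fn = parse_pkgbuild(new_text)
    findings = []

    # 1. Every new source entry is content the package did not pull before.
    for src in new_arr.get('source', []):
        if src not in old_arr.get('source', []):
            findings.append(('high', f'new source entry: {src}'))

    # 2. A SKIP checksum tells makepkg not to verify that download at all.
    for key, sums in new_arr.items():
        if key.endswith('sums'):
            added_skips = sums.count('SKIP') - old_arr.get(key, []).count('SKIP')
            if added_skips > 0:
                findings.append(('high', f'{key}: SKIP added for {added_skips} entries'))

    # 3. .install scripts run as root at install time, so appearance or change matters.
    old_install, new_install = old_sca.get('install'), new_sca.get('install')
    if old_install != new_install:
        findings.append(('high', f'install script changed: {old_install} -> {new_install}'))

    # 4. Lines added to packaging functions; fetch/exec patterns are promoted to high.
    for name, lines in new_fn.items():
        for line in lines:
            if line not in old_fn.get(name, []):
                sev = 'high' if FETCH_OR_EXEC_RE.search(line) else 'medium'
                findings.append((sev, f'{name}(): added line: {line}'))

    # 5. A function that disappeared (e.g. check()) is also worth a look.
    for name in old_fn:
        if name not in new_fn:
            findings.append(('medium', f'{name}() removed'))
    return findings


# Constructed sample: previous and updated PKGBUILD of a fictional package.
# Hostnames and checksums are placeholders, not real packages or sources.
OLD_PKGBUILD = """\
pkgname=examplepkg
pkgver=1.4.0
pkgrel=1
source=("https://example.org/releases/examplepkg-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

NEW_PKGBUILD = """\
pkgname=examplepkg
pkgver=1.4.0
pkgrel=2
install=examplepkg.install
source=("https://example.org/releases/examplepkg-$pkgver.tar.gz"
        "https://cdn.example.net/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  install -Dm755 "$srcdir/helper.sh" "$pkgdir/usr/bin/examplepkg-helper"
}
"""

if __name__ == '__main__':
    for severity, message in review_changes(OLD_PKGBUILD, NEW_PKGBUILD):
        print(f'[{severity}] {message}')
```

On the constructed sample this reports the second source entry, the SKIP checksum covering it, the newly referenced install script, and the added line in package() that installs the unverified file. The point of the ordering is that the highs are exactly the places where makepkg's own checksum and signature checks no longer protect you, so those are read before anything else in the diff.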

  • TheModerateTankie [any]@hexbear.net · 2 upvotes · 12 hours ago

    This is one of the reasons why I prefer the user/sandbox model of something like the “atomic” distros or Flatpak, despite some occasional annoyances with privileges. If you use a traditional package manager, everything in the repository gets installed as root and has access to everything on your computer. Most of the desktop software people use probably doesn’t need to be installed at the root level. Generally not a problem when the software is reviewed and maintained by a competent distro, aside from cases like xz utils, but adding repositories or using something like the AUR elevates the risk. At the very least it seems like the AUR should be sandboxed and/or installed at the user level only by default. I dunno, maybe this new exploit would still be a problem if that were the case, but it just seems like an obviously flawed paradigm people have just accepted because Linux malware has been relatively rare compared to Windows, and adding security layers is a hassle.

    • AssortedBiscuits [they/them]@hexbear.net (OP) · 2 upvotes · 12 hours ago

      It’s definitely exciting times. I don’t like how the AUR is touted by the Arch community as something that makes Arch stand out compared with other distros until something like this happens, and then it’s “Well, you should only use the AUR if you know what you’re doing. Arch is explicit about how the AUR hasn’t been vetted, so you can’t pin this on Arch. Caveat emptor.”

      • TheModerateTankie [any]@hexbear.net · 2 upvotes · 6 hours ago

        It’s weird that it’s so heavily promoted to new users these days. “Just read all the notes before you update, bro” on a system that constantly updates…

  • chgxvjh [he/him, comrade/them]@hexbear.net · 5 upvotes · 3 days ago

    We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time.

    How about some sort of QA/review process? Otherwise I would honestly just shut down AUR. It’s not a good idea and I’m surprised this hasn’t happened a lot more often already.

    • red_giant [comrade/them, he/him]@hexbear.net · 6 upvotes · 3 days ago (edited)

      Review costs money and is slow, meaning vulnerabilities that already exist persist for longer before being patched.

      This is a real double-edged sword for open source. FOSS as a software supply chain relies on trust and identity.

      Review doesn’t fix this problem. You can increase security of incoming code at the expense of decreasing security of existing code by virtue of slowing down the response-time to existing security threats. The social architecture of code distribution is the vulnerability here.

      Ultimately, Arch can’t take ownership of all the code that is possible to install on Arch.

      The AUR makes it clear that packages there are not vetted. You’re trusting the developer and the developer’s security practices.

      • chgxvjh [he/him, comrade/them]@hexbear.net · 2 upvotes · 3 days ago

        Supply chain attacks are a bigger risk than slightly slower patches.

        Of course the reviews would need to be a community process. Might not be a big difference from the regular Arch repo then. I think shutting down the AUR is a legit option worth exploring.

        • red_giant [comrade/them, he/him]@hexbear.net · 5 upvotes · 3 days ago (edited)

          Shutting down the AUR is a legit option for sure, but it’s not convincing that it would solve much.

          You can always just not install packages from AUR if you’d prefer to be immune to the threat.

          Debian is beginning to enforce reproducible builds which is a great step. Requiring source repos to use signed commits would be another.

          Supply chain attacks are not a problem that can be erased, but the idea that I cannot install a patch for a critical vulnerability because I’m waiting for community review seems extreme as well. And who is to say that community review is immune to hijacking anyway?

          If you want professionally vetted code and you also want a library of installable packages, then really you want macOS and the Mac App Store.