The AUR is, as many others have pointed out, a deliberately un-vetted pile of random Git repos. Arch deliberately doesn't even ship with a default one-click installer for AUR packages; their published guidance is "git clone this stuff from wherever it's hosted and build it at your own risk". Plenty of third-party, non-Arch-blessed tools turn that into a one-click process, but it's not "part" of Arch itself--at least not any more than, like, curl | bash or directions on how to add rando websites to /etc/apt/sources.list.d is part of Debian and friends.
I've used Arch as a daily driver for years. At peak, I've had five (5) total packages, with no transitives, installed from the AUR. Today I have one: sublime-text-4. It's perfectly possible--and extremely reasonable for many users, even power users--to live in an AUR-less world, or to use so few AUR packages that the guidance of "read what you're installing, doofus" is manageable and not onerous.
I would never use anything equivalent to AUR on any distro due to the obvious security implications. That’s been my position for as long as I have known about Arch. I never understood Arch users using the AUR as a selling point for the distro.
Then again I live in the opposite end of the spectrum where I run only Debian Stable on my Linux desktop as well as my servers, where packages make it through Sid and Testing before getting to Stable and I can be relatively sure any supply chain attacks have been caught by then (like xz for example which was caught before it left Sid).
For those unfamiliar with Debian, Sid is basically a rolling release similar to using Arch with the official repositories (which is already dangerous without even touching the AUR), then packages move to Testing, then later eventually make it to Stable.
With opensuse official packages also use the same infrastructure. It is actually quite fascinating and powerful. (I know a lot less about COPR but I would imagine it would be equally as good. Wezterm switched to that for its packages)
But let's hope we get this solved, like peer review model, vouch, or something
It is very good to be able to find build/install files for everything
I have many opinions regarding this situation, but it mostly doesn't matter. AUR staff and AUR helper developers will figure out what they want to do, hopefully they will find a good approach.
But what I personally take away from this is simply that it has become worth it to target desktop Linux with malware. Or at least, moreso than previously. It is perhaps a good sign in some ways that the desktop is starting to be taken more seriously.
The bad news, of course, is that the Linux desktop is a bit of a train wreck in terms of security hygeine. It's getting better, and Linux does have the advantage of having some powerful primitives to exploit, but the desktop suites come from a totally different world, and I fully expect we'll also see more malware propagated through KDE's New Stuff integration (which goes through Pling.)
In general things that are not part of your distro's supported repos (KDE's AUR, language package installers like npm and pypi, Ubuntu PPAs, etc.) seem to present far more of a risk.
Absolutely the wrong conclusion:
1. This is a super low hanging fruit attack
2. The ROI is significantly higher than the cost of attack
3. The cost of the attack is now drastically reduced due to LLMs (not that they necessarily mattered here but hard to rule out).
It’s less about the Linux desktop where Ubuntu is dominant and more that Arch security is so bad regarding how they maintain the AUR. Seriously it’s worse than Swiss cheese in terms of putting up roadblocks.
I still don't understand what people expect Arch to do here? It's a user-contributed repository open for anyone, Arch maintains their own official repositories that are separate from AUR, what would need to change in the maintenance of the AUR for you to consider it to be "properly run" or whatever, and it doesn't stop serving its core purpose anymore: to allow any user to upload any PKGBUILD?
If you're advocating for not allowing users to upload their own PKGBUILD anymore, then it stops being the AUR, and for the people who agree with that, they can already exclusively use the official repositories instead of touching the AUR.
In true Arch fashion, the security is up to you here, review stuff before installing 100% unknown and random 3rd party software from the internet, as always. If you don't want to review anything? Stick with official stuff, and you won't have issues.
> It's getting better, and Linux does have the advantage of having some powerful primitives to exploit, but the desktop suites come from a totally different world,
That said: the attacks on Snap and Flatpak are bound to be less interesting; it doesn't share the same mechanics that make AUR scary. I still hope that Linux infrastructure vendors work to come up with good ways to "raise the floor" in these cases.
I do not think this something you can escape by switching distro.
Ubuntu actually has first-party repositories with proprietary codecs.
Nixpkgs is a pretty comprehensive monorepo of packages with a more normal review process than the AUR, and it includes non-free software as well, plus the model with flakes for third-party stuff is that you trust individual publishers for their little repos rather than one giant grab bag repo of unreviewed content like the AUR.
RPMFusion for Fedora kinda has a similar profile, in that it's a shared repo for various things unsuitable for the main one, but it follows more or less normal Fedora packaging and review standards, doesn't it?
Supply chain attacks are possible everywhere and some distros have particular weaknesses, but the AUR really is pretty much uniquely bad here.
That being said, still one namespace. Once you add an overlay it can replace any package it wants.
It's also Gentoo so too hard for most people to figure out.
Namespacing is the solution, and as mentioned in the article some ditros do indeed have namespaced user repos, like Fedora's Copr. The trust model of a flat namespace user repo is completely broken when the maintaining user can change at any moment.
OBS is more like Ubuntu's Launchpad or Fedora's CO0R than the AUR. Random strangers can't take over the packages of others just because they go idle, and it's a bunch of separate repos, not one. Totally different trust model.
An Arch maintainer that I personally know once admitted that he rarely review upstream changes when bumping package versions. He only does that when the build breaks.
I can't blame him for what he did, since it's not reasonable to ask package maintainers to spend all their time on those stuff, especially in this "Age of AI" where more and more software are being aggressively refactored (or rather rewritten) and added more features.
What we can do is choosing a stable distro (like Debian) where packages are more thoroughly reviewed, and apply security practices (such as TOTP, sandboxing browsers and video players, etc.) even though they cause inconvenience.
If you distribute an update that has malware, that is you publishing malware.
Cool story bro. Assuming that's common, I have trouble understanding why Arch (non-AUR) is any more at risk than Debian--besides the latter being more popular and having more users/incidental testers, which is a real benefit if that's your goal, but has its own drawbacks (like older and known-vulnerable packages lingering for longer before updated releases are made available).
> it's not reasonable to ask package maintainers to spend all their time on those stuff, especially in this "Age of AI"
Aren't Debian and friends similarly at risk of this as well, then?
> security practices (such as TOTP, sandboxing browsers and video players, etc.)
I'm not sure if those are more or less prevalent on Arch; I know that many IDEs and GUI programs I've installed on Arch ran by default in Flatpaks or similar, and Debian/Ubuntu like Snaps, but I'm honestly not familiar with whether those ecosystems have significant and/or equivalent penetration in different distros.
Where are you drawing your conviction that non-rolling-release distro maintainers are doing a more thorough review of upstream changes?
> such as TOTP
What?
I know that for AUR there was a specific list of affected packages (that I checked, and haven't installed any of them), but I'm interested more in a general way. It could be from AUR, npm, or many other sources. Some malware could break and lock immediately the system, but other could stay there silent for months, so how to find out if there is any?
I haven't run an antivirus since I last used Windows 20 years ago.
Ultimately I'd say it depends on your risk profile, but using something to actively approve/deny network connections on your local machine, is a great start that'd defeat most of these simpler "exfiltrate information ASAP" malware that seems popular at the moment.
If you have a list of good CLI utilities, you could run them in a bash script (e.g., network-monitor.sh), which would run in the background, and then redirect the output data to another file (e.g., network-monitor.txt). The key concept here is "baseline" -- you need to know what normal baseline network activity looks like, so that you can identify anomalous behavior. The way to establish a baseline is to gather a lot of data from the system.
The following are a few useful command line utilities to use for a host intrusion detection system (HIDS) using a simple network monitoring bash script. However, I am not sure exactly how to tweak the options. Also need to find a way to check for data exfiltration:
-list open ports and processes that own them: netstat -lnp
-show open network ports: lsof -i; netstat -an | grep -i listen; netstat -nap
Then it would be relatively easy to write a python script with regex tools to parse the network-monitor.txt file, establish a baseline, analyze the data for patterns and search for anomalous behavior.
Besides network monitoring, there are other command line utilities you can use to check the system for possible intrusion, which you could run in a separate bash script as part of your Host Intrusion Detection System (e.g., hids-users.sh):
-show members of root group: cat /etc/group | grep root
-show users logged in: w #if you are the only user, you should not see more than one account logged in
-search for all accounts with UID of 0: grep :0: /etc/passwd #ideally there should be only one UID of 0 on the system, but attacker can create more.
-check that daemons who never log in have * or !, meaning no passwd: cat /etc/shadow
-look for orphaned files, possible sign of attacker temp account deleted: find / -nouser -print
-search for new user accounts that are not part of regular build: sort -nk3 -t: /etc/passwd #sort numerically third column (UID), colon delim (-t:)
EDITS: several small changes for clarity and also in response to comment below
That'd be the role of an IDS (Intrusion Detection System). Things like file signatures of your entire system being saved to another machine (for example an offline/airgapped one) beforehand (for example by plugging your main machine's SSD as a secondary drive on the airgapped one).
If you suspect shenanigans, you take your machine offline, you remove its SSD (your BIOS/UEFI is also a concern), plug it to your airgapped machine with the IDS: it compares all the files (binaries, config files, etc.)' checksums with the past ones.
It's a bit of a lost art but it could make a comeback seen what we're facing, now nearly on a weekly basis.
Some distros have a way to check for file integrity as part of the package manager: but you can't trust the infos coming from the machine itself if it's been compromised.
A bunch of common yay commands also return back the last updated time of a package thanks to https://github.com/Jguer/yay/pull/2846.
Nothing protect you from a `yay -S foo` install and its dependencies. So this is not a guarantee or enforcement of a minimum release-age.
Actually writing this reply I went ahead and pointed that out in an issue at: https://github.com/Jguer/yay/issues/2883
This confuses me - why would a proof-of-work anti-scraping system like Anubis prevent registrations?
This is not much, but it could deter some low effort adversaries.
Then set it in a loop on all the packages for a particular system, I don't have experience in package maintenance and would be curious what kind of issues would come up.
It's an interesting idea, not sure I'd recommend it broadly, but if someone told me they prefer to trust an LLM than third-parties I'd get it at least.
Some people (many of which don't even use Arch itself) have been treating and advertising it as something different. It's not a software distribution method meant for normal computer users.
This is a good thing, because the warning about checking everything you download from the AUR, which has always existed, is now actually "enforced". People respond to consequences.
Mitigation Tool: https://github.com/cookiengineer/antimiasma
Blog Post with details: https://cookie.engineer/weblog/articles/malware-insights-mia...
It is so sad that every goodwill eventually got enshittified as well.