MyNameIsRichard@lemmy.ml
on 01 Aug 15:11
nextcollapse
The malicious packages were found and removed quite quickly. Also anyone who doesn’t blindly install from the AUR would have seen a suspicious .lol url. I suppose that a genuine package using a .lol url isn’t impossible, it’s just very unlikely,
These attacks do demonstrate the strength and weakness of the AUR, that anyone can upload anything at any time. The same as flathub and the snap store. Treat all of them with appropriate caution.
That sounds like a nice feature we could use for the Aur actually. We already have the votes value, but some sort of verification body could help rescue the Aur’s reputation.
Seriously. It’s technically true that there was a RAT on the AUR but the way it’s titled is written to intentionally invoke times where it was more than one thing.
I think it’s a good thing to frighten users just a little bit. Arch is no longer a niche distro and it was only a matter of time before someone took advantage of the generally unvetted AUR. It’s a wake-up call that the times of good faith are gone and you need to pay attention.
Just standard clickbait, but sounds more serious because we understand the extent to which they’re going out of their way to bend and withhold the facts.
h4x0r@lemmy.dbzer0.com
on 01 Aug 16:01
nextcollapse
Installing from AUR without reviewing the PKGBUILD is a self pwn.
LeFantome@programming.dev
on 01 Aug 18:22
nextcollapse
It is a well known risk but not something that was a real risk numerically. I mean, it still isn’t given the number of packages in the AUR.
This is a couple of malicious packages discovered in a short period though. Not a good sign. It was really impact the AUR if polluting it with malware became common.
You should always inspect AUR packages before installing them but few people do. Many would not even know what they were looking at.
electric_nan@lemmy.ml
on 01 Aug 21:45
nextcollapse
Me, a hacker, targeting anyone who says they use Arch btw.
mugita_sokiovt@discuss.online
on 02 Aug 00:29
nextcollapse
This is why I just use the Chaotic AUR, knowing that something like this was being posted everywhere. My producer, Neigsendoig, does the exact same with his machine.
I saw two pkgbuild from the user, I don’t really know what I’m looking at in pkgbuilds generally but these were dead obvious something was bogus . downloading arbitrary files from some url like (segs)(dot)(lol) hopefully sufficiently defanged
Yes but thats not relevant. Its like me saying windows users dont use the AUR and then you saying um actually im on windows and I run arch in a VM and use the AUR. Like ok thats still the AUR being used on arch.
Like the topic is AUR malware and someone was like arch users and steamOS users. But steamOS users dont need to be worried or lumped in because they aren’t using the aur unless they’re also using arch through vm or distrobox or whatever.
threaded - newest
The malicious packages were found and removed quite quickly. Also anyone who doesn’t blindly install from the AUR would have seen a suspicious .lol url. I suppose that a genuine package using a .lol url isn’t impossible, it’s just very unlikely,
These attacks do demonstrate the strength and weakness of the AUR, that anyone can upload anything at any time. The same as flathub and the snap store. Treat all of them with appropriate caution.
Flatpak does have a concept of Verified Publisher. Many distros ship flatpak app store with default filter set to Verified Publisher only.
That sounds like a nice feature we could use for the Aur actually. We already have the
votesvalue, but some sort of verification body could help rescue the Aur’s reputation.Also, if your distro doesn’t do this, you can do it yourself. You can modify, for instance, KDE Discover’s flathub repo to use the verified subset.
I feel like these headlines are designed to be way scarier than the scenarios actually are to people that don’t know much about Arch Linux.
Seriously. It’s technically true that there was a RAT on the AUR but the way it’s titled is written to intentionally invoke times where it was more than one thing.
true and part of me suspects that it’s intentional on the part of arch users so that they can continue to tell the world that they “use arch btw” lol
I think it’s a good thing to frighten users just a little bit. Arch is no longer a niche distro and it was only a matter of time before someone took advantage of the generally unvetted AUR. It’s a wake-up call that the times of good faith are gone and you need to pay attention.
Just tell them to read the arch wiki page on AUR and take it seriously, IMO
Your opinion sucks and isn’t going to be enacted by most users.
Instead of someone accidentally ruining your pc, they intentionally ruin your pc!
Just standard clickbait, but sounds more serious because we understand the extent to which they’re going out of their way to bend and withhold the facts.
Installing from AUR without reviewing the
PKGBUILDis a self pwn..
It is a well known risk but not something that was a real risk numerically. I mean, it still isn’t given the number of packages in the AUR.
This is a couple of malicious packages discovered in a short period though. Not a good sign. It was really impact the AUR if polluting it with malware became common.
You should always inspect AUR packages before installing them but few people do. Many would not even know what they were looking at.
.
God I hate those. The worst way to distribute apps.
.
The problem is Arch doesnt package everything
Me, a hacker, targeting anyone who says they use Arch btw.
This is why I just use the Chaotic AUR, knowing that something like this was being posted everywhere. My producer, Neigsendoig, does the exact same with his machine.
We both use CachyOS anyway.
I saw two pkgbuild from the user, I don’t really know what I’m looking at in pkgbuilds generally but these were dead obvious something was bogus . downloading arbitrary files from some url like (segs)(dot)(lol) hopefully sufficiently defanged
Man, we’re gonna have to change the name of the AUR because bad journalists keep thinking this has something to do with the distro.
“Arch Linux Users who go out of their way to install RAT at risk of installing RAT”
Is AUR more risky than before? Nope. But this targets more people than ever. StreamOS and CachyOS are pretty popular these days.
This is the most likely reason why all of sudden there is an uptick in attempt to embed malware in AUR build scripts.
SteamOS users dont use the AUR.
I use it from a distrobox.
Using the arch distro right?
Yeah, was using vanilla arch before my desktop stopped working. My deck with a dock works, but discover was inadequate.
Yeah but thats not really steamOS using the aur.
SteamOS using the aur would be unlocking the root folder, doing a pacman update and then using the AUR which I assume very very few users do.
I only mention this because everytime arch is mentioned steamOS gets dragged up as if its the same thing when they’re worlds apart.
Using the AUR via distrobox can be done on every distro.
Yes but thats not relevant. Its like me saying windows users dont use the AUR and then you saying um actually im on windows and I run arch in a VM and use the AUR. Like ok thats still the AUR being used on arch.
Like the topic is AUR malware and someone was like arch users and steamOS users. But steamOS users dont need to be worried or lumped in because they aren’t using the aur unless they’re also using arch through vm or distrobox or whatever.
Am I making sense?
This not yet scary, scary starts when malicious actors take over orphaned AUR packages…