Havoc 4 hours ago

As I understood it this was mostly orphaned packages?

Shank 4 hours ago | parent | next [-]

That's correct, orphaned packages could be adopted seemingly automatically, so someone did and then published malware in bulk.

beej71 2 hours ago | parent [-]

This makes me want to adopt more packages. Lots of the orphans barely need updating.

gbin 4 hours ago | parent | prev | next [-]

Yes and honestly super kudos to paru's creator for the nagging warning about installed orphan packages that made me remove them immediately.

So with a dozen various systems running arch/cachyos for various purposes, 0 impact.

We seriously dodged a bullet though, should we have some kind of AI spotting shady activity before it hits the userbase?
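One way to turn that orphan warning into a routine check, as an added example that is not code from paru, pacman or anyone in this thread: it compares the installed foreign packages against the AUR RPC's maintainer field and a saved snapshot of previous maintainers, flagging orphans (adoptable by anyone) and packages whose maintainer changed since the last run. All inputs are constructed inline so it runs offline; package names, versions and maintainer handles are placeholders.

```python
"""Flag installed AUR packages that are orphaned or have a new maintainer.
Added example: assumes the AUR RPC v5 "info" response shape (a "results" list
whose "Maintainer" is null for an orphan); every input is constructed inline."""
import json

# Constructed stand-in for `pacman -Qm` output (foreign packages, "name version").
PACMAN_QM = """\
google-chrome 126.0.6478.126-1
some-niche-tool 1.4.2-1
zoom 6.1.1-1
"""

# Constructed stand-in for the AUR RPC v5 "info" reply for those names.
AUR_RPC_RESPONSE = json.dumps({
    "version": 5, "type": "multiinfo", "resultcount": 2,
    "results": [
        {"Name": "google-chrome", "Maintainer": "maint-a"},
        {"Name": "some-niche-tool", "Maintainer": None},
        # "zoom" deliberately absent: the AUR no longer has it.
    ],
})

# Constructed snapshot of maintainers saved at the previous check.
PREVIOUS_MAINTAINERS = {"google-chrome": "maint-b", "some-niche-tool": "maint-c"}

def parse_foreign_packages(qm_output: str) -> list[str]:
    """Return package names from `pacman -Qm`-style 'name version' lines."""
    return [line.split()[0] for line in qm_output.splitlines() if line.strip()]

def audit_aur_packages(names, rpc_json: str, previous: dict) -> dict[str, str]:
    """Map each name to "orphaned", "maintainer-changed", "missing-from-aur" or "ok"."""
    results = {r["Name"]: r for r in json.loads(rpc_json)["results"]}
    status = {}
    for name in names:
        info = results.get(name)
        if info is None:
            status[name] = "missing-from-aur"    # deleted or renamed; worth a look
        elif info["Maintainer"] is None:
            status[name] = "orphaned"            # anyone can adopt it right now
        elif previous.get(name) not in (None, info["Maintainer"]):
            status[name] = "maintainer-changed"  # adopted since the last check
        else:
            status[name] = "ok"
    return status

if __name__ == "__main__":
    names = parse_foreign_packages(PACMAN_QM)
    for pkg, verdict in audit_aur_packages(names, AUR_RPC_RESPONSE, PREVIOUS_MAINTAINERS).items():
        print(f"{pkg}: {verdict}")
```

In real use the snapshot would be written back after each run and a "maintainer-changed" or "orphaned" verdict would prompt a read of the PKGBUILD diff before the next update.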

ajross 4 hours ago | parent | prev [-]

Not even "packages" in the distro sense. You can't use software installed with Arch to install this stuff via any path that isn't isomorphic to rebuilding the package yourself.

This was the AUR repository, which is the community-maintained soup of non-distro packages. They're packaged using the same tools and technology, with the intent that they can be easily validated and promoted to core stuff in the future. But they aren't really "Arch Linux". You need to deliberately enable and install tools to pull stuff from it.

Think of this as Steam or Chrome. You can install those on Arch, and people do, but if Chrome extensions or Steam games suffer an incident like this you don't blame the distro.

cge 2 hours ago | parent [-]

> They're packaged using the same tools and technology, with the intent that they can be easily validated and promoted to core stuff in the future.

That's perhaps the intent ideally, but in practice, it feels like AUR tends to be (a) niche, esoteric things that will never be anywhere outside of AUR, even if they could, or (b) installation methods for proprietary/otherwise non-open packages that can't be.

The latter seems to be a major popular use of AUR: sorting packages by popularity or votes comes up with lists that seem to be mostly these. And that's likely a significant draw for non-technical users. If you want to install things like Dropbox, Chrome, VS Code, Minecraft, Zoom, Slack... they all show up in AUR. By their nature (usually extracting packages from upstream installation methods), they tend to be more complicated than generic AUR packages. They are also often quite a bit more convenient than using the upstream packages, which might not interface well with Archlinux, might only be available with installation methods that clobber things, might be deb/rpm only, etc.

I wonder if it would make sense to have a more trusted/vetted repository of these sorts of scripts, separate from core repositories but also not as free-for-all as AUR. That might go a long way toward keeping non-technical users from being drawn to AUR.