mcv 3 hours ago
It's still surprising someone was able to infect so many packages. But I admit I don't really know how AUR works. Can anyone with access simply update anything? Do packages not have owners who check contributions?
jorams 2 hours ago
Packages in the AUR have some number of maintainers. When a maintainer no longer wants to maintain the package they can disown it, and when all maintainers do so the package becomes orphaned. An orphaned package can then be adopted by any user. At any time there's a large number of orphaned packages in the AUR, and the attacker(s) targeted those.
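The orphan-then-adopt path described above is something a user can watch for on their own machine. The following is an added example (not code from the thread or from the AUR project) that reads the JSON the AUR RPC v5 "info" endpoint returns and flags packages that are currently orphaned (Maintainer is null), whose maintainer differs from one recorded earlier, or that were modified recently; the sample response, package names and timestamps are constructed for the example.

```python
import json
from urllib.parse import urlencode
from urllib.request import urlopen

AUR_RPC = "https://aur.archlinux.org/rpc/"  # real endpoint; fetch_info() is not used by the offline demo

# Constructed sample of an AUR RPC v5 "info" reply. Field names match the real API;
# package names, maintainers and epoch timestamps are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "version": 5, "type": "multiinfo", "resultcount": 3,
    "results": [
        {"Name": "example-tool", "Maintainer": None, "LastModified": 1700000000},
        {"Name": "example-lib", "Maintainer": "longtime-user", "LastModified": 1600000000},
        {"Name": "example-cli", "Maintainer": "new-user", "LastModified": 1700500000},
    ],
})

def fetch_info(names):
    """Query the AUR for the given package names (network; not exercised offline)."""
    query = urlencode([("v", 5), ("type", "info")] + [("arg[]", n) for n in names])
    with urlopen(f"{AUR_RPC}?{query}") as resp:
        return resp.read().decode()

def flag_aur_packages(response_json, known_maintainers, now, recent_days=30):
    """Return {package: [reasons]} for packages that deserve a PKGBUILD re-read.

    known_maintainers: maintainer names recorded when the package was last reviewed
    (e.g. saved from an earlier run), so a hand-over to a new account is visible.
    now: current time as a Unix epoch, passed in so results are reproducible.
    """
    flagged = {}
    for pkg in json.loads(response_json)["results"]:
        reasons = []
        maint = pkg.get("Maintainer")
        if maint is None:
            reasons.append("orphaned: adoptable by any AUR account")
        elif pkg["Name"] in known_maintainers and known_maintainers[pkg["Name"]] != maint:
            reasons.append(f"maintainer changed: {known_maintainers[pkg['Name']]} -> {maint}")
        if now - pkg["LastModified"] < recent_days * 86400:
            reasons.append(f"modified within the last {recent_days} days")
        if reasons:
            flagged[pkg["Name"]] = reasons
    return flagged

if __name__ == "__main__":
    # In practice the names would come from `pacman -Qmq` (foreign, i.e. non-repo, packages).
    recorded = {"example-lib": "longtime-user", "example-cli": "longtime-user"}
    for name, why in flag_aur_packages(SAMPLE_RESPONSE, recorded, now=1700600000).items():
        print(name, "->", "; ".join(why))
```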
embedding-shape 2 hours ago
> But I admit I don't really know how AUR works

It's basically GitHub (in terms of "user-generated content") but tailored and specific to Arch/Arch-derived distributions. Packages have owners, but everything is very "freeform" in general on the AUR. It wasn't uncommon that you could be added as a maintainer by just sending a mail to the current maintainer, since it's basically "Hey, let me contribute to your repository" (simplified); today people keep track a bit better and avoid that, from what I've seen. But still, it's on an individual basis. Just like GitHub, AUR is completely devoid of peer review: users upload their own PKGBUILD and share it with others, and the expectation is that users review stuff before they install it, just like on GitHub, or just like on the internet in general.