blcknight 2 hours ago

"Review" them how? Read every single line of code before installing something? If it's a binary package, how do you do that? Make reproducible builds for everything you install? Move to from source distro? Putting this on users is not a tenable solution. There's room for common sense, but blaming the users for this is ridiculous

jolmg 6 minutes ago | parent | next [-]

> If it's a binary package, how do you do that?

You find one that builds from source, or you still review PKGBUILD and friends and evaluate the reputation of upstream and its maintainers, or you simply decide never to install binary packages. Your policy is yours to decide.

> Putting this on users is not a tenable solution.

The alternative would be to not have an AUR. Archlinux has official package repos where packages are vetted. The AUR (Arch User Repository) is not that. The AUR is there to provide a greater variety of software than the official repos, and it does that by not incurring the cost of being individually maintained by Arch staff and developers. It's like github, but limited to repos with PKGBUILDs.

yowo an hour ago | parent | prev | next [-]

This is like saying a user who clones a random git repo is not to blame and git-scm should do more to prevent cloning of malicious repos. If it is not official, it is your job to review; if you don't like it, use iOS instead of Arch Linux.

If you crash your car, you are liable for the accident. If you aren't ready for that, take the bus.

More power = more responsibility

naturalmovement 44 minutes ago | parent [-]

Uh but this isn't random git repos these are packages available through the OS's repos. Why does the AUR even exist if not for malware distribution?

It's an uncontrolled free-for-all disguised as a watering hole. If they can't do the most basic of housekeeping it should not exist full stop.

zeta0134 27 minutes ago | parent | next [-]

They *are* doing the basic housekeeping. What do you think this announcement is, if not exactly that? AUR is very clearly documented as user-submitted, and automatic installs from it are heavily discouraged by the maintainers for this reason. Malware aside, there is very little quality control, and a poorly made AUR has the potential to break the system pretty badly. (Though, in my experience, most of the useful AUR packages are trivial to remove if something goes wrong.)

The officially maintained repositories (which are part of a default installation) were not affected. Users need to go somewhat out of their way to use an AUR.

The definition files are all plain text and not especially complicated. It's not too difficult to glance at the file before doing an install to get a basic idea of what it's about to do, just like you should do when running a random shell script or cloning a random git repo. Indeed, most AURs are implemented by cloning an upstream git repo and configuring it so it can be built. The same basic threat model applies: Do you trust the install script? Do you trust the upstream URL whose code it is about to compile?

Hackbraten 41 minutes ago | parent | prev [-]

> these are packages

PKGBUILDs are not packages. They’re (user-contributed) instructions on how to build packages.

> available through the OS's repos.

No. The AUR is a platform, similarly to NPM or PyPI, that allows users to upload PKGBUILDs. It is not part of “the OS’s repos,” and it says that loud and clear, multiple times, including on the front page.


embedding-shape 24 minutes ago | parent | next [-]

You seem to have a wild misconception of what AUR actually is.

It'd be more like a public toilet anyone could urinate in, and you lick the floor right next to the toilet and then are surprised that it tastes like pee. Of course there is pee on the floor, anyone can pee there!

neoCrimeLabs 20 minutes ago | parent | prev [-]

A better analogy would be blaming a supermarket that hosts an outdoor farmers market because you contracted food poisoning from a stand owned by someone else - NOT for buying food from within the supermarket itself.

Meanwhile one of the other customers has norovirus and is deliberately touching everything so others contract it.

kcyb 2 hours ago | parent | prev | next [-]

As an arch user, I would always skim the PKGBUILD file of AUR packages to see if they install the software they claim to install from official sources and if there's something obviously fishy.

naturalmovement 43 minutes ago | parent | next [-]

The BSDs prevent this by never having allowed random jamokes to upload Makefiles into the ports system.

embedding-shape 26 minutes ago | parent [-]

Yeah, I've prevented this locally too by never building such a platform in the first place, always the best solution!

Jokes aside and just in case, you do realize ports and AUR have two very different models? Ports is more similar to the official Arch repositories, which obviously doesn't suffer from the same problem, and AFAIK, there is no BSD-equivalent of AUR.

BSD is cool and useful for lots of reasons, but comparisons based on misunderstandings help no one :)

echelon_musk an hour ago | parent | prev [-]

I'd be surprised if you did it as a Debian user!

gchamonlive 20 minutes ago | parent | prev | next [-]

Ask an LLM to assess the package and do a web search for you. Nobody is installing tens of packages a day, you can take a few minutes to consider what you are installing. This isn't blaming the user, it's basic digital hygiene.

t-3 2 hours ago | parent | prev | next [-]

An archlinux package build file is just a shell script. It's pretty easy to take a look and see if all the manifest info is right and it doesn't do more than ./configure; make; make install DESTDIR=$PKG or whatever. If you're building random software using random instructions from the internet and don't make sure they're not malicious, you only have yourself to blame when you catch something. Actually reading through the source files for vulns is something best left for automatic detection, checking the build script is basic.

bethekidyouwant an hour ago | parent [-]

How is that relevant unless you read the make file?

embedding-shape an hour ago | parent [-]

If you don't trust upstream, a PKGBUILD from AUR is the least of your problem.

clickety_clack 29 minutes ago | parent | prev | next [-]

It’s free lines of code on the internet that you are going out of your way to run on your own machine.

embedding-shape an hour ago | parent | prev [-]

Let's take two real and random examples, and I'll share what I'd look for:

First, a very easy one: we want to install Brave, so we find https://aur.archlinux.org/packages/brave-bin. All the dependencies are in the official repos already, so those we trust already. You open the downloaded PKGBUILD and you find it's downloading a binary from github.com/brave; you check to see it's the official GitHub profile/organization that you expect. Quickly scan prepare/package for anything out of place, like downloading more files not defined in "source" or whatever. In this case, "suid sandbox" stuff should make you investigate closer so you understand what that stuff does; many things related to Chrome have things like that. That AUR package also has a brave-bin.sh, so a look through that would make sense. AFAIK, everything checks out, this is literally just downloading the official release from GitHub and extracting it into the right place, so if you trust the GitHub org/user, you can trust the PKGBUILD. The PKGBUILD also seems to be officially maintained by Brave themselves, so probably already there you can verify the AUR user and be done if you feel lax.

The second example is an unofficial package, https://aur.archlinux.org/packages/lmstudio-bin, maintained by noureddinex and created by MadGoat, neither of which seem official at a glance. Read through the comments to see if anyone else flagged anything; seems fine, so again go read the source of the package and the PKGBUILD. PKGBUILD seems standard, downloads something from "installers.lmstudio.ai", so the first thing to check is if that's actually the official website: use a search engine to find the official website, copy the URL of the download, verify it's the same. In this case, lmstudio.ai is the real website, but the download URL on the website ends up being "https://lmstudio.ai/download/latest/linux/x64" in the HTML/DOM, so use "curl -v -L $URL" to see redirects, and then we've confirmed installers.lmstudio.ai is actually what they use for official releases. Read through "prepare" and "package", both seem standard and fine, then look through the rest of the files; all of them seem fine, mostly maintenance scripts for the AUR package itself. The package seems fine as a whole, and we could install it, if we're willing to review it again on upgrades in the future.

This is basically all you have to do. Writing down what I did while doing it made each "review" take maybe 5-10 minutes, and it isn't harder than that, regardless of who the user is. You just need to know what to look for, and think how you'd "officially" install it anyway. And if what the PKGBUILD does differs from what you'd imagine an "official install" would do, investigate if it makes sense and if not, don't install the package; maybe leave a comment for others in AUR to dive deeper.
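A small script, added here and not from the thread or any AUR tooling, that mechanises the first two checks in the review procedure above: which hosts source=() pulls from, and whether prepare()/build()/package() fetch anything that bypasses source=() and its checksums. The PKGBUILD it inspects is constructed for the example; its hosts, package name and the stray curl in prepare() are placeholders.

```shell
#!/bin/sh
# Constructed PKGBUILD, modelled on the *-bin packages discussed above; the
# hosts, names and the extra download in prepare() are placeholders, not real data.
SAMPLE_PKGBUILD='pkgname=example-bin
pkgver=1.2.3
source=("https://github.com/example-org/example/releases/download/v${pkgver}/example.tar.gz"
        "example-bin.sh")
sha256sums=("SKIP" "SKIP")
prepare() {
  tar -xzf example.tar.gz
  curl -sSL https://installers.example-cdn.net/extra.bin -o extra.bin
}
package() {
  install -Dm755 example-bin.sh "$pkgdir/usr/bin/example"
}'

# Hostnames of every URL declared in source=(); these are what makepkg
# actually checksums, so they are the first thing to compare against upstream.
source_hosts() {
  sed -n '/^source=(/,/)/p' "$1" | grep -oE 'https?://[^/"]+' \
    | sed -E 's#https?://##' | sort -u
}

# URLs fetched by curl/wget/git inside prepare()/build()/package(): anything
# here bypasses source=() and its checksums, so it deserves a closer look.
undeclared_fetches() {
  sed -nE '/^(prepare|build|package)\(\)/,/^}/p' "$1" \
    | grep -E '(^|[[:space:];&|])(curl|wget|git clone)[[:space:]]' \
    | grep -oE 'https?://[^[:space:]"]+' | sort -u
}

# Compare against the upstream host you verified by hand (official site plus
# `curl -v -L` on its download link). Returns non-zero if anything needs a look.
review_pkgbuild() {
  file="$1"; expected_host="$2"; rc=0
  for h in $(source_hosts "$file"); do
    case "$h" in
      "$expected_host") echo "ok: source host $h" ;;
      *) echo "CHECK: unexpected source host $h"; rc=1 ;;
    esac
  done
  for u in $(undeclared_fetches "$file"); do
    echo "CHECK: undeclared fetch in build function: $u"; rc=1
  done
  return $rc
}

tmp=$(mktemp); printf '%s\n' "$SAMPLE_PKGBUILD" > "$tmp"
review_pkgbuild "$tmp" github.com || echo "flagged: read the PKGBUILD before installing"
```

It only narrows where to look; the human steps (is that really the upstream org, what does the suid-sandbox bit do) still have to be done by reading the file.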

xnzakg 4 minutes ago | parent [-]

Question is if this would be thorough enough for this attack? A package with a slightly more involved build process, maybe some patches because it was made to build on a different distro. Maybe you've already installed (and thoroughly inspected) it before, so you're only updating to a newer version, so you're not as thorough with your review. Or an xz-style backdoor.