This is like saying a user who clones a random git repo is not to blame and git-scm should do more to prevent cloning of malicious repos.

If it is not official, it is your job to review; if you don't like it, use iOS instead of Arch Linux. If you crash your car, you are liable for the accident. If you aren't ready for that, take the bus. More power = more responsibility.
matheusmoreira (3 minutes ago):

Nothing is "disguised" here. These aren't official repositories and that fact is painfully clear. Arch Linux takes enormous pains to warn users to do their due diligence before installing things from the User Repository. The wiki even cites previous instances where malware was discovered in the packages.
zeta0134 (2 hours ago):

They *are* doing the basic housekeeping. What do you think this announcement is, if not exactly that? AUR is very clearly documented as user-submitted, and automatic installs from it are heavily discouraged by the maintainers for this reason. Malware aside, there is very little quality control, and a poorly made AUR has the potential to break the system pretty badly. (Though, in my experience, most of the useful AUR packages are trivial to remove if something goes wrong.)

The officially maintained repositories (which are part of a default installation) were not affected. Users need to go somewhat out of their way to use an AUR.

The definition files are all plain text and not especially complicated. It's not too difficult to glance at the file before doing an install to get a basic idea of what it's about to do, just like you should do when running a random shell script or cloning a random git repo. Indeed, most AURs are implemented by cloning an upstream git repo and configuring it so it can be built. The same basic threat model applies: Do you trust the install script? Do you trust the upstream URL whose code it is about to compile?
a-dub (an hour ago):

I read all the PKGBUILD diffs, still doesn't give me a good sense. Sure, I can verify that it's coming from the official repo, but even then there's no guarantee that there isn't junk in there or that the git ref is actually pointing at the right thing. It would be better if there were stronger community moderation and review that has stamps I can trust rather than this idea that eyeballing build scripts is a reasonable security posture.
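The questions zeta0134 and a-dub are arguing over (does the PKGBUILD pin its git ref to a commit, does it verify what it downloads, which upstream hosts will it pull from) can be answered statically before makepkg ever runs. The script below is an added example, not Arch tooling or code from anyone in this thread; it assumes the common `source=(...)` / `sha256sums=(...)` array syntax and inspects a constructed sample PKGBUILD, never sourcing it.

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed sample PKGBUILD (not a real AUR package): one git source with no
# commit pin, one tarball whose checksum is SKIP, one local patch with a hash.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.0
source=("git+https://example.invalid/upstream/example-tool.git"
        "https://example.invalid/extra/helper-1.2.0.tar.gz"
        "fix-build.patch")
sha256sums=('SKIP'
            'SKIP'
            '0b4c1e2f5a6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f')
"""
CHECKSUM_ARRAYS = ("b2sums", "sha512sums", "sha256sums", "md5sums")
VCS_PREFIXES = ("git+", "git://", "hg+", "svn+", "bzr+")

def read_array(text, name):
    """Items of a `name=(...)` array with quotes stripped. The file is parsed as
    text, never sourced: sourcing a PKGBUILD executes its shell code."""
    m = re.search(rf"^{re.escape(name)}=\((.*?)\)", text, re.S | re.M)
    return shlex.split(m.group(1)) if m else []

def source_url(entry):
    """Drop the optional `localname::` prefix Arch allows on source entries."""
    return entry.split("::", 1)[1] if "::" in entry else entry

def check_pkgbuild(text):
    """Reviewer findings: VCS sources not pinned to a commit, and non-VCS
    sources whose checksum is SKIP or missing (their contents go unverified)."""
    sums = []
    for name in CHECKSUM_ARRAYS:
        sums = read_array(text, name)
        if sums:
            break
    findings = []
    for i, entry in enumerate(read_array(text, "source")):
        url = source_url(entry)
        is_vcs = url.startswith(VCS_PREFIXES)
        fragment = urlparse(url).fragment  # Arch VCS fragment, e.g. commit=<sha>
        if is_vcs and not fragment.startswith("commit="):
            findings.append(f"source[{i}]: VCS source not pinned to a commit: {url}")
        checksum = sums[i] if i < len(sums) else "MISSING"
        if not is_vcs and checksum in ("SKIP", "MISSING"):
            findings.append(f"source[{i}]: checksum is {checksum}, contents unverified: {url}")
    return findings

def upstream_hosts(text):
    """Hosts the build will download from: the 'do you trust the upstream URL' list."""
    hosts = set()
    for entry in read_array(text, "source"):
        url = source_url(entry)
        plain = url.split("+", 1)[1] if url.startswith(("git+", "hg+", "svn+", "bzr+")) else url
        if urlparse(plain).netloc:
            hosts.add(urlparse(plain).netloc)
    return sorted(hosts)
```

Run it against the PKGBUILD in a cloned AUR repo before makepkg; an empty findings list is a prerequisite for install, not proof that the upstream code itself is clean.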
embedding-shape (an hour ago):

> it would be better if there were stronger community moderation and review that has stamps I can trust rather than this idea that eyeballing build scripts is a reasonable security posture.

Ok, so instead of having a reasonable security posture yourself, you'd rather rely on a number of random strangers who've eyeballed the PKGBUILD instead? Generally, I think Arch tries to prevent users from relying on bad signals, and this principle might be applied here too.

> i read all the pkgbuild diffs, still doesn't give me a good sense. sure,

Do you have an example of a diff that doesn't give a good sense? I review all my diffs too, but I feel like all of them give me a good sense of whether it's safe to install or not. I mean, why would I otherwise? What's the point in reviewing if you don't use it to make a decision on whether to install it or not?
zyuiop (an hour ago):

Well, ArchLinux has a product for you if you want packages that were vetted: the official repositories.

AUR is just a centralized place to put user created packages, like npm is a place to put user created node packages.
Hackbraten (2 hours ago):

> these are packages

PKGBUILDs are not packages. They're (user-contributed) instructions on how to build packages.

> available through the OS's repos.

No. The AUR is a platform, similarly to NPM or PyPI, that allows users to upload PKGBUILDs. It is not part of "the OS's repos," and it says that loud and clear, multiple times, including on the front page.
naturalmovement (2 hours ago):

[flagged]
embedding-shape (2 hours ago):

You seem to have a wild misconception of what the AUR actually is. It'd be more like a public toilet anyone could urinate in, and you lick the floor right next to the toilet and then are surprised that it tastes like pee. Of course there is pee on the floor, anyone can pee there!
neoCrimeLabs (2 hours ago):

A better analogy would be blaming a supermarket that hosts an outdoor farmers market because you contracted food poisoning from a stand owned by someone else, NOT for buying food from within the supermarket itself. Meanwhile one of the other customers has norovirus and is deliberately touching everything so others contract it.