Well, there are a lot of these packages going around the world all the time, and very seldom does anything like this happen. I just don’t want people thinking that FOSS isn’t safe.
Yeah, I admire the arch linux’s team transparency. A non-power user might see these news and think “linux is dangerous”, without thinking that windows and mac also have malicious programs that can be installed too.
I haven’t seem all packages, but some of them seem shady and with 0.0 popularity on the AUR, it’s already suspicious by itself. People gotta be careful when installing AUR packages.
Arch Linux says the AUR is just a collection of user scripts. Use at your own risk. Anybody can upload some shit. Always check the PKGBUILD before you continue. Never use so-called AUR helpers to automate the process to the point that you have less control, also wrt future updates and upgrades.
Then some Arch-based distros create AUR helpers and integrate them into their distro experience, even with automatic updates & upgrades and GUIs and whatnot. Some of these distros are very popular, even more so than Arch Linux itself, in the short term. This also contributes to the pollution of the AUR. Malicious hackers are never attracted to a less popular distro that requires its users to understand what they’re doing.
Blame those distros and all who contribute to AUR helpers, or tend to not read the PKGBUILD before installing - not the AUR itself.
Or make it so that the AUR has a modicum of security and not allow brand new accounts to adopt orphaned packages and immediately push out malware without any form or reviews, checks, or interventions.
If I copy paste a malicious script here and you run it without knowing/checking what it do, do you think your instance admin should also put more rules and restrictions for the whole instance? AUR is no different than github or pastebin. It is on the user to vet what script they are running. Arch already has a more strict and vetted repo by the maintainer. Having AUR be a vetted place has no real good solution because of easy botting.
It’s basically a public wiki of scripts, being editable by anyone is the entire point.
If you don’t want to run random scripts from random people, don’t use AUR.
That’s not what the AUR does. They simply provide a platform for users to share build scripts. There isn’t much they can do beyond trying to vet accounts based on flimsy metrics, or weeding things out every now and then.
The problem is that some people and even distros treat the AUR as a trusted source of software.
All user repositories (javascript, Python etc.) suffer from malware btw.; the AUR is different in that it explicitely puts the responsibility of building packages on the user.
Well, there are a lot of these packages going around the world all the time, and very seldom does anything like this happen. I just don’t want people thinking that FOSS isn’t safe.
Yeah, I admire the arch linux’s team transparency. A non-power user might see these news and think “linux is dangerous”, without thinking that windows and mac also have malicious programs that can be installed too.
I haven’t seem all packages, but some of them seem shady and with 0.0 popularity on the AUR, it’s already suspicious by itself. People gotta be careful when installing AUR packages.
I’m not saying it wasn’t safe, it’s just perhaps not quite as safe as some of the other ones.
What sort of standards are these packages built to?
Well, the packages are not supposed contain malware for a start.
For the AUR I think anything goes.
Well, cardboard’s out.
What happens is this:
Arch Linux says the AUR is just a collection of user scripts. Use at your own risk. Anybody can upload some shit. Always check the PKGBUILD before you continue. Never use so-called AUR helpers to automate the process to the point that you have less control, also wrt future updates and upgrades.
Then some Arch-based distros create AUR helpers and integrate them into their distro experience, even with automatic updates & upgrades and GUIs and whatnot. Some of these distros are very popular, even more so than Arch Linux itself, in the short term. This also contributes to the pollution of the AUR. Malicious hackers are never attracted to a less popular distro that requires its users to understand what they’re doing.
Blame those distros and all who contribute to AUR helpers, or tend to not read the PKGBUILD before installing - not the AUR itself.
Or make it so that the AUR has a modicum of security and not allow brand new accounts to adopt orphaned packages and immediately push out malware without any form or reviews, checks, or interventions.
If I copy paste a malicious script here and you run it without knowing/checking what it do, do you think your instance admin should also put more rules and restrictions for the whole instance? AUR is no different than github or pastebin. It is on the user to vet what script they are running. Arch already has a more strict and vetted repo by the maintainer. Having AUR be a vetted place has no real good solution because of easy botting.
It’s basically a public wiki of scripts, being editable by anyone is the entire point. If you don’t want to run random scripts from random people, don’t use AUR.
Oh, very rigorous software engineering standards.
That’s not what the AUR does. They simply provide a platform for users to share build scripts. There isn’t much they can do beyond trying to vet accounts based on flimsy metrics, or weeding things out every now and then.
The problem is that some people and even distros treat the AUR as a trusted source of software.
All user repositories (javascript, Python etc.) suffer from malware btw.; the AUR is different in that it explicitely puts the responsibility of building packages on the user.
…
I’m still missing some palpable information about these injections/malwares.https://bbs.archlinux.org/viewtopic.php?id=313892
Absolutely ludicrous. These are very very strong packages.
Is that not the case already? If not I’m sure it’ll be one of the fixes.
Well, there are regulations governing the code they can be made of.
Well, I was thinking more about the other ones.