• Ricaz@lemmy.dbzer0.com · +10 · 15 hours ago

      It’s a USER repository, where you literally download install files from unverified strangers.

      There’s a reason all the AUR helpers prompt you to verify all the files before they will build or install anything.

      • fruitcantfly@programming.dev · +1 · 10 hours ago

        I wonder what percentage of Arch users are actually capable of verifying that an AUR package is safe to install. I doubt that the number is very high, especially with the growing popularity of the distro.

    • ISO@lemmy.zip · +10 / -1 · 16 hours ago

      Yeah. The ArchLinux corporation must be losing money left and right because of this.

      Are they stupid?!

    • KassioAug@lemmy.dbzer0.com · +18 / -2 · edited · 18 hours ago

      The entire philosophy of Arch is to put the user in control. The PKGBUILD format is plain-text and reviewable. The documented best practice has always been to read the PKGBUILD and the .install files before building.

      I’m not saying they shouldn’t look into measures to make it less prone to such attacks, but “take it down” is a very stupid take. If people can’t deal with the existence of AUR, there’s plenty of different distros to choose already.

      • ZombieCyborgFromOuterSpace@lemmy.ca · +3 / -4 · 14 hours ago

        In control of installing malware?

        I get what you mean, but people are stupid. There needs to be guardrails to prevent these things from happening. That’s why the AUR is a bad idea and it should be shut down.

        You want your software to be available for a distro? Go through the proper channels. Submit it for review and get it approved. If you stop maintaining it, they remove it. Plain and simple.

        That’s why you don’t have this problem with other distros. Arch made it too easy to download and install unverified, untested, potentially malicious software through the AUR and now every idiot that thinks they know what they’re doing is infecting their systems.

        • KassioAug@lemmy.dbzer0.com · +2 / -1 · 7 hours ago

          There is some software that I only have because of the AUR. For example, Brother printer drivers.

          AUR is a great option to have. It doesn’t mean people should use it for everything, when there’s a perfectly capable version of the same software downloadable from Arch, Flathub or even through Distrobox.

          Having options is a good thing, people just need to take care.

          In fact, downloading something from AUR without checking it is hardly more dangerous than adding PPAs in Ubuntu.

          • ZombieCyborgFromOuterSpace@lemmy.ca · +1 / -1 · 38 minutes ago

            Hahahahaha they also come in Debian .deb and Fedora .rpm packages. That’s why I never got this problem with my hardware on Ubuntu or Debian.

            And no it’s not the same as PPAs.

          • ZombieCyborgFromOuterSpace@lemmy.ca · +3 · edited · 38 minutes ago

            Versatile, sure.

            But Arch is anything but simple. The proof is the number of Arch spinoffs that were made to make it easier to install and use.

            And any distro can be for competent Linux users. I mean, Linus Torvalds uses Fedora. I don’t think there’s a more competent user than him.

            • abc@suppo.fi · +1 · 11 minutes ago

              There’s conceptual simplicity and there’s UX. Arch is mostly the former.

    • 9tr6gyp3@lemmy.world · +25 · 22 hours ago

      I respect your opinion here, but they will absolutely not shut down the AUR since it’s the reason anyone uses Arch. Just like how piefed.ca doesn’t shut down just because a few users upload illegal things.

    • Lucy :3@feddit.org · +14 / -3 · 21 hours ago

      Anyone infected is at their own fault. Literally every single resource and official statement is “read the diff of what you execute”, which would prevent 100% of the attacks.

      I’d rather not get cut off from my regular updates for some idiots who can’t read or think rules don’t apply to them. And yes, people who don’t understand the PKGBUILD format shouldn’t use the AUR on their own.

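      The review step that Ricaz (“verify all the files”), KassioAug (“read the PKGBUILD and the .install files”) and Lucy (“read the diff of what you execute”) are talking about, as an added example that is not code from the thread or from any AUR helper. It assumes a fresh `git clone https://aur.archlinux.org/<pkg>.git` checkout; the function name `audit_aur_checkout`, the pattern list, the messages and the fixture files are my own. The caveat that matters: a PKGBUILD is a bash script and makepkg reads it by sourcing it, so any tool that “parses” an untrusted PKGBUILD that way has already run the uploader’s code. This helper only greps the files as text, and a clean run is a starting point for reading, not a verdict.

```shell
#!/bin/sh
# Added example: text-only review of an AUR package checkout. Not code from the
# thread or from any AUR helper; function, patterns and messages are assumptions.
# A PKGBUILD is a bash script and makepkg reads it by sourcing it, so never
# "parse" an untrusted one that way. These checks only grep. A clean result is
# not a verdict, it tells you where to start reading.
#
# Typical use:
#   git clone https://aur.archlinux.org/<pkg>.git && cd <pkg>
#   git log -p -- PKGBUILD '*.install'    # the diff since the version you last built
#   audit_aur_checkout .                  # then these heuristics

# Host part of a URL (handles https://, git+https://, ftp://).
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-z+]+://([^/:]+).*#\1#'
}

# Flag red flags in DIR/PKGBUILD and DIR/*.install, printing each finding.
# Returns 0 when nothing was flagged, otherwise the number of findings.
audit_aur_checkout() {
    dir=$1
    pkgbuild="$dir/PKGBUILD"
    n=0
    [ -f "$pkgbuild" ] || { echo "no PKGBUILD in $dir" >&2; return 99; }

    # 1. Sources fetched from a host other than the declared upstream url=.
    #    Mirrors and forges are legitimate exceptions, so this says "look", not "malware".
    upstream=$(grep -E '^url=' "$pkgbuild" | head -n 1 | cut -d= -f2- | tr -d "\"'")
    upstream_host=$(url_host "$upstream")
    for src in $(grep -oE '(https?|git\+https?|git|ftp)://[^"'"'"' )]+' "$pkgbuild"); do
        [ "$(url_host "$src")" = "$upstream_host" ] && continue
        echo "$pkgbuild: source host differs from url= ($upstream_host): $src"
        n=$((n + 1))
    done

    # 2. A 'SKIP' checksum means the fetched file is never verified. Expected for
    #    the VCS source of a -git package, suspicious for a tarball or a script.
    if grep -n "'SKIP'" "$pkgbuild"; then
        echo "$pkgbuild: checksum verification skipped (see above)"
        n=$((n + 1))
    fi

    # 3. Code that runs something fetched or decoded at build or install time.
    for f in "$pkgbuild" "$dir"/*.install; do
        [ -f "$f" ] || continue
        if grep -nE '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|[[:space:]]eval[[:space:]]|/dev/tcp/' "$f"; then
            echo "$f: fetched or obfuscated code executed (see above)"
            n=$((n + 1))
        fi
    done

    # 4. .install scriptlets run as root on install/upgrade. Anything beyond the
    #    usual cache refresh (network, user homes, services, cron) deserves a read.
    for f in "$dir"/*.install; do
        [ -f "$f" ] || continue
        if grep -nE 'curl|wget|git clone|\$HOME|/home/|systemctl enable|crontab' "$f"; then
            echo "$f: install scriptlet touches network, homes or persistence (see above)"
            n=$((n + 1))
        fi
    done

    return "$n"
}
```

      Run it from inside the checkout after reading the `git log -p` output; the exit status is the number of findings, so it drops into a shell `if` or a pre-build hook. The host comparison in step 1 is deliberately loose (a `-bin` package that pulls a release tarball from a forge rather than the project site will be flagged), because the point is to make you open the file at the right line, not to replace reading it.
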
      • ZombieCyborgFromOuterSpace@lemmy.ca · +2 / -1 · 14 hours ago

        100%

        But this is the problem. It’s like if Microsoft provided Windows with Limewire as a solution to download software. There’s bound to be people who are going to exploit it for malicious reasons, and there’s bound to be idiots who are going to fall for it. Heck, there’s the possibility that even someone who knows what they’re doing might also get caught at some point.

        It’s dangerous and irresponsible.

      • makeshift0546@lemmy.today · +7 / -20 · edited · 21 hours ago

        Peak Linux nerd shit.

        People just want their updates to work and you’re out here screeching that users are holding it wrong and to read a bunch of diffs 🤣

        • Ooops@feddit.org · +12 · 18 hours ago

          No, it’s actual reality. There are more than a hundred thousand packages in the AUR. There are explicit warnings that these are user content and should be used with care.

          And now a minuscule percentage (~1%) of orphaned packages, so those with very little interest in them, are taken over by some malicious actors to spread malware.

          And people suddenly pretend like this is a catastrophe for Linux (no one cares) and for Arch and its derivatives (which don’t operate the AUR by definition and explicitly warn against using it without caution). If I told you that not 1, but 10% of the most obscure software packages you can download and install on Windows are pure malware, you wouldn’t even blink an eye. And yet all the morons now come crawling from their caves flooding everything with memes and bullshit of “haha, now we know you lied to us and Linux isn’t secure at all!”.

          • Lucy :3@feddit.org · +2 · 17 hours ago

            I think we should be proud. Linux is finally large enough to at least sort of get “hit” by a malware campaign, and it demonstrates the ease with which thousands of infected packages can be cleaned, because they are centralized to a few repositories. M$’s only bet would be to update Defender’s index and cross fingers that the signature doesn’t change.
            Windows malware is always way out of control of M$, while that’s also the norm of uninfected programs.
            Almost all Linux programs are by design installed from a central repo.

        • Lucy :3@feddit.org · +10 · edited · 19 hours ago

          That’s like saying “I just want to bungee jump off this bridge” when the bridge is 10m above active traffic.

          This piece of infrastructure is not designed to work this way. It’s made for Linux nerds. Not unknowing users. And I don’t see why the AUR should punish the former because the latter are ignorant. So either be able to understand and actively read the things you’re running or just don’t.

        • Undaunted@feddit.org · +8 · 20 hours ago

          There are plenty of other distros users can choose from, if they don’t want to deal with that. But picking one that is designed for advanced “nerdy” users and then ignoring those explicit warnings is just pure negligence.

        • Maddier1993@programming.dev · +2 · 16 hours ago

          Peak Linux nerd shit.

          Next thing you’re gonna tell me you eat random shit found on the road and it’s nerd bullshit to check if it’s safe or not.