• Ŝan • 𐑖ƨɤ@piefed.zip
    link
    fedilink
    English
    arrow-up
    0
    ·
    23 days ago

    Ha! Infosec has been telling us to update out software frequently because it’s safer. My strategy of bone-idleness and updating only once a monþ or two is looking pr-etty smart.

    • flying_sheep@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      23 days ago

      That’s not how that works.

      • when you use distribution-provided packages, you trust the distribution maintainers
      • when you use the AUR you trust the upstream project and check the PKGBUILD because the maintainer can change

      In some cases, upstream also maintains the AUR package, in which case you can probably trust that it’ll not be abandoned

    • KassioAug@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      0
      ·
      23 days ago

      Nope. Distrobox does not offer any meaningful protection, since its purpose is to integrate with the system. It’s basically meant to make downloading and managing packages from different distros, on the same system, much easier… but it’s not meant to protect and isolate your device the same way that Flatpak or other type of containers do. That baing said, stop relying on Distrobox as a safety measure, and check your recently installed and updated packages since 9th June, to make sure you were not infected.

  • niva@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    23 days ago

    Wow, I have 229 AUR packages installed but none of them is on the infected list!

    Am I just lucky?

      • onnekas@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        0
        ·
        23 days ago

        How do you guys check against that list? Especially when people have so many aur packages. I simply searched the list for each package manually but I only have 5. Do you write scripts?

        • flying_sheep@lemmy.ml
          link
          fedilink
          English
          arrow-up
          0
          ·
          23 days ago

          So far I’ve just checked the diff of every package update. But with that many, I think we should maybe start using using the script provided in the article that you evidently didn’t read.

    • texture@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      23 days ago

      i have a few machines and lots of aur packages and none of mine have a single hit either

      • niva@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        0
        ·
        21 days ago

        Same here. Just checked against the new list with 1937 packages and still don’t have a match.

  • gnufuu@lemmy.ca
    link
    fedilink
    English
    arrow-up
    0
    ·
    24 days ago

    Can’t load the article but I assume Arch’s rolling release way of doing updates makes this quite the disaster.

    • esc@piefed.social
      link
      fedilink
      English
      arrow-up
      0
      ·
      24 days ago

      It makes a big headline and a small impact. It’s not official arch packages that were compromised.

    • insomniac_lemon@lemmy.cafe
      link
      fedilink
      English
      arrow-up
      0
      ·
      23 days ago

      Forenote: image text unrelated, but somewhat relevant.

      Me, not updating my system in many months due to a box of various issues: Michael Scott Handshake meme

      ~7Mbps shared internet, Arch expecting regular updates (and me not setting up the timer stuff to prevent those issues), and most recently before this my 1050Ti becoming legacy and Arch moving the legacy driver onto the AUR (I updated stuff from the AUR even less, so this is a blocker for me).

      I probably need a new distro at this point, but not convinced by any. In any case an AMD GPU would also help, but also probably not happening on my terms either.

    • Crozekiel@piefed.zip
      link
      fedilink
      English
      arrow-up
      0
      ·
      24 days ago

      Eh, depends really. The AUR is not the default place to install software from, it’s all user created and comes with warnings almost anywhere you have access to it. I’ve generally used Octopi to install packages and you have to jump through some hoops to even have it show you packages from the AUR. Generally, running updates for the system, from the Arch flavors I’ve used anyway, by default doesn’t update packages installed from the AUR and you generally update them deliberately and separately. As an example, on my Garuda systems I only have 3 packages installed from AUR and they are so rarely used I forget about them a lot… I’m a bad sysadmin for myself and they don’t get updated nearly as often as the main system packages.

      But, do other people use their system differently? Absolutely. They have likely ignored several warnings (or read them and accepted the risks) to get there though.

  • jason@discuss.online
    link
    fedilink
    English
    arrow-up
    0
    ·
    23 days ago

    So, I’m totally fine because I always manually install from the AUR? This is more of a problem for people using those AUR helpers that make a package manager out of it, right?

    • caseyweederman@lemmy.ca
      link
      fedilink
      English
      arrow-up
      0
      ·
      24 days ago

      I think there was a word missing.
      To respond to what I think you were saying, this event happened in the Arch User Repository, and not the official repositories.
      Arch is very clear that they are not responsible for what goes on in the AUR. For example on https://aur.archlinux.org/ :

      DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.

      The Debian equivalent would be somewhere between extrepo and PPAs.

      • stealth_cookies@lemmy.ca
        link
        fedilink
        English
        arrow-up
        0
        ·
        24 days ago

        I think the comment makes sense, if more packages were supported on the main Arch repos there would be less of a need to use the AUR or Flatpaks.

        There are definitely some big gaps on the Arch repos (web browsers in particular) that I would like to see improved.

        • caseyweederman@lemmy.ca
          link
          fedilink
          English
          arrow-up
          0
          ·
          24 days ago

          You’re right, but web browsers can be pretty brutal to build and they are for sure never going to add -bin versions.

          • stealth_cookies@lemmy.ca
            link
            fedilink
            English
            arrow-up
            0
            ·
            23 days ago

            I don’t understand this argument. Isn’t it better to build once and distribute binaries than to make everyone compile it themselves? The vast majority of AUR packages I use are -bin versions.

            • caseyweederman@lemmy.ca
              link
              fedilink
              English
              arrow-up
              0
              ·
              23 days ago

              You don’t get to see the code that way, which is where bad actors thrive. Also it wasn’t compiled for exactly your system.

        • sonofearth@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          23 days ago

          Yep an easy agree. Popular browsers like Zen, Helium and (god forbid) Brave should be directly in the official repos. So should be Jellyfin. It just makes sense given that debian repos have far more packages.

      • Mwa@thelemmy.club
        link
        fedilink
        English
        arrow-up
        0
        ·
        24 days ago

        maybe i went offtopic but i was comparing the AUR To Debian’s repos, i see that Debian has more packages in its repos(things like Llama-CPP and Open arena is in debian but arch needs the AUR)
        thats what i meant

  • RedditRefugee69420@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    22 days ago

    Tons of clawing at each other’s throats in the comments here, largely declaring one another retarded for their use or misuse of AUR or thanking their lucky stars that none of their packages are on the list (so far), but not much that’s helpful for those less fortunate. Maybe nobody’s saying anything to that end because the article already covered it, but this is the second out of two times I’ve visited cybersecuritynews.com and been stuck in an “Are you a bot?” loop that never ends no matter how much of my browser’s safeguards I peel off.

    Here’s what steps I did so far, based on following the links I found in this thread (especially the GitHub comments under one of the links):

    1. pacman -Qm in console yielded a list of all the AUR packages that are installed on the system

    2. CTRL+F the results one-by-one in the apparent most up-to-date list: https://md.archlinux.org/s/SxbqukK6IA

    3. I have one on that list, specifically wine-nine, so I ran bat --style header,snip,changes /var/log/pacman.log | grep wine-nine which yielded the following (at the bottom of a very long list of apparent updates I’ve run since installing the OS):

    [2026-06-05T20:37:06-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

    [2026-06-07T21:50:58-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

    [2026-06-08T20:56:54-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

    [2026-06-09T21:38:44-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

    [2026-06-10T21:58:52-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

    [2026-06-12T20:18:37-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

    [2026-06-12T20:18:37-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

    (Like a good little Arch user I’ve been updating pretty frequently)

    1. Now what?

    I saw something that said “check for suspicious processes running as root” but I have no idea what that would look like.

    I saw something that said I need to redo all of my passwords and tokens. Any way to check if that’s necessary or should I just assume I’ve been pwn3d?


    In using pacseek I think I’ve discovered wine-nine hasn’t been modified in the AUR since “2024-12-07 - 15:18:31 (UTC)” so can I relax a bit? I’m currently going through my list of AUR packages and deciding whether or not I need them as badly as I originally thought. Sadly my distro is one of those that decided to lean on AUR, because most of my list (apart from two) I don’t recognize as something I’ve installed myself.


    pacseek would not let me remove the following AUR packages (which thankfully are not in the list (yet)):

    :: removing electron41-bin breaks dependency 'electron41' required by deltachat-desktop - an encrypted chat application I installed (not via AUR) I suppose I could find an alternative for

    :: removing electron41-bin breaks dependency 'electron41' required by freetube - a YouTube frontend I installed (not via AUR) I suppose I could find an alternative for

    :: removing libsoup breaks dependency 'libsoup' required by webkit2gtk - no idea what webkit2gtk is


    I only just now realized that chaotic-aur is probably just as problematic as AUR, both in my decision to use packages at all as well as my searching the list of compromise packages, yes? I have tons more packages under that, most of which I think came with the OS.

    • Crozekiel@piefed.zip
      link
      fedilink
      English
      arrow-up
      0
      ·
      21 days ago

      Chaotic is not just as problematic, thankfully. They have systems in place to flag suspicious changes for human review before letting them out and it has, so far, prevented them from shipping any compromised updates.

      I thankfully hadn’t updated anything from the AUR for a couple of months (it doesn’t happen by default when I update the rest of my system) and was unaffected, and after looking at the list of things I had from the AUR, I didn’t need any of them… So I now have zero AUR packages on either of my systems.

      • RedditRefugee69420@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        11 days ago

        Ironic, given the name.

        I’m very new to Arch so I’m still confused as to where I stand. Hopefully I haven’t been pwned. Sadly, my distro includes AUR packages by default.

        • Crozekiel@piefed.zip
          link
          fedilink
          English
          arrow-up
          0
          ·
          10 days ago

          My distro (Garuda) included a couple back when I originally installed it, but doesn’t use them currently (namely wine-nine - which was affected) but the built-in system update didn’t touch AUR unless you explicitly tell it to, so that saved my bacon in this situation (my AUR packages hadn’t been updated in 2 months).

          • RedditRefugee69420@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            8 days ago

            How do I check to see if that’s the case for me too?

            As I showed above, I also had wine-nine, but I can’t tell if that log is listing all the times wine-nine was updated or all the times I updated with wine-nine installed.

            I’m leaning toward the latter given it was just listing wine-nine 0.10-1 repeatedly, implying it never updated past that in the dangerous period, right?

  • xthexder@l.sw0.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    23 days ago

    Not even having npm installed as a system package feels like a personal win right now. I’d like to think I would have caught this due to the number of dependencies it would introduce to my system. node_modules seems like it’s been the source of most of the recent CVEs I’m hearing about.

    • HaraldvonBlauzahn@feddit.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      23 days ago

      Are you aware how github works, or open source development in general ?

      Some users ate developers, too.

      Some people write code, others may try it out, and a few of the latter might help with developing it. And some of these efforts become popular.

      That’s how we have Linux or KDE.

      It is all based on open sharing.

      And of course you can opt to not run code that you don’t know, or don’t understand , or don’t trust.

    • GameEngineer@infosec.pub
      link
      fedilink
      English
      arrow-up
      0
      ·
      23 days ago

      So what would the alternative be? If the resources or desire don’t exist to make a package official, how else would you install it?

      • BlackLaZoR@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        23 days ago

        You’re missing the point entirely. I’m talking about inspecting the scripts not about making packages

        • GameEngineer@infosec.pub
          link
          fedilink
          English
          arrow-up
          0
          ·
          23 days ago

          Sorry if I was unclear. You usually don’t inspect the install scripts for official packages since you put the trust in the official team. You don’t trust(or at least shouldn’t) AUR packages, hence you should inspect the install script for those packages. I don’t really see what the alternative would be.

          • BlackLaZoR@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            23 days ago

            Well, the alternative would be for moderation team to inspect them, with clear signaling of which scripts are trusted and which aren’t.

            • HaraldvonBlauzahn@feddit.org
              link
              fedilink
              English
              arrow-up
              0
              ·
              23 days ago

              But this is exactly what the top comment of Cease talks about: There is no moderation team. You seem to think that it is the job of the maintainers of the Arch Linux distribution is to vet and review the AUR packages. But they take care for the - much more widely used - Arch distro packages and are busy with this. They have enough to do. And the AUR packages are not part of the Arch distro.

              The AUR is basically a server where users can store their own packages so that othery can use it. As its name says: Arch User Repository.

              • BlackLaZoR@lemmy.world
                link
                fedilink
                English
                arrow-up
                0
                ·
                23 days ago

                There is no moderation team.

                And that’s why it’s fundamentally shit idea on so many levels. Instead of having one person to inspect let’s make every single user expert or not to inspect every package each individually. This is fucking retardation at its finest.

                • amda@feddit.nl
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  23 days ago

                  There IS one person that inspect the code for everyone, that’s the package maintainer. But it’s a random voluntary contribution from some random person who you should not blindly trust. That’s the point of the AUR, one person makes it significantly easier to install for everyone. The point is to be better than installing directly from somewhere like GitHub. For actual good moderation there are officials repos

  • malloc@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    24 days ago

    Is this the first time AUR has been compromised to this degree?

    Given how changes are often unvetted, I am surprised this hasn’t occurred before.

    • De Lancre@lemmy.worlddeleted by creator
      link
      fedilink
      English
      arrow-up
      0
      ·
      23 days ago

      Is this the first time AUR has been compromised to this degree?

      I do believe so, yes. There was couple of cases in last year, but never to this extend. If I understand correctly, reading arch thread, it something to do with the fact that anyone can “adopt” orphaned package on AUR. Which is kinda wild.

      • Ŝan • 𐑖ƨɤ@piefed.zip
        link
        fedilink
        English
        arrow-up
        0
        ·
        23 days ago

        anyone can “adopt” orphaned package on AU

        Þis is þe important point. I vet my AUR installs by checking upstream, but I don’t vet every package for every upgrade. Or, even, most. AUR could have a little more oversight wiþ relatevely little impact. E.g. a cursory initial check and þen an AUR rule preventing anyone from changing þe source repos on an existing package would make a huge difference. AUR is a centralized package list; a simple diff on source preventing inclusion in þe pkglist, and flagging þe package for review, say. Not foolproof, but it’d prevent þe most trivial exploits.

        Frankly, whatever problems GPG may have, AUR is a perfect use case for þe web of trust. Having maintainers have to sign packages would make exploits even harder. Not fookproof, but harder þan “effortless.”

        • northernlights@fedia.io
          link
          fedilink
          arrow-up
          0
          ·
          23 days ago

          You may or may not have commented something useful. I don’t know. Your retarded spelling right off the bat makes the whole thing moot.

  • lazylemons@lemmy.today
    link
    fedilink
    English
    arrow-up
    0
    ·
    24 days ago

    I have always been nervous about this type of thing happening with the AUR. Thankfully many packages I used to need the AUR for have since added native versions or made flatpaks. I hope AUR users don’t have too many issues from this!

    • Holytimes@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      0
      ·
      24 days ago

      flatpaks arn’t any safer and with how poor the sandbox is handled by 99% of devs. Hell flatpaks have a new issue every other month. Its almost more often to see a new flatpak problem then aur problem.

      Its literally no safer in reality sure on paper its safer but reality has proven that flatpaks just are not some magical fix to this problem.

      Hell half the time when flatpaks do have issues they go unaddressed or fixed for months after they are found. While AUR problems get smacked real fucking fast after they are found.

      • coolguy98@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        22 days ago

        I agree that Flatpak’s utilization of sandboxing is weaker in practice than is marketed. I get that many apps ship with home/host filesystem access instead of granular permissions, but it does provide meaningful isolation when used correctly.

      • Eldritch@piefed.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        24 days ago

        The one positive with flatpak is that it allows for universal deployment. A lot of projects are providing official builds. But you are still relying on them to vet what they put in.

  • KassioAug@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    23 days ago

    I was starting to get too confident in AUR. Thankfully I wasn’t affected. Just replaced all possible AUR packages to their respective Arch and Flatpak alternatives, with exception of very few or from the ones I had no option. But will definitely check before updating them, and will only install AUR packages as a last resort.

    • HaraldvonBlauzahn@feddit.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      22 days ago

      Have a look into the Guix package manager. It works fine on top of Arch, and Guix has 31,000 packages now. Great for cross-language development and also suitable for early sharing of projects. npm support is a bit weak though, but packages written in Python, Rust, or functional languages are well represented.

      • Jason2357@lemmy.ca
        link
        fedilink
        English
        arrow-up
        0
        ·
        22 days ago

        Thats like nix packager, right? Looks interesting to layer on top. Says they are all reproducible builds which is nice.

        • HaraldvonBlauzahn@feddit.org
          link
          fedilink
          English
          arrow-up
          0
          ·
          edit-2
          22 days ago

          Yes, Guix is initially a clone of Nix and has still remains of shared code (the build daemon).

          Differences:

          • Guix packages are defined in a Scheme dialect called Guile, a nice minimal functional language
          • Guix was created as a GNU project and stresses the importance of free software with strong copyleft
          • everything is built from source
          • very good and well organized documentation