• mecen@lemmy.ca · 3 upvotes · 1 hour ago

    To be fair, the AUR should be merged with Nix or something to share efforts and be cross-platform.

    There are also AppImages; if used as FlatImage, which uses bubblewrap as a sandbox, even if there is malware its impact would be minimized.

  • parlaptie@feddit.org · 3 upvotes · 2 hours ago

    Is this referring to some specific event or is it just a general warning about AUR?

    I use AUR for “legacy” NVidia drivers btw

  • trackball_fetish@lemmy.wtf · 3 upvotes · 2 hours ago

    I’d just like to interject for a moment. What you’re referring to as Berkeley Software Distribution is, in fact, Unix, or as I’ve recently taken to calling it, Ma Bell Berkeley Unix.

  • muusemuuse@sh.itjust.works · 4 upvotes · 3 hours ago

    Back when I was learning Arch, they made sure you understood the AUR is an option; it was never a good option. Even then the risks were just not worth it.

    My understanding of the AUR was that it was supposed to be a “here’s how I made this work.” But it gets treated as a generic repo all the time, so… this.

  • punkcoder@lemmy.world · 87 upvotes · 9 hours ago

    Real talk for a moment: there isn’t a system alive that currently solves the supply chain attack issue. There’s a trade-off between usability and security. You can be as secure as you want to be; all it takes is a small accident by one developer in a package that you’re using, even if they’re using GPG signing, to accidentally upload a package that’s been tampered with. It stinks, but that’s the reality. What I think should be applauded is the thoroughness with which the Arch developers are going through the repo right now trying to find these packages. I don’t know the specifics, but if they’re like other open source developers, they’re unpaid people doing this out of their love for the software and community. And more than likely, this is a headache on top of headaches that they already have, that they’re dealing with for the love of the community.

    • RustyNova@lemmy.world · 2 upvotes · 1 hour ago

      Idk how the AUR works, but I like that Nix fetches the source from the repo and also checks its hash against a maintainer-provided one. Prevents repo hijacking.

      Although it’s still pretty much vulnerable if the attacker controls both the Nix file and the repo.

  • CubitOom@infosec.pub · 9 upvotes · 1 downvote · 7 hours ago

    I use the AUR extensively; I wasn’t impacted by the supply chain attack because I read the diffs.

    • ReginaPhalange@lemmy.world · 10 upvotes · 3 hours ago

      Be real for a second:
      did you, or did you not, manage to review a diff and say “no, that looks fishy”?

      Do you really think you are immune from compromised binary AUR packages that are being downloaded straight from GitHub? Sure, now it’s not only the AUR that’s bad, but at the end of the day, a malicious binary did arrive at your computer.

      Let’s say that you don’t use *-bin packages and only download from compilable source; are you immune from the strategy that the state actor who caused CVE-2024-3094 used to compromise packages?

      • CubitOom@infosec.pub · 2 upvotes · 1 hour ago

        “in the end of the day, a malicious binary did arrive at your computer.”

        No, it didn’t.

        • wizardbeard@lemmy.dbzer0.com · 6 upvotes · 8 hours ago

          I legitimately have not had virus issues with Windows in over a decade. Using uBlock Origin for ad blocking and the built in Microsoft antivirus. Every few months for the first few years I’d put it through the wringer of a bunch of USB-bootable antivirus scanners. They kept finding nothing, so I slowed and eventually stopped bothering.

          Common sense and an ad blocker do wonders.

          • OwOarchist@pawb.social · 4 upvotes · 3 hours ago

            Trying to run pirated games will burn you occasionally, though.

            But that’s okay. My gaming PC is only for gaming. If it manages to get a virus that I can’t quickly resolve, I’ll just wipe it and restore from backup. And the biggest tragedy there will be that I won’t be able to play games for a few hours. Meanwhile, my Linux PC that does everything important is completely safe.

  • agentTeiko@piefed.social · 23 upvotes · 6 downvotes · 10 hours ago

    I’m not going to lie, the AUR never made sense to me. If you are going to go to all that trouble, why not just package it? Source packages are a thing.

    • Štěpán@lemmy.cafe · 18 upvotes · 9 hours ago

      it makes sense to me. remove as much friction from the publishing process as possible, so you get a huge amount of packages. this incident just shows they removed a little too much.

      there are so many niche packages on the aur useful to so few people that nobody would go through the official process to properly package, test, and maintain them.

      for example: vscodium is a fork of vscode, but microsoft disables the marketplace for it. the vscodium-marketplace package from the aur adds it anyway. i don’t think any regular repos have these kinds of hacks and patches available.

      • agentTeiko@piefed.social · 2 upvotes · 7 hours ago

        It just seems odd to me: if there is no maintenance, why not just build a package yourself from the devs’ provided source code? Maybe I’m just an old man, but it seems that without the ongoing maintenance it would be about the same as, for example, using buildpackage and apt-build on Debian, but that is a local repo for just me. So if something goes wrong it only affects me, not the whole internet.

      • TheMightyCat@ani.social · 2 upvotes · 7 hours ago

        Not to discredit your point about the AUR, as I use it plenty myself, but for this specific case, is there a reason to use vscodium on Arch, since they ship code as an official package which has a marketplace?

        • curbstickle@anarchist.nexus · 5 upvotes · 5 hours ago

          IIRC, isn’t that just a build right out of the MS repo? So all the telemetry would still be there by default, which vscodium removes. If I am remembering right, that would be the best reason IMO.

    • rtxn@lemmy.world (M) · 25 upvotes · 1 downvote · 10 hours ago

      The developers themselves are often not the package maintainers. Before a package is published or updated in one of the official Arch repos, it has to be built, tested, and sometimes patched (which is why you see a -1, -2, etc. appended to the package version), in order to work correctly not just on its own but in an Arch system with Arch packages that it is likely to encounter. The process is not as thorough as Debian for example, but it’s still the responsibility of the package maintainer. If the package is still in early development, deprecated (e.g. wine32), an out-of-tree kernel module (e.g. xpadneo-dkms), or is meant to be built from the latest available commit (any number of *-git packages), the AUR is a convenient way to share PKGBUILD files rather than have the user build the software manually based on a readme, if it even includes build instructions. The PKGBUILD is then ingested by makepkg, which both configures the environment and builds the software, and outputs a package that can then be installed and managed by Pacman.

      The caveat is that packages built from the AUR are not vetted by any package maintainers. They can have bugs, they might depend on outdated or no-longer-existent packages, or might contain malware.
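      As an added example (not code from this thread, from makepkg or from any AUR package), a Python audit of the checksum pinning that a PKGBUILD's source=() and sha256sums=() arrays provide: it covers the repo-hijacking protection RustyNova describes above (a pinned hash catches an upstream file that changed) and the caveat behind this comment, namely that an entry whose checksum is 'SKIP' or whose VCS source carries no #commit= or #tag= fragment is not verified at all, so the PKGBUILD author is the only line of defence. The PKGBUILD text, URLs, file names and file contents are constructed, and the array parser is a simplification assumed sufficient for that constructed input.

```python
import hashlib
import os
import re
import tempfile
# Constructed sample inputs (not from the page or any real AUR package).
GOOD_TARBALL = b"hello\n"
GOOD_SHA = hashlib.sha256(GOOD_TARBALL).hexdigest()
EMPTY_SHA = hashlib.sha256(b"").hexdigest()
SAMPLE_PKGBUILD = f"""\
pkgname=example-tool
source=("example-tool-1.2.0.tar.gz::https://example.invalid/v1.2.0.tar.gz"
        "helper::git+https://example.invalid/helper.git"
        "fix-build.patch")
sha256sums=('{GOOD_SHA}'
            'SKIP'
            '{EMPTY_SHA}')
"""
def parse_array(text, name):
    """Quoted items of a bash array like sha256sums=('a' 'b'); simplified, not a bash parser."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    return re.findall(r"""['"]([^'"]+)['"]""", m.group(1)) if m else []

def audit_pkgbuild(text, srcdir):
    """Return (source, finding) pairs a reviewer should look at before running makepkg."""
    findings = []
    for src, expected in zip(parse_array(text, "source"), parse_array(text, "sha256sums")):
        name, sep, url = src.partition("::")  # makepkg: 'name::url' names the download
        url = url if sep else src
        if expected == "SKIP":  # makepkg performs no verification at all for this entry
            if url.startswith(("git+", "git://", "hg+", "svn+", "bzr+")):
                if not re.search(r"#(commit|tag)=", url):
                    findings.append((src, "VCS source not pinned to a commit or tag"))
            else:
                findings.append((src, "SKIP disables checksum verification"))
            continue
        path = os.path.join(srcdir, name if sep else url.rsplit("/", 1)[-1])
        with open(path, "rb") as fh:
            actual = hashlib.sha256(fh.read()).hexdigest()
        if actual != expected:  # upstream file changed (or was hijacked) after the hash was pinned
            findings.append((src, "sha256 mismatch against pinned hash"))
    return findings

def demo(tarball_bytes=GOOD_TARBALL):
    """Lay the sources out in a temp dir, as if already downloaded, and audit them."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "example-tool-1.2.0.tar.gz"), "wb") as fh:
            fh.write(tarball_bytes)
        open(os.path.join(d, "fix-build.patch"), "wb").close()
        return audit_pkgbuild(SAMPLE_PKGBUILD, d)
```

      With the untouched tarball only the unpinned git source is flagged; pass different tarball bytes to demo() to see the pinned hash catch a changed upstream file.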

    • Shatur@discuss.tchncs.de · 13 upvotes · 1 downvote · 10 hours ago

      “Source packages are a thing.”

      AUR is a repository for user-hosted source packages (in Arch it’s called PKGBUILD). You can write PKGBUILD yourself or just download it from AUR if someone already made it.

  • Gork@sopuli.xyz · 12 upvotes · 10 hours ago

    It bothers me that the movie this meme is based on removed the head rests. Smh my head.