Arch Linux AUR Hit By Another Wave Of Now More Sophisticated Malware Attack

HaraldvonBlauzahn@feddit.org · 2 days ago

Arch Linux AUR Hit By Another Wave Of Now More Sophisticated Malware Attack

YiddishMcSquidish@lemmy.today · 1 day ago

I wonder if this is because of steamOS switching to Arch, and they have a wider target now.

deathmetal27@lemmy.world · 14 hours ago

Steam OS is immutable and does not enable AUR use by default.

Unless you’re a power user you probably won’t be using AUR on Steam OS.

HaraldvonBlauzahn@feddit.org · 1 day ago

Another thing is perhaps GenZ does not grok PC security. Security-wise, a Linux PC is very different from an iPhone, because everything shares the home folder.

Voytrekk@sopuli.xyz · 2 days ago

I think this shows that the process of changing ownership of an orphaned package needs to be a manual process.

Of course, AUR packages also need to be thoroughly vetted by the end users to avoid unexpected changes.

starshipwinepineapple@programming.dev · 2 days ago

So you remember how your helper asks you to see diffs … you take a look at those and understand them before approving, right?

Because I’m getting the sense that people are not doing that

KyuubiNoKitsune@lemmy.blahaj.zone · 2 days ago

And if you’re not a developer?

bitfucker@programming.dev · 1 day ago

Then don’t use an automatic AUR helper. Use chaotic aur if you must. Or use aurto

starshipwinepineapple@programming.dev · 2 days ago

Then learn to read the diffs. Most of the time they are changing the version number and package hash which is mundane and nothing to worry about. If more than that changed then that should make you curious why and dig deeper.

KyuubiNoKitsune@lemmy.blahaj.zone · 1 day ago

I know how, I’m just saying, not everyone has the technical acumen.

starshipwinepineapple@programming.dev · 1 day ago

Right, and I’m saying that a lot of updates are mundane and easy for anyone to read. And if they aren’t mundane then look into it. Try to learn. The alternative is to run code you don’t understand and hope for the best which didn’t work out for people here. So if you don’t want to try to learn, and you don’t want to blind trust, then the alternative is to not use the AUR.

Like one of the attack vectors was adding a “post install” step that was a bunch of obsfucated gibberish which should’ve been a red flag for anyone, technical acumen or not

Thorned_Rose@sh.itjust.works · 2 days ago

You don’t need to be a developer to read diffs and package builds. I have memory and cognitive impairment and manage fine. I’m also not remotely into software programming.

Attacker94@lemmy.world · 2 days ago

Even if you aren’t a dev, any user that chooses to use the aur should do their due diligence. There is a reason why I prefer flatpacks over aur, I don’t want to have to check diff’s every update.

dadarobot@lemmy.ml · 2 days ago

this is awful. the aur is my favorite feature of arch based distros.

mystic-macaroni@lemmy.ml · 22 hours ago

Really? Not pacman?

dadarobot@lemmy.ml · 16 hours ago

most distro package managers strike me as about the same. having a massive library of obscure stuff packed up to work on my system was a big plus. disnt have to compile hardly anything from source anymore