Russian Spam & Profanities Are Now Plaguing The Arch Linux AUR

2d 30m ago by europe.pub/u/cm0002 in linux@programming.dev from www.phoronix.com

One Russian guy: adding a package which you need to specifically install to get, and which adds three lines of text saying you should not install random shit from the internet

Journalist: rUsSiAnS aRe AtTaCkInG AUR wItH sPaM aNd PrOfAnItIeS

Looking at how it's worded, it's just some high school kid who wanted to have some fun.

What the fuck is going on with all of this lately? I get the idea, but like is there any real reason to use AUR in this day and age? I'm not an Arch user so I don't really understand the significance for the community, but when it was explained to me it sounded psychotic.

It's an easy way to get packages distributed across Arch. It's especially useful for new software because getting approved for mainline Arch repos is a pain.

The issue is the fact that it was created before widespread adoption of Arch and thus security is a bit lackluster.

When you use it, the first thing you'll see is "read all the PKGBUILDs before installing!!!" written all over the place, PKGBUILD being the bash script that gets the package into your system. And when Arch was that scary and unapproachable distro used by the nerdiest of nerds, everybody did exactly that and it wasn't an issue.

Nowadays a lot of people who are a bit less than conscious about their decisions hop on Arch and use stuff like the AUR without thinking about what exactly they are doing. The results are all over the news outlets.

Maybe it'll lead to the AUR creating stricter policies for maintainers. Sad, but I doubt it can exist in its current state otherwise.

I would bet even careful Arch users don't sift through every repo they have installed during every system update to make sure nobody tinkered with an older one today. Some may have written elaborate scripts that warn them when, for example, the owner of a package changed, but that's probably less than 1% of even just older Arch users. If it even exists at all.

I don't think this is just a growing skill issue. I suspect the main reason this seems to happen more frequently is mere popularity. More popular means there's more to gain for bad actors.

Not sure, I read all the diffs when I was using Arch. It's scary otherwise. I also put effort into minimizing the number of AUR packages I use, though.

But it getting more popular, of course, also plays a role, but I'd argue it's the same thing. There are only so many nerds out there; for it to get more popular it has to reach a broader audience.

Arch attracted a lot of newbies to the distro thanks to SteamOS being Arch-based and CachyOS being extremely easy to get into and maintain, unlike the heavily gatekeepy "fuck off if you can't solve literally everything yourself" base Arch. With that came a lot of demand for all sorts of packages that are not and will not be included in Arch/Cachy/whatever distro's repos, prompting heavy AUR usage. As well as some people promoting the AUR as one of the benefits of Arch: "everything is on Arch". And in my personal experience, Arch itself tends to drop a bunch of packages into the AUR, and other third-party devs treat the AUR as an easy distribution platform for Arch-based distros, which gives the AUR an undeserved amount of trust.

There are many popular programs that are only available on the AUR, sometimes even maintained by the same project's dev.

The wiki also often links to AUR packages.

Both put together means it's really easy to forget that there are no guardrails at all there.

For example, if a device manufacturer provides drivers for Linux, or a software developer has a version for Arch, but it's missing a PKGBUILD or config file, most users simply won't be able to figure out how to manually install it, and CORE or Flathub probably don't have any official packages for it.

There are millions of such niche cases like this every day.

For me, some of the software I use isn't available on the official Arch repos, but they are on the AUR. I prefer the AUR over solutions like Flatpak or AppImages, but I use a mix of them all depending on what I need to install.

Interesting, I prefer Flatpak over the AUR when available, because the AUR seems more susceptible to attacks like this. I don't know the security model of a Flatpak repository, so it's just a feeling so far.

To the person(s) down voting this, please speak up about why. Let's have a discussion, or maybe teach me something! 😃👍

The nice thing about Linux is that it gives you options, so you can decide which you prefer!

True. I just hope I'm right in my way of thinking there, is all. 😅 Maybe someone more knowledgeable than I am could fill me in on whether or not Flatpak is actually a safer option than the AUR (given blindly installing stuff without inspection).

I believe Flatpak is safer than the AUR, as there is comparatively more vetting by third parties (e.g. Flathub). Also, the apps you install are sandboxed, which has upsides in terms of security but may have downsides for certain kinds of app, since permissions for full file access, communication with other apps, etc. are restricted by default.

I like the AUR since it's more "native" than the one-size-fits-all Flatpak, but I use both depending on the use case for that app. Sometimes, one version is out of date, in which case I would prefer the other.
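
A caveat to "restricted by default" in the comment above, as an added example that is not from the thread or from the Flatpak project: the sandbox is only as tight as the permissions the app ships with, and many apps ship with broad ones. The function below audits a permissions blob in the keyfile format that `flatpak info --show-permissions APP` prints and flags the entries that make the sandbox largely nominal. The sample permissions are constructed; the key names and values follow Flatpak's metadata format, and the specific findings and thresholds are my choices, not a Flatpak rule set.

```shell
#!/bin/sh
# Added example, not from the thread or from the Flatpak project: audit the
# static permissions a Flatpak app declares and flag the ones that make the
# sandbox largely nominal. SAMPLE_PERMS is constructed; the keys mirror the
# [Context] / [Session Bus Policy] sections Flatpak's metadata uses.

SAMPLE_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;all;
filesystems=host;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.gnome.Shell.Screenshot=talk
'

# keyfile_get TEXT SECTION KEY: print the value of KEY inside [SECTION],
# or nothing if the key is absent.
keyfile_get() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }'
}

# flag_perms TEXT: print one finding per broad permission in TEXT.
flag_perms() {
    perms=$1
    fs=$(keyfile_get "$perms" Context filesystems)
    case ";$fs;" in
        *";host;"*|*";home;"*|*";host-os;"*|*";host-etc;"*)
            echo "filesystems grants broad host access: $fs" ;;
    esac
    case ";$(keyfile_get "$perms" Context devices);" in
        *";all;"*) echo "devices=all exposes every /dev node" ;;
    esac
    sockets=$(keyfile_get "$perms" Context sockets)
    case ";$sockets;" in
        *";session-bus;"*) echo "unfiltered session bus: every D-Bus service is reachable" ;;
    esac
    case ";$sockets;" in
        *";x11;"*) echo "x11 socket: other X clients' windows and input are readable" ;;
    esac
    # Talk access to org.freedesktop.Flatpak lets the app run commands on
    # the host via flatpak-spawn --host, i.e. a sandbox exit by design.
    [ "$(keyfile_get "$perms" 'Session Bus Policy' org.freedesktop.Flatpak)" = talk ] \
        && echo "org.freedesktop.Flatpak=talk: app can execute on the host"
    return 0
}

# flag_count TEXT: number of findings, handy for gating an install script.
flag_count() {
    flag_perms "$1" | wc -l | tr -d ' '
}

flag_perms "$SAMPLE_PERMS"
```

Run it against the real output of `flatpak info --show-permissions` for each app you install; anything it flags is a permission you can narrow per app with `flatpak override`, which is the part of the Flatpak model that the "blindly installing without inspection" case in the thread skips.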

This is what I had assumed as well, so thanks for confirming!

Not sure what you mean by "native" though. Flatpak apps don't run in some kind of virtualization, do they? Or do you mean native to the package system?

Native as in how Flatpaks are a universal package format while AUR is Arch-specific. There are some occasional quirks in some Flatpak apps. For instance, Flatpak Localsend does not detect the system accent colour, while the AUR version does. It's not a problem for most apps though.

Yeah Flatpak applications need access to some portal or something I guess in order to gain access to stuff.

Meh, I like it. I use it for stuff I don't necessarily trust, like Slack, Discord (which hasn't been launched for a while now...), Steam (higher trust in that than the others though), etc. Non-free stuff. 🙂