• altphoto@lemmy.today
    link
    fedilink
    arrow-up
    0
    ·
    26 days ago

    With the old package managers safety was simple…trust the developers, user their packages. 10000 downloads? Easy! 1 download… 🤔 Maybe skip for now.

    Now with executables like mac and Windows it’s easier to sneak something in. You still rely on trust. But now you’ve got AI in the game mudding the waters.

  • Avid Amoeba@lemmy.ca
    link
    fedilink
    arrow-up
    0
    ·
    26 days ago

    The unsandboxed package model was only ever safe in its original conception - with organizationally trusted and cryptographically enforced maintainer model. Remove the maintainer/developer trust requirement and you need a sandbox in order to prevent malware having root access on your system. Tis why mobile apps were sandboxed on Android and iOS from the get go.

  • Speiser0@feddit.org
    link
    fedilink
    arrow-up
    0
    ·
    26 days ago

    My eyes, I look at AUR packages before building them, as any real arch user does. AFAIK, antivirus programs would do the same to compiled binaries, looking for suspicious things and blocking if it finds something.

    • Alaknár@sopuli.xyz
      link
      fedilink
      arrow-up
      0
      ·
      25 days ago

      Wasn’t that long ago when I was downvoted to oblivion for saying that. Glad to see the community is maturing.

    • placebo@lemmy.zip
      link
      fedilink
      English
      arrow-up
      0
      ·
      25 days ago

      Tbf most major attacks we saw recently are cross-platform thanks to npm. AUR has always been a security risk.

    • littleomid@feddit.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      26 days ago

      Waiting for updating doesn’t make any difference. The packages could be infected at any point.

      • CubitOom@infosec.pub
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        26 days ago

        The packages could be infected at any point.

        I guess the same could be said for literally any open source or freely distributed project.

        The difference is that this was a supply chain attack and, to my knowledge, required the package to be listed as orphaned unmaintained first so that the PKGBUILD could be modified to install malicious NPM packages.

        The community caught it quickly because it is possible to read both the PKGBUILD and the output of the update and, I think, it is fully resolved as of now.

        Basically, if one were to delete or replace orphaned packages then they wouldn’t have been infected.

        It is also possible to add a CVE scanner for AUR packages if reading the PKGBUILD is too much, I’m looking into how to do that now.

        All this is to say that you should check if you had an infected package but I personally don’t think using the aur is more risky than using a flatpak.

      • 87Six@lemmy.zip
        link
        fedilink
        arrow-up
        0
        ·
        26 days ago

        Waiting for updating doesn’t make any difference.

        Are linux users allowed to juat lie like that? I thought if you do that you need to use Windows.

      • CubitOom@infosec.pub
        link
        fedilink
        English
        arrow-up
        0
        ·
        26 days ago

        Good question, I guess I might be using the wrong word when i say “orphan” because I see the arch wiki uses that term differently

        Orphans are packages that were installed as a dependency and are no longer required by any package.

        https://wiki.archlinux.org/title/Pacman/Tips_and_tricks

        You can remove these manually or if using an aur helper like yay there are flags/settings you can use to delete them after the desired package was installed.

        However what I was talking about aur packages that are unmaintained or do not have a maintainer anymore.

        I’m researching more at the moment.

        • Eager Eagle@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          26 days ago

          shit, I had 150 orphaned packages

          pacman -Qdtq | pacman -Rns -

          I made an alias for this, but IMO this cleanup should be automatic. The user didn’t install it themselves after all.

          • CubitOom@infosec.pub
            link
            fedilink
            English
            arrow-up
            0
            ·
            26 days ago

            I don’t trust that everything that outputs from pacman -Qdtq should be deleted. Like I want to keep vlc.

            • Eager Eagle@lemmy.world
              link
              fedilink
              English
              arrow-up
              0
              ·
              26 days ago

              I think if you do pacman -S vlc it won’t be orphan anymore though. I removed everything, if I miss something I’ll install it again.

              • CubitOom@infosec.pub
                link
                fedilink
                English
                arrow-up
                0
                ·
                25 days ago

                A simple install kept it orphaned. Instead I needed to run sudo pacman -D --asexplicit vlc

          • arschflugkoerper@feddit.org
            link
            fedilink
            arrow-up
            0
            ·
            26 days ago

            This can be prevented by uninstalling with -Rs

            Just removing them without user intervention could cause unexpected behavior.

    • Albbi@piefed.ca
      link
      fedilink
      English
      arrow-up
      0
      ·
      26 days ago

      They also wait until they get off the rollercoaster and back on solid ground before yelling yay!

  • macniel@feddit.org
    link
    fedilink
    arrow-up
    0
    ·
    26 days ago

    Linux Users: haha those silly windows users, always searching the web for their software and getting viruses.
    Linux Users: oh no I got malware by searching the AUR!

    • Err(()).unwrap()@lemmy.worldM
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      26 days ago

      The AUR is still safer. One, it is at least minimally moderated. If a malicious package is detected, it can be reported and removed. Two, the installer is usually not just a black box executable. Three, most of the build and runtime dependencies are from the official Arch repos, which provides some protection against supply chain attacks. For Windows installers, you have to trust the distributor to bundle clean DLLs (for that matter, the same applies to AppImages).

      But if it starts downloading anything from NPM… ^C and run.

      • Lucy :3@feddit.org
        link
        fedilink
        arrow-up
        0
        ·
        26 days ago

        The most unsafe factor of the AUR is aur helpers and their goal to dumb everything down and streamline the process as if the AUR where an official repo

        • CubitOom@infosec.pub
          link
          fedilink
          English
          arrow-up
          0
          ·
          26 days ago

          I’m not entirely sure I agree, I think the issue is with default settings.

          Like you could use both yay and paru to diff the PKGBUILD of the most recent updat and then read it, and then approve each. And I think that’s pretty helpful. But you could also just blindly accept the update with the right config or flag and that is not a good practice.

          • bitfucker@programming.dev
            link
            fedilink
            arrow-up
            0
            ·
            25 days ago

            Yeah, use and promote aurto instead. They require you to trust the maintainer and would remove the package from the local repo if the maintainer is changed

            • CubitOom@infosec.pub
              link
              fedilink
              English
              arrow-up
              0
              ·
              25 days ago

              I’m not sure if loosing the maintainer is to only thing we should be going off of here, but I like the name.

              • bitfucker@programming.dev
                link
                fedilink
                arrow-up
                0
                ·
                25 days ago

                Well, it is just like a distro maintainer account anyway. If the maintainer account is compromised then gg for the whole distro. That’s what happens with other supply chain attacks as well and yes, I do think we need a way to fix that without compromising on ease of usability

                • CubitOom@infosec.pub
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  25 days ago

                  We arnt talking about a distro maintainer, but an aur package maintainer, which can be anyone.

    • Lucy :3@feddit.org
      link
      fedilink
      arrow-up
      0
      ·
      26 days ago

      By misusing the AUR and ignoring every warning telling you to read and understand the pkgbuild or don’t do it.