With the old package managers safety was simple…trust the developers, user their packages. 10000 downloads? Easy! 1 download… 🤔 Maybe skip for now.
Now with executables like mac and Windows it’s easier to sneak something in. You still rely on trust. But now you’ve got AI in the game mudding the waters.
The unsandboxed package model was only ever safe in its original conception - with organizationally trusted and cryptographically enforced maintainer model. Remove the maintainer/developer trust requirement and you need a sandbox in order to prevent malware having root access on your system. Tis why mobile apps were sandboxed on Android and iOS from the get go.
Inverted security by obscurity
Obscurity by security?
Sescurity by Obcurity
Obituary by Sorcery
Also, an ad blocker.
My eyes, I look at AUR packages before building them, as any real arch user does. AFAIK, antivirus programs would do the same to compiled binaries, looking for suspicious things and blocking if it finds something.
And you believe that makes you safe?
Shit like this is a blemish on the Linux community.
Thatsthejoke.jpg
Never trust an NPM library
Fuck node
… technical name for glory hole
OR
Your mom’s a fuck node
bu-but so many libraries need funding!
Security through insecurity
Though, Linux being open source helps a lot
Hi there 👋
Don’t have installed much from the AUR though.
So… rkhunter?
The more popular Linux becomes, the less true this will be.
Wasn’t that long ago when I was downvoted to oblivion for saying that. Glad to see the community is maturing.
Tbf most major attacks we saw recently are cross-platform thanks to npm. AUR has always been a security risk.
Avoid success at all costs - Simon Peyton Jones
I avoid orphaned packages and I wait a few days before I type
yayWaiting for updating doesn’t make any difference. The packages could be infected at any point.
The packages could be infected at any point.
I guess the same could be said for literally any open source or freely distributed project.
The difference is that this was a supply chain attack and, to my knowledge, required the package to be listed as
orphanedunmaintained first so that the PKGBUILD could be modified to install malicious NPM packages.The community caught it quickly because it is possible to read both the PKGBUILD and the output of the update and, I think, it is fully resolved as of now.
Basically, if one were to delete or replace orphaned packages then they wouldn’t have been infected.
It is also possible to add a CVE scanner for AUR packages if reading the PKGBUILD is too much, I’m looking into how to do that now.
All this is to say that you should check if you had an infected package but I personally don’t think using the aur is more risky than using a flatpak.
Waiting for updating doesn’t make any difference.
Are linux users allowed to juat lie like that? I thought if you do that you need to use Windows.
C’mon, man, at least pour one out for the homies who waited to update and landed in the period where it was live and undisclosed.
What?
Is there a flag to prevent orphaned packages from installing?
Good question, I guess I might be using the wrong word when i say “orphan” because I see the arch wiki uses that term differently
Orphans are packages that were installed as a dependency and are no longer required by any package.
You can remove these manually or if using an aur helper like yay there are flags/settings you can use to delete them after the desired package was installed.
However what I was talking about aur packages that are unmaintained or do not have a maintainer anymore.
I’m researching more at the moment.
shit, I had 150 orphaned packages
pacman -Qdtq | pacman -Rns -I made an alias for this, but IMO this cleanup should be automatic. The user didn’t install it themselves after all.
I don’t trust that everything that outputs from
pacman -Qdtqshould be deleted. Like I want to keepvlc.I think if you do pacman -S vlc it won’t be orphan anymore though. I removed everything, if I miss something I’ll install it again.
A simple install kept it orphaned. Instead I needed to run
sudo pacman -D --asexplicit vlc
This can be prevented by uninstalling with -Rs
Just removing them without user intervention could cause unexpected behavior.
They also wait until they get off the rollercoaster and back on solid ground before yelling
yay!You’re no fun
Linux Users: haha those silly windows users, always searching the web for their software and getting viruses.
Linux Users: oh no I got malware by searching the AUR!The AUR is still safer. One, it is at least minimally moderated. If a malicious package is detected, it can be reported and removed. Two, the installer is usually not just a black box executable. Three, most of the build and runtime dependencies are from the official Arch repos, which provides some protection against supply chain attacks. For Windows installers, you have to trust the distributor to bundle clean DLLs (for that matter, the same applies to AppImages).
But if it starts downloading anything from NPM… ^C and run.
But Windows has a flourishing antimalware ecosystem. That’s missing in Linux imo
The most unsafe factor of the AUR is aur helpers and their goal to dumb everything down and streamline the process as if the AUR where an official repo
Ye my reaction to this was basically uninstalling yay to force me to do it manually
I’m not entirely sure I agree, I think the issue is with default settings.
Like you could use both yay and paru to diff the PKGBUILD of the most recent updat and then read it, and then approve each. And I think that’s pretty helpful. But you could also just blindly accept the update with the right config or flag and that is not a good practice.
Yeah, use and promote
aurtoinstead. They require you to trust the maintainer and would remove the package from the local repo if the maintainer is changedI’m not sure if loosing the maintainer is to only thing we should be going off of here, but I like the name.

Well, it is just like a distro maintainer account anyway. If the maintainer account is compromised then gg for the whole distro. That’s what happens with other supply chain attacks as well and yes, I do think we need a way to fix that without compromising on ease of usability
We arnt talking about a distro maintainer, but an aur package maintainer, which can be anyone.
By misusing the AUR and ignoring every warning telling you to read and understand the pkgbuild or don’t do it.
AUR naur! for all my Australians out there.
Don’t worry, I found a package on npm to help!
Doesn’t work like this.
I never had any issues on TempleOS.
My OS is a temple. 🧘
Same on Secureblue.
Zero remote exploits since it was released. That’s what divinely-inspired coding looks like, everyone.
Better than OpenBSD
Out of curiosity, is that actually true? Surely our lord and saviour must have made a tiny slip-up
Edit: Apparently TempleOS doesn’t have networking
It is networked >!to God!<





















