Hey all,
So I wrote a couple of wrapper scripts for personal use, and thought I'd Git them and make an AUR package in case they were useful to anyone else (source: https://github.com/wcerfgba/udevil-bindfs). I decided to make the package follow the repo, and as such there are no sums in the PKGBUILD, and I have not provided any signatures.
If I were to roll this out as it stands, the only thing standing between the original code and a hacked release is my GitHub login, and there is no way to detect such interference through the AUR (e.g. by inspection of the PKGBUILD). As such I feel that VCS AUR packages potentially widen the attack surface of a system in a rather insidious way.
This could be mitigated by signing the sources before making a commit and including said signatures in the commit, and I would be interested to hear if any packages do this or implement any additional layers of integrity over just VCS write access.
All PKGBUILDs from AUR come with a big red warning about being unsupported and potentially dangerous. So anyone who wants to install anything from AUR on a system that is supposed to be secure should really think it through before doing so.
Also, when your github login is compromised, there is a big chance it was compromised with your entire computer or network. So the attacker might as well already have access to your AUR account and repo and also to the keys you use to sign the commits. In that case, nothing will help you.
That said, you could put such a check in the check() function in PKGBUILD. But it would probably be better (and the more standard way) to create a non-VCS package with source archives (which can be downloaded from github as well) with proper checksums.
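To make the difference between the two packaging styles concrete, here is an added example (not code from the thread, the AUR, or the udevil-bindfs project) that re-implements, in plain POSIX shell, the integrity step makepkg performs for a non-VCS package: the sha256 of the downloaded release archive is compared against the value recorded in the PKGBUILD's sha256sums array. A VCS (-git) package has nothing equivalent to compare against, because its git source is listed with sha256sums=('SKIP'), which is exactly the gap the original post describes. The release archive below is a constructed file built inside the script, and the URL and array shown in the comments are assumptions about how such a PKGBUILD would look, not lines from the repository.

```shell
#!/bin/sh
# Added example: a minimal stand-in for makepkg's checksum verification of
# a non-VCS source archive. Not part of the udevil-bindfs project.
#
# Assumed PKGBUILD fragment this models (placeholder digest, not a real value):
#   source=("$pkgname-$pkgver.tar.gz::https://github.com/wcerfgba/udevil-bindfs/archive/v$pkgver.tar.gz")
#   sha256sums=('<sha256 of that exact tarball, generated once with makepkg -g>')
#
# Because the digest lives in the PKGBUILD (reviewable in the AUR), anyone
# who later replaces the tarball behind that URL changes the digest, and the
# build stops, regardless of who controls the GitHub account.

set -u

# Print only the hex sha256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_source FILE EXPECTED
# Returns 0 when FILE's sha256 equals EXPECTED, 1 otherwise. This is the
# comparison makepkg makes against the sha256sums=() entry for each source.
verify_source() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        printf '%s ... Passed\n' "$file"
        return 0
    fi
    printf '%s ... FAILED (expected %s, got %s)\n' "$file" "$expected" "$actual"
    return 1
}

# demo: build a constructed "release archive", pin its digest the way a
# packager would when writing the PKGBUILD, then modify the archive and
# confirm the pinned digest no longer matches. Returns 0 if the tampering
# is detected, 1 otherwise.
demo() {
    tmp=$(mktemp -d)
    archive="$tmp/udevil-bindfs-1.0.tar.gz"   # constructed sample file, not a real tarball
    printf 'echo hello from a constructed release\n' > "$archive"
    pinned=$(sha256_of "$archive")             # value that would go into sha256sums=()

    # Untouched archive: must pass.
    if ! verify_source "$archive" "$pinned"; then
        rm -rf "$tmp"
        return 1
    fi

    # Archive silently replaced after the PKGBUILD was published: must fail.
    printf 'echo something else\n' >> "$archive"
    if verify_source "$archive" "$pinned"; then
        rm -rf "$tmp"
        return 1
    fi

    rm -rf "$tmp"
    return 0
}

# Run the demonstration when executed directly.
demo
```

Running the script prints one "Passed" line for the pristine archive and one "FAILED" line for the modified copy, which is the behaviour makepkg shows as "One or more files did not pass the validity check!". The same pattern extends naturally to the check() idea from the reply: a detached signature can be listed as a second source entry and a key fingerprint placed in validpgpkeys, so that makepkg verifies the signature alongside the checksum; that step is not shown here because it needs a real key.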