#1 2023-03-18 14:13:16

PlasticRainCoat
Member
Registered: 2023-03-18
Posts: 4

AUR safety and specific apps I'm not sure about

This is my first post so hello everyone.

I was referred here after visiting the article on the Arch User Repository - https://wiki.archlinux.org/title/Arch_User_Repository

I'm new to Arch Linux and I think I will be reliant on the AUR for some software, but I'm also uneasy, being worried about malware on my system as this would potentially be my daily driver.  I know nothing about coding and don't really have enough information to understand build files, and so feel limited in identifying safe vs malicious packages.

The packages in particular I want to install and test:

Envy Control - by bayasdev - https://github.com/bayasdev/envycontrol … tag/v3.2.0
Ice-Sealed Wyvern by BeardOverflow/msi-ec (https://github.com/BeardOverflow/msi-ec)
mcontrolcenter-bin by dmitry - https://github.com/dmitry-s93/MControlCenter

With no technical knowledge, I'm relying on taking a look at the number of contributors on a package, stars, along with issues in Git.  But is this really a good method?

Does anyone have knowledge of the above software packages and can advise if they are safe?

Thanks in advance
PRC

Last edited by PlasticRainCoat (2023-03-18 14:14:22)

#2 2023-03-18 14:30:40

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,441

Re: AUR safety and specific apps I'm not sure about

PlasticRainCoat wrote:

With no technical knowledge, I'm relying on taking a look at the number of contributors on a package, stars, along with issues in Git.  But is this really a good method?

More or less.  First realize that there are two distinct questions about the safety of an AUR package: 1) is the upstream source trustworthy, and 2) does the AUR package (i.e., PKGBUILD) draw from the proper upstream source.

You don't need to know anything about coding to glance at a PKGBUILD and see if the source URL looks like the legitimate upstream source and whether the rest of the PKGBUILD is fairly simple or resembles one of the PKGBUILD templates.  There are some very long and complicated PKGBUILDs in the AUR, and these certainly can be perfectly legitimate and safe, but I'm always a bit more cautious with them in assessing whether they are safe under my second definition above (a complex PKGBUILD could sneak something in and / or, simply by being more complex, is more prone to bugs / breakage).  The packages you link to are all very simple boilerplate PKGBUILDs that just pass along the upstream source.  So while there are no guarantees, all three pass my quick test for the second type of safety.

For the first type of safety, there is no great test - but this has nothing to do with the AUR.  You'd have this same question whether the software was in the AUR, main repos*, or manually installed.

My recommendation of what to look at - if you are not at all familiar with any coding - would be AUR "votes".  It's certainly possible that these could be artificially inflated (someone spamming their own package with votes) but in practice this just isn't very likely.  And just like the complexity / simplicity of the PKGBUILD, this is a one-way test: a package with lots of votes has likely been looked at by lots of people - so it's much less likely that anything fishy would slip by.  But there are also plenty of great packages with no votes.

*note: technically, it should be less of a concern with repo packages, as we can have a fair degree of trust in devs/TUs to not package malicious or broken software.

EDIT: a different perspective could be on base rates:

I've been using arch for well over a decade, and I've been active on the forums for about as long.  In that time I can't recall even hearing of a single case of actually malicious code in the AUR**.  I have no doubt it's happened - and I wouldn't really even doubt that there could be some malicious code in the AUR right now; the AUR is huge.  But I've just not ever heard of someone being negatively impacted by malicious code in the AUR.

In contrast, poorly done packages in the AUR are a dime a dozen.  If you use many AUR packages you will find some of them fail to work properly because the packager didn't know what they were doing or did something foolish.  So foolish is common, but malicious is so rare that I've not even encountered it.  In contrast I am aware of several people being hit by lightning - yet I don't walk around with a lightning rod.  If I've heard of people being struck by lightning but don't worry about being struck myself, why would I worry about malicious code in the AUR when I can't even recall hearing of a single case impacting someone else?

** note: I have seen cases where PKGBUILDs and / or install files were so horrifically bad that I described them as bordering on malicious.  But even there they would, at worst, attempt to pollute a user's $HOME directory with package-related materials out of ignorance not maliciousness - and they would not result in any "malware" or "spyware" or the like.

Last edited by Trilby (2023-03-18 14:40:51)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman
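Trilby's second check above (does the source= line point at the legitimate upstream named in url=?) can be made mechanical without sourcing the PKGBUILD, which would execute whatever it contains. This is an added example, not code from the thread or from any AUR package; the sample PKGBUILD, its package name and its hosts are constructed, and the parser only understands the simple one-assignment-per-variable style that boilerplate PKGBUILDs use.

```python
import re
from urllib.parse import urlparse

# Constructed sample PKGBUILD (hypothetical package and hosts, not a real AUR entry).
SAMPLE_PKGBUILD = r"""
pkgname=examplectl
pkgver=1.2.0
url='https://github.com/example-org/examplectl'
source=("$pkgname-$pkgver.tar.gz::https://github.com/example-org/examplectl/archive/refs/tags/v$pkgver.tar.gz"
        "https://mirror.example.net/extra-blob.bin"
        "git+https://github.com/example-org/examplectl.git")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP'
            'SKIP')
"""

def _array(text, name):
    """Items of a simple whitespace-separated bash array name=( ... ), quotes stripped."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    return [] if not m else [t.strip("'\"") for t in m.group(1).split()]

def _scalar(text, name):
    """Value of a simple scalar assignment name=value (quotes stripped, no expansion)."""
    m = re.search(rf"^{name}=['\"]?([^'\"\n]+)", text, re.M)
    return m.group(1) if m else ""

def _expand(value, variables):
    # Substitute $var / ${var} from the PKGBUILD's own scalars; unknown names are left alone.
    return re.sub(r"\$\{?(\w+)\}?", lambda m: variables.get(m.group(1), m.group(0)), value)

def _repo(url):
    """(host, (owner, repo)) for a forge URL like https://github.com/owner/repo/anything."""
    parsed = urlparse(url.removeprefix("git+"))
    parts = parsed.path.removesuffix(".git").split("/")
    return parsed.netloc.lower(), tuple(parts[1:3])

def check_pkgbuild(text):
    """Return findings; an empty list means every remote source matches url= and is checksummed."""
    variables = {k: _scalar(text, k) for k in ("pkgname", "pkgver", "url")}
    sums = _array(text, "sha256sums")
    findings = []
    for i, entry in enumerate(_array(text, "source")):
        src = _expand(entry.split("::", 1)[-1], variables)  # drop the local-filename prefix
        if "://" in src and _repo(src) != _repo(variables["url"]):
            findings.append(f"source[{i}] {src} is not under upstream {variables['url']}")
        if not src.startswith("git+") and i < len(sums) and sums[i] == "SKIP":
            findings.append(f"source[{i}] {src} has sha256sums=SKIP but is not a VCS source")
    return findings
```

Run `check_pkgbuild(open("PKGBUILD").read())` on a PKGBUILD fetched from the AUR; the file is only read, never sourced, so nothing in it runs.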

#3 2023-03-18 21:44:04

PlasticRainCoat
Member
Registered: 2023-03-18
Posts: 4

Re: AUR safety and specific apps I'm not sure about

Thanks for your advice, Trilby.  It's given me confidence to go ahead and install EnvyControl, which is what I really need.

Out of interest, with the actual applications themselves - should they be available on GitHub to download - is there any point running them through VirusTotal?

Thanks
PRC

#4 2023-03-18 21:55:05

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: AUR safety and specific apps I'm not sure about

PlasticRainCoat wrote:

Out of interest, with the actual applications themselves - should they be available on GitHub to download - is there any point running them through VirusTotal?

envycontrol builds a Python module from source.
msi-ec-git will try to build a kernel module from source for whatever the running kernel is.
mcontrolcenter-bin unpacks a prebuilt binary; that is the only one you could scan.
Edit:
PKGBUILD for mcontrolcenter built from source

_pkgname=MControlCenter
pkgname=mcontrolcenter
pkgver=0.4.0
pkgrel=1
pkgdesc='An application that allows you to change the settings of MSI laptops'
arch=('x86_64')
url='https://github.com/dmitry-s93/MControlCenter'
license=('GPL3')
depends=('qt5-base' 'hicolor-icon-theme')
makedepends=('cmake' 'qt5-tools')
# tagged upstream release; the filename:: prefix gives the cached tarball a unique name
source=($pkgname-$pkgver.tar.gz::https://github.com/dmitry-s93/$_pkgname/archive/refs/tags/${pkgver}/$pkgver.tar.gz)
sha256sums=('0e94319bb03c809be79f75b8dc2343ca9dcfcc6deef001ad906e18a2750ded66')

prepare() {
    # modules-load.d / modprobe.d fragments so ec_sys is loaded with write support
    echo "ec_sys" > "$pkgname-kmod.conf"
    echo "options ec_sys write_support=1" > "$pkgname-opts.conf"
    # the D-Bus service file expects the helper under libexec; Arch installs it in /usr/bin
    sed -i 's/libexec/bin/' "./$_pkgname-$pkgver/src/helper/mcontrolcenter.helper.service"
}

build() {
    cmake -B build -S "$_pkgname-$pkgver" \
        -DCMAKE_BUILD_TYPE='None' \
        -DCMAKE_INSTALL_PREFIX='/usr' \
        -Wno-dev
    cmake --build build
}

package() {
    DESTDIR="$pkgdir" cmake --install build

    # load ec_sys on boot
    install -Dm644 "$pkgname-kmod.conf" "$pkgdir/usr/lib/modules-load.d/$pkgname.conf"

    # set ec_sys options
    install -Dm644 "$pkgname-opts.conf" "$pkgdir/usr/lib/modprobe.d/$pkgname.conf"

    cd "$_pkgname-$pkgver"
    install -Dm644 ./resources/mcontrolcenter.desktop "$pkgdir/usr/share/applications/mcontrolcenter.desktop"
    install -Dm644 ./resources/mcontrolcenter.svg "$pkgdir/usr/share/icons/hicolor/scalable/apps/mcontrolcenter.svg"
    install -Dm644 ./src/helper/mcontrolcenter-helper.conf "$pkgdir/usr/share/dbus-1/system.d/mcontrolcenter-helper.conf"
    install -Dm644 ./src/helper/mcontrolcenter.helper.service "$pkgdir/usr/share/dbus-1/system-services/mcontrolcenter.helper.service"
}

Edit2:
Updated msi-ec-git PKGBUILD to build for the linux package, added a pkgver function as it is a git package, added a patch for linux 6.2 https://github.com/BeardOverflow/msi-ec/pull/29

# Maintainer: Catemiko
# Contributor: BeardOverflow

_gitname=msi-ec
pkgname=$_gitname-git
pkgver=r83.b476c18
pkgrel=1
pkgdesc="Driver for MSI laptop EC"
arch=('x86_64')
url="https://github.com/BeardOverflow/msi-ec"
license=('GPL2')
# built against the stock linux package only; linux-headers provides /usr/src/linux
depends=('linux')
makedepends=('git' 'linux-headers')
provides=('msi-ec')

# the patch ships next to the PKGBUILD, hence its fixed checksum; the git source is SKIP
source=("git+https://github.com/BeardOverflow/msi-ec.git"
        msi-ec-linux-6.2.patch)
sha256sums=('SKIP'
            'b2c6b5cef7605c9dbc1b5eea59a17baae76457bfda93ec5e8737eb17f20120ba')

prepare() {
    cd "${_gitname}"
    patch -Np1 -i ../msi-ec-linux-6.2.patch
}

# VCS package: derive the version from the checkout (commit count + short hash)
pkgver() {
    cd "${_gitname}"
    printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short=7 HEAD)"
}

build() {
    cd "${_gitname}"
    # version of the installed linux package, not of the running kernel
    _kernver="$(</usr/src/linux/version)"
    make -C "/usr/lib/modules/${_kernver}/build" M="$PWD"
}

package() {
    cd "${_gitname}"
    echo msi-ec > msi-ec.conf

    # autoload the module on boot
    install -Dm 644 msi-ec.conf "${pkgdir}/usr/lib/modules-load.d/msi-ec.conf"
    _kernver="$(</usr/src/linux/version)"
    install -Dm 644 msi-ec.ko "${pkgdir}/usr/lib/modules/${_kernver}/extramodules/msi-ec.ko"
}

msi-ec-linux-6.2.patch

diff --git a/msi-ec.c b/msi-ec.c
index abec434..1b075f9 100644
--- a/msi-ec.c
+++ b/msi-ec.c
@@ -45,6 +45,7 @@
 #include <linux/seq_file.h>
 #include <linux/string.h>
 #include <linux/slab.h>
+#include <linux/version.h>
 
 static const char *const SM_ECO_NAME       = "eco";
 static const char *const SM_COMFORT_NAME   = "comfort";
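Review bot: the added `#include <linux/version.h>` exists only to serve the `LINUX_VERSION_CODE < KERNEL_VERSION(6,2,0)` checks in the next hunk; that is fine for the mainline `linux` package this PKGBUILD now targets, but a version-code test selects the wrong prototype on kernels that backport the 6.2 battery-hook signature change, so a one-line comment at the include stating that the check assumes a mainline kernel would spare the next reader a puzzling build failure.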
@@ -1001,12 +1002,22 @@ static struct attribute *msi_battery_attrs[] = {
 
 ATTRIBUTE_GROUPS(msi_battery);
 
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6,2,0)
 static int msi_battery_add(struct power_supply *battery)
+#else
+static int msi_battery_add(struct power_supply *battery,
+            struct acpi_battery_hook *hook)
+#endif
 {
     return device_add_groups(&battery->dev, msi_battery_groups);
 }
 
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6,2,0)
 static int msi_battery_remove(struct power_supply *battery)
+#else
+static int msi_battery_remove(struct power_supply *battery,
+            struct acpi_battery_hook *hook)
+#endif
 {
     device_remove_groups(&battery->dev, msi_battery_groups);
     return 0;
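Review bot: the new `hook` parameter is unused in both `msi_battery_add` and `msi_battery_remove`, and the two `#if LINUX_VERSION_CODE` blocks repeat the same condition around near-identical prototypes; one macro under a single `#if`, e.g. `#define MSI_BATTERY_HOOK_ARG , struct acpi_battery_hook *hook` (empty on older kernels), keeps the two signatures in step, and tagging `hook` as `__maybe_unused` silences W=1 warnings. The hunk header's counts (12 old, 22 new) match the lines shown, so the patch applies as written.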

Last edited by loqs (2023-03-19 02:33:04)

#5 2023-03-21 16:43:53

PlasticRainCoat
Member
Registered: 2023-03-18
Posts: 4

Re: AUR safety and specific apps I'm not sure about

Thank you for your input too

#7 2023-03-25 15:05:12

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: AUR safety and specific apps I'm not sure about

Did you decide to use any of the AUR packages you were interested in?
