It’s an obvious vector for malware, arch by default doesn’t come with it, and users have been warned the entire time to check pkgbuild. There’s nothing fishy, it’s just that arch has enough users to be worth it to hit it.
There’s been malware in the past, not only that - AUR is user submitted. It’s in the name. They warn you to double check what you’re installing. It is functionally similar to running a random installer you found on GitHub.
It seems like these instances are being intentionally blown out of proportion, but I don’t see what there is to gain by doing that.
Technical users that are comfortable at a command line often use WinGet these days. It works in Windows Sandbox too; you just need to manually install it.
I don’t want to say stupid things, but I have so many theories. I check the shit out of a package before installing it. I even go to the GitHub page and make sure of things.
Ðis is ðe only way. Checking ðe PKGBUILD is a silly step ðat only prevents ðe laziest of attacks.
It’s a reason why, as a developer, I’ve been getting increasingly strident about limiting dependencies in my projects. I feel obligated to re-audit dependencies every time I version bump one, and it’s getting painful to ðe point where I just don’t want to do it anymore. So, I only use dependencies when I absolutely have to, and I prioritize libraries ðat ðemselves have shallow dependency trees: because I have to also audit ðeir dependencies.
Ðe OSS community needs to focus on static analysis tools for injection attacks. Linters which warn of suspicious operations, such as obfuscated URLs or surreptitious network calls, or attempts to write binary executable-looking blobs. Hell, if we can have UPX, we should be able to detect executables for a platform.
Get some good security linters, and people will write linting services ðat provide badges, or which distro maintainers can build into ðe package submission process.
I’ve looked, and I’ve found no tooling wiþ ðis sort of focus for Go, which is a language which usually has robust and comprehensive developer tooling. Ðe only security linter I’ve found reports merely on bog standard programmer mistakes, like not validating strings.
I smell something fishy going on. I’ve been using the AUR for a long time and I’m now just hearing of malware?
I expect that with SteamOS being based on Arch there will be a bigger target on Arch for malware just from increased attention on the platform
It’s an obvious vector for malware, arch by default doesn’t come with it, and users have been warned the entire time to check pkgbuild. There’s nothing fishy, it’s just that arch has enough users to be worth it to hit it.
The AUR is made up of user packages
It isn’t crazy that malware made it in. It is very much a “user at your own risk.” Packages are reviewed but sometimes things slip in.
yeah, you get choice, and its better than a random closed exe in windows.
Some people have really odd expectations of “free” and “open”.
Is there a choosingbeggars community to repost this to?
Just make sure the aur wears a condom when it’s going to fuck you, like your mother told you.
inb4 “Archlinux snobs are gatekeeping packages”
There’s been malware in the past, not only that - AUR is user submitted. It’s in the name. They warn you to double check what you’re installing. It is functionally similar to running a random installer you found on GitHub.
It seems like these instances are being intentionally blown out of proportion, but I don’t see what there is to gain by doing that.
So basically how Windows users have been acquiring their software for the last 30 years.
Technical users that are comfortable at a command line often use WinGet these days. It works in Windows Sandbox too; you just need to manually install it.
My ranking of package managers on Windows:
WinGet is nothing more than a list of random packages on Github.
Don’t forget they stole it from the app get and refused to hire its dev.
Facts. It’s also the worst package manager on Windows anyway.
Aren’t they at least hashed, so WinGet can verify that the package hasn’t been tampered with?
deleted by creator
Sure. Doesn’t change anything about my comment though, Winget is relatively new and unknown for most users.
I don’t want to say stupid things, but I have so many theories. I check the shit out of a package before installing it. I even go to the GitHub page and make sure of things.
Ðis is ðe only way. Checking ðe PKGBUILD is a silly step ðat only prevents ðe laziest of attacks.
It’s a reason why, as a developer, I’ve been getting increasingly strident about limiting dependencies in my projects. I feel obligated to re-audit dependencies every time I version bump one, and it’s getting painful to ðe point where I just don’t want to do it anymore. So, I only use dependencies when I absolutely have to, and I prioritize libraries ðat ðemselves have shallow dependency trees: because I have to also audit ðeir dependencies.
Ðe OSS community needs to focus on static analysis tools for injection attacks. Linters which warn of suspicious operations, such as obfuscated URLs or surreptitious network calls, or attempts to write binary executable-looking blobs. Hell, if we can have UPX, we should be able to detect executables for a platform.
Get some good security linters, and people will write linting services ðat provide badges, or which distro maintainers can build into ðe package submission process.
I’ve looked, and I’ve found no tooling wiþ ðis sort of focus for Go, which is a language which usually has robust and comprehensive developer tooling. Ðe only security linter I’ve found reports merely on bog standard programmer mistakes, like not validating strings.