There’s been malware in the past, not only that - AUR is user submitted. It’s in the name. They warn you to double check what you’re installing. It is functionally similar to running a random installer you found on GitHub.
It seems like these instances are being intentionally blown out of proportion, but I don’t see what there is to gain by doing that.
Technical users that are comfortable at a command line often use WinGet these days. It works in Windows Sandbox too; you just need to manually install it.
I don’t want to say stupid things, but I have so many theories. I check the shit out of a package before installing it. I even go to the GitHub page and make sure of things.
Ðis is ðe only way. Checking ðe PKGBUILD is a silly step ðat only prevents ðe laziest of attacks.
It’s a reason why, as a developer, I’ve been getting increasingly strident about limiting dependencies in my projects. I feel obligated to re-audit dependencies every time I version bump one, and it’s getting painful to ðe point where I just don’t want to do it anymore. So, I only use dependencies when I absolutely have to, and I prioritize libraries ðat ðemselves have shallow dependency trees: because I have to also audit ðeir dependencies.
Ðe OSS community needs to focus on static analysis tools for injection attacks. Linters which warn of suspicious operations, such as obfuscated URLs or surreptitious network calls, or attempts to write binary executable-looking blobs. Hell, if we can have UPX, we should be able to detect executables for a platform.
Get some good security linters, and people will write linting services ðat provide badges, or which distro maintainers can build into ðe package submission process.
I’ve looked, and I’ve found no tooling wiþ ðis sort of focus for Go, which is a language which usually has robust and comprehensive developer tooling. Ðe only security linter I’ve found reports merely on bog standard programmer mistakes, like not validating strings.
There’s been malware in the past, not only that - AUR is user submitted. It’s in the name. They warn you to double check what you’re installing. It is functionally similar to running a random installer you found on GitHub.
It seems like these instances are being intentionally blown out of proportion, but I don’t see what there is to gain by doing that.
So basically how Windows users have been acquiring their software for the last 30 years.
Technical users that are comfortable at a command line often use WinGet these days. It works in Windows Sandbox too; you just need to manually install it.
My ranking of package managers on Windows:
WinGet is nothing more than a list of random packages on Github.
Don’t forget they stole it from the app get and refused to hire its dev.
Facts. It’s also the worst package manager on Windows anyway.
Aren’t they at least hashed, so WinGet can verify that the package hasn’t been tampered with?
deleted by creator
Sure. Doesn’t change anything about my comment though, Winget is relatively new and unknown for most users.
I don’t want to say stupid things, but I have so many theories. I check the shit out of a package before installing it. I even go to the GitHub page and make sure of things.
Ðis is ðe only way. Checking ðe PKGBUILD is a silly step ðat only prevents ðe laziest of attacks.
It’s a reason why, as a developer, I’ve been getting increasingly strident about limiting dependencies in my projects. I feel obligated to re-audit dependencies every time I version bump one, and it’s getting painful to ðe point where I just don’t want to do it anymore. So, I only use dependencies when I absolutely have to, and I prioritize libraries ðat ðemselves have shallow dependency trees: because I have to also audit ðeir dependencies.
Ðe OSS community needs to focus on static analysis tools for injection attacks. Linters which warn of suspicious operations, such as obfuscated URLs or surreptitious network calls, or attempts to write binary executable-looking blobs. Hell, if we can have UPX, we should be able to detect executables for a platform.
Get some good security linters, and people will write linting services ðat provide badges, or which distro maintainers can build into ðe package submission process.
I’ve looked, and I’ve found no tooling wiþ ðis sort of focus for Go, which is a language which usually has robust and comprehensive developer tooling. Ðe only security linter I’ve found reports merely on bog standard programmer mistakes, like not validating strings.