new | ask | show | jobs
sam_lowry_ 4 hours ago  [ - ]

As someone already explained in a sibling comment, Arch Linux AUR packages are simple shell scripts that download source code from upstream, apply patches and install.

I review them every time I have to install from AUR.

bawolff 4 hours ago  [ - ]

And what if upstream is problematic? Even if it stops this particular attack, reading just the AUR file feels like fighting yesterday's war. I don't think advice to the effect of, just read the parts of the code that have been used in attacks in the past but blindly trust everything else, makes a lot of sense.

exceptione 3 hours ago  [ - ]

  > And what if upstream is problematic?
That would be the same problem for official packages. Unless I am mistaken, the difference between maintainers for the official repos versus AUR, is that the former is a trusted/vetted person. But afaik, they also just package upstream software. I doubt they will read through tons of commits to see if there might be anything nefarious there.

It would be better if software would be forced to have something like a very advanced manifest file, with requested permissions. Malware has to eventually communicate with endpoints, so a declared whitelist of endpoints should definitely be part of such a manifest. Some wrapper program could set up a namespaces that allows just what is requested. Any software that requires `endpoints = [.*]` would make it obvious to the user that it is a really dangerous piece of software. Your code editor should not ship like that.

The first thing I can think of in this direction is flatpak, but that is really coarse grained, with defaults that are very lax. Also flatpak-like solutions do not expose an api to the wrapped application, which is both a pro and a con (a con when you consider installing application plugins requiring further permissions).

Hackbraten 3 hours ago  [ - ]

> And what if upstream is problematic?

Then don’t install the package.

It’s on you to decide whether you trust upstream or not.

You’re free to use any scanner you want on the upstream sources if it makes you feel safer. (I’m currently working on a makepkg extension that allows just that.)

The core and extra repos are curated, and every package maintainer is doing their due diligence (and more) to protect the users. But on the AUR, nobody is going to do that work for you.

exceptione 3 hours ago  [ - ]

> doing their due diligence (and more)

Do you know how? This sounds like an unpractical high amount of time consuming task.

embedding-shape 3 hours ago  [ - ]

It really isn't, made a short tutorial just for you (and other's): https://news.ycombinator.com/item?id=48518704

exceptione 3 hours ago  [ - ]

[dead]

Slothrop99 4 hours ago  [ - ]

If I understand, the malware is installed via npm from some subshell. But yeah I totally believe you have a detailed review of every package-lock.json and etc.

sam_lowry_ 3 hours ago  [ - ]

What is npm?

I installed dwm from AUR once, then Prusa slicer.

Dwm PKGBUILD lists patches, so it's kind of obvious one needs to check them to choose what patches they want.

Prusa slices is downoaded from the official website.

I think you live in a different world ;-)