
Comment by craftkiller

7 days ago

> The advantage to the AUR is just that you can reasonably review every PKGBUILD for what you're installing

Simply reviewing the PKGBUILD is not enough for the same reason reviewing a Makefile is not enough: You need to review the source code for _everything_ that is being downloaded and executed on your machine. For AUR packages, that means not just the PKGBUILD but the full source code for the program it is building and the full source code for any of its dependencies.

Hypothetical example: you wouldn't have caught the xzutils exploit by reading the PKGBUILD.

Right, the PKGBUILD only helps you review if you're installing what you intend to - not verifying if what you're installing contains any hacks.

This hack in particular added random npm packages that would have been unneeded/unintentional, and was visible in the PKGBUILDs directly.

  • No it wasn't? It ran npm install from a post-install script in another file. If they named it better people probably wouldn't have even noticed so quickly.

  • True, but looking at a compromised PKGBUILD[0], it looks like it is installing "atomic-lockfile" and "figures". I think 99% of people reading the PKGBUILD would assume those are legit dependencies needed by the program. It's not like it was running "npm install 1337hax0r". Which is why you need to read the source for both "atomic-lockfile" and "figures" (and literally everything else).

    [0] https://aur.archlinux.org/cgit/aur.git/commit/?h=pass-cli&id...

    • It adds npm as a dependency, to a go build?

      It changes the contributor email?

      to install random npm packages?!

      in /tmp?! in post_install()??! With a new random contributor email????

      Archlinux is focused on enabling a specific type of user, and certainly ones that can read bash scripts, and understand reasonable dependencies vs unreasonable ones. And even then - this is specifically in the AUR and not a package the distro directly offers.

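Two points in the thread lend themselves to a mechanical check: craftkiller's observation that the PKGBUILD alone is not the whole story, and the reply noting that the npm install ran from a post_install() hook in a separate .install file. The script below is an added example written for this page, not code from the thread, from Arch or from the AUR: it parses a PKGBUILD for its `install=` reference and dependency arrays, walks the hook functions in the .install file, and flags hooks that fetch code at install time, work under /tmp, or pull an npm/nodejs toolchain into what is otherwise a Go build. The sample PKGBUILD and .install contents are constructed stand-ins modelled on what the comments describe; the package name, version, URL and dependency names in them are assumptions, not the real pass-cli files.

```python
import re

# Constructed sample inputs modelled on the thread's description; NOT the real pass-cli files.
SAMPLE_PKGBUILD = """\
pkgname=example-cli
pkgver=1.2.3
pkgrel=2
arch=('x86_64')
makedepends=('go' 'npm')
install=example-cli.install
source=("$pkgname-$pkgver.tar.gz::https://example.invalid/src.tar.gz")

build() {
  go build -o example-cli .
}
"""

SAMPLE_INSTALL = """\
post_install() {
  cd /tmp
  npm install atomic-lockfile figures >/dev/null 2>&1 || true
}

post_upgrade() {
  post_install
}
"""

# Commands that fetch or execute code from outside the sources a reviewer has read.
FETCH_PATTERNS = [
    (r"\bnpm\s+(?:install|i|exec|x)\b", "npm install/exec"),
    (r"\bpip3?\s+install\b", "pip install"),
    (r"\bcurl\b", "curl"),
    (r"\bwget\b", "wget"),
    (r"\bgit\s+clone\b", "git clone"),
]

# pacman hook functions; these run as root on the installing machine.
HOOK_NAMES = {"pre_install", "post_install", "pre_upgrade", "post_upgrade", "pre_remove", "post_remove"}


def parse_assignments(text):
    """Return {name: [values]} for top-level scalar and array assignments in a PKGBUILD."""
    out = {}
    pattern = re.compile(r"^([A-Za-z_]\w*)=(?:\((.*?)\)|(\S+))[ \t]*$", re.M | re.S)
    for m in pattern.finditer(text):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        out[m.group(1)] = [a or b or c for a, b, c in re.findall(r"'([^']*)'|\"([^\"]*)\"|(\S+)", raw)]
    return out


def extract_functions(text):
    """Return {name: body} for shell functions written as name() { ... } (brace-balanced)."""
    funcs = {}
    for m in re.finditer(r"^(\w+)\s*\(\)\s*\{", text, re.M):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        funcs[m.group(1)] = text[m.end():i - 1]
    return funcs


def audit(pkgbuild, install_files):
    """Flag hooks and build steps that pull in code the reviewer has not seen.

    install_files maps filename -> contents for any .install files shipped with the package.
    Returns a list of (severity, message); an empty list means nothing suspicious was found.
    """
    findings = []
    assigns = parse_assignments(pkgbuild)
    install_name = (assigns.get("install") or [None])[0]
    # A hook file the PKGBUILD references but that was not handed over for review is itself a finding.
    if install_name and install_name not in install_files:
        findings.append(("error", f"install={install_name} is referenced but was not provided for review"))

    texts = {"PKGBUILD": pkgbuild}
    if install_name in install_files:
        texts[install_name] = install_files[install_name]
    for fname, text in texts.items():
        for func, body in extract_functions(text).items():
            is_hook = func in HOOK_NAMES
            for pat, label in FETCH_PATTERNS:
                if re.search(pat, body):
                    findings.append(("error" if is_hook else "warn", f"{fname}:{func}() runs {label}"))
            if is_hook and re.search(r"/tmp\b", body):
                findings.append(("warn", f"{fname}:{func}() works under /tmp"))

    # Ecosystem mismatch: a node toolchain appearing in a package that builds with Go.
    deps = assigns.get("depends", []) + assigns.get("makedepends", [])
    if any(d.startswith(("npm", "nodejs")) for d in deps) and "go" in deps:
        findings.append(("warn", "npm/nodejs added to a Go build; confirm upstream actually needs it"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_PKGBUILD, {"example-cli.install": SAMPLE_INSTALL}):
        print(f"[{sev}] {msg}")
```

Run against the constructed sample it reports the npm install in post_install() as an error, the /tmp working directory and the npm-in-a-Go-build mismatch as warnings, and nothing for the build() step. A clean finding list is not a clean bill of health: as the thread says, the package's own sources and those of "atomic-lockfile", "figures" and every other dependency still have to be read; the script only surfaces the install-time behaviour that a glance at the PKGBUILD misses.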