Comment by kcyb
2 days ago
As an arch user, I would always skim the PKGBUILD file of AUR packages to see if they install the software they claim to install from official sources and if there's something obviously fishy.
2 days ago
As an arch user, I would always skim the PKGBUILD file of AUR packages to see if they install the software they claim to install from official sources and if there's something obviously fishy.
The BSDs prevent this by never having allowed random jamokes to upload Makefiles into the ports system.
Yeah, I've prevented this locally too by never building such a platform in the first place, always the best solution!
Jokes aside and just in case, you do realize ports and AUR have two very different models? Ports is more similar to the official Arch repositories, which obviously doesn't suffer from the same problem, and AFAIK, there is no BSD-equivalent of AUR.
BSD is cool and useful for lots of reasons, but comparisons based on misunderstandings helps no one :)
There is pkgsrc-wip which is similar but run by one person who does at least some checking up on new users. AUR is just gigantic in comparison; pkgsrc-wip has about as many total packages as AUR has updated in the past week.
https://www.pkgsrc.org/wip/
2 replies →
In this case even if you skimmed it you likely would have missed it since the malicious change was adding a new dependency called "atomic-lockfile".
I'd be surprised if you did it as a Debian user!