Comment by yowo

2 days ago

This is like saying a user who clone a random git repo is not to blame and git-scm should do more to prevent cloning of malicious repos. If it is not official, it is your job to review, if you dont like it, use iOS instead of Arch Linux.

If you crash your car, you are liable for the accident. If you aren't ready for that, take the bus.

More power = more responsibility

19 comments

yowo

Reply
badgersnake  1 day ago

> If you crash your car, you are liable for the accident.

Because I didn’t go through all the blueprints and find the flaw that led to the crash. This is a dumb argument. It’s also the one the AUR appears to be making.

  • homebrewer  1 day ago

    No, it's completely valid. The arch home page warns you that you're the one responsible for your system, and get to keep both pieces when something breaks. Everything is assembled with this philosophy in mind. This message is reinforced ten times more before the system is even installed and is up and running.

    If this is not for you, that's fine, but it's been working very well for some of us for... decades, at this point? I'm not amused by the amount of people here wanting to turn arch into another Ubuntu, most of them having zero familiarity with how the AUR works, or arch more generally.

    • Barrin92  1 day ago

      >but it's been working very well for some of us for... decades, at this point?

      but it's worth asking why it's been working well. Has it been working well simply because it's been a niche ecosystem, or even because you wouldn't have known if it didn't because nobody did security audits?

      The Arch distribution model, which operates like the Javascript ecosystem, as in having a barebones core and then a zoo of unregulated third party community packages does not seem fine these days. As it became more popular it has naturally drawn attention and from that moment on you're just screwed because you have no security infrastructure. Arch pretty much lived off security through obscurity.

      And in particular with the popularity of these spin offs, I forgot what the name of the tiling wm thing is that got very popular, I think a lot of users are not aware that they're doing the software equivalent of buying medicine off craigslist

      3 replies →

naturalmovement  2 days ago

Uh but this isn't random git repos these are packages available through the OS's repos. Why does the AUR even exist if not for malware distribution?

It's an uncontrolled free-for-all disguised as a watering hole. If they can't do the most basic of housekeeping it should not exist full stop.

  • zeta0134  1 day ago

    They *are* doing the basic housekeeping. What do you think this announcement is, if not exactly that? AUR is very clearly documented as user-submitted, and automatic installs from it are heavily discouraged by the maintainers for this reason. Malware aside, there is very little quality control, and a poorly made AUR has the potential to break the system pretty badly. (Though, in my experience, most of the useful AUR packages are trivial to remove if something goes wrong.)

    The officially maintained repositories (which are part of a default installation) were not affected. Users need to go somewhat out of their way to use an AUR.

    The definition files are all plain text and not especially complicated. It's not too difficult to glance at the file before doing an install to get a basic idea of what it's about to do, just like you should do when running a random shell script or cloning a random git repo. Indeed, most AURs are implemented by cloning an upstream git repo and configuring it so it can be built. The same basic threat model applies: Do you trust the install script? Do you trust the upstream URL whose code it is about to compile?

    • a-dub  1 day ago

      i read all the pkgbuild diffs, still doesn't give me a good sense. sure, i can verify that it's coming from the official repo but even then there's no guarantee that there isn't junk in there or that the git ref is actually pointing at the right thing.

      it would be better if there were stronger community moderation and review that has stamps i can trust rather than this idea that eyeballing build scripts is a reasonable security posture.

      3 replies →

  • matheusmoreira  1 day ago

    Nothing is "disguised" here. Arch Linux makes an enormous effort to warn that due dilligence is required before installing things, and to dissuade users from using the User Repository at all, to the point of not offering package manager support for it. The wiki even cites previous instances where malware was discovered in the AUR packages.

    The only way you could possibly not be aware of the AUR's nature as an "uncontrolled free-for-all" is if you didn't read the Arch Wiki, and anyone who doesn't read the Arch Wiki should not be using Arch Linux to begin with.

    "Uncontrolled free-for-all" is exactly the status quo of programming language package managers such as npm and pip. It's just as easy for total randoms to sign up for an account and push packages on those services as it is to push a package to the AUR. Only the AUR made the lack of trust explicit and part of the culture.

  • Hackbraten  2 days ago

    > these are packages

    PKGBUILDs are not packages. They’re (user-contributed) instructions on how to build packages.

    > available through the OS's repos.

    No. The AUR is a platform, similarly to NPM or PyPI, that allows users to upload PKGBUILDs. It is not part of “the OS’s repos,” and it says that loud and clear, multiple times, including on the front page.