Checking AUR packages

Whenever I read a post about the AUR it comes with lots of red flashing warning signs that one should always check those apps before installing, which makes perfect sense to me. But I am not quite sure what red flags I should be looking for.

Using the Bitwarden update which happened to come in today as an example.
What information can and should I check to help me come to a conclusion that this is a valid package?
The URLs data gets downloaded from is an obvious one, in this case it points to Bitwarden’s official github repository, so check passed in my opinion.
I could obviously test the URL in a browser, download separately what’s behind the URL and check what’s in the package. Investigate “${pkgname}.sh” but that’s going to get laborious quickly.

Or maybe a thorough test at first install and then just cursory?
How do people here go about checking their AUR packages?

Aur (1) bitwarden-1.25.1-1

:: Proceed to review? [Y/n]: 

:: Downloading PKGBUILDs...
 (1/1) bitwarden-1.25.1-1                                                                                                     [----------------------------------------------------------------------------------]
 PKGBUILD | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/PKGBUILD b/PKGBUILD
index 9c83867..613ff87 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,9 +2,9 @@
 # Contributor: Milo Gilad <myl0gcontact@gmail.com>
 
 pkgname=bitwarden
-pkgver=1.25.0
-pkgrel=2
-_jslibcommit='f80e89465ffc004705d2941301c0ffb6bfd71d1a'
+pkgver=1.25.1
+pkgrel=1
+_jslibcommit='7cc23dab72e505ab3cc255f2d035dc0c79ec7a53'
 _nodeversion='10.24.0'
 pkgdesc='Bitwarden Desktop Application'
 arch=('x86_64' 'aarch64')
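Review bot: The new _jslibcommit value in this hunk is a bare 40-character hash with nothing recording where it was taken from, so a reader of the diff cannot tell whether it is the jslib commit that belongs with pkgver 1.25.1. A one-line comment above the variable naming the upstream reference it was copied from would let each bump be checked against that reference. The pkgrel reset from 2 to 1 alongside the pkgver bump is as expected.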
@@ -19,8 +19,8 @@ source=("${pkgname}-${pkgver}.tar.gz::https://github.com/bitwarden/desktop/archi
         "package.json.patch"
         "${pkgname}.sh"
         "${pkgname}.desktop")
-sha512sums=('6e8afb290030c7e23d5050ec88cd37a6600fd51b5452f5ec571ace35b95012ab8c19a3c2c3b76a981d0e37bdee08439d98d1c39bc169374dfec401af974ec6e7'
-            'e0a80a2088af56b68494356856101574b9c9aef3cad9ef384cd61ee45eb3cb398346604c72cf8ea6522f6747a08ab25d0590d9d17e4116bcdc6726864f95b506'
+sha512sums=('c9ea45df3dbdf057ea26f98a0b43ffea97c7d042f595505ccf067d59558556f2392b551e6b88cf4efdc6f9b16f58f4dbefe631386342a59d94ef0e9f0403c9c7'
+            '5aa3ede161fb717baad4da559b8f39d6fee3f32c430ea56d2698145ce90af0ee70fb887df41c355747bc9c1edc3f86b7d8a070764a0464682b374404c8bb1ef8'
             'cbe6dff699de7a274b7c5ab1dd25a348443dd3dc50eb8b2290c8c300b6b3a560271aef773b2cd55d25ccaa1527ed25d5626310f6da342f2893d2f63212bd2814'
             '724b548688e2af1d8d25e6ebe6e35831e891453f2df011e5fa757b57fcbcfef3c171510be4537652891441c65121bd9766f372f82d3edd5971fb77b726409575'
             '05b771e72f1925f61b710fb67e5709dbfd63855425d2ef146ca3770b050e78cb3933cffc7afb1ad43a1d87867b2c2486660c79fdfc95b3891befdff26c8520fd')
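Review bot: The two replaced entries at the top of sha512sums cannot be confirmed from the diff itself, so they are worth regenerating from the downloaded sources (for example with `makepkg -g` or `updpkgsums`) and comparing before building. The last three entries are unchanged, which lines up with the three local files listed just above them (package.json.patch, ${pkgname}.sh, ${pkgname}.desktop) and with the diffstat reporting PKGBUILD as the only changed file.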




:: Proceed with installation? [Y/n]:

That’s a good question, and also quite challenging to answer, in general. Here are some thoughts, surely not everything about the matter, but a starting point maybe.

At least when starting to use an AUR package for the first time, it is worth doing some research.

If and when you want to make sure the AUR package is valid, here are some things to check (and evaluate them together as a whole):

  • general reputation of the package (see https://aur.archlinux.org/packages/, votes and popularity)
  • update frequency of the package (if the last update was years ago, I would probably look for an alternative); however, this is not easy to judge
  • direct comments about the package (e.g. https://aur.archlinux.org/packages/paru/)
  • dependency packages, especially if they are from AUR
  • if the checksum variable (e.g. sha256sums) contains the word SKIP, then the related source links should be checked more carefully as they are not automatically verified
  • all package files included (PKGBUILD and other files)

For example:
https://aur.archlinux.org/cgit/aur.git/tree/?h=timeshift
There may be more files to check than only PKGBUILD, like timeshift.install.

In all files, check if they try to do anything suspicious. Especially, check

  • all links they use are valid, and point to the official and trusted site of the software
  • the included files/scripts don’t do anything suspicious or out of order (e.g. encrypt unrelated files or mess with the firewall…)

There are so many things that a malicious package can do.

And after checking, it is up to you alone whether you trust the package or not.

The comforting thing is that the vast majority of AUR packages seem to be reliable.
But don’t take my word for it, do your own research! :wink:

7 Likes

A very comprehensive response, thanks a lot @manuel!

First and foremost you have to decide whether you trust this guy or not.

Well, if I go by this I can’t install any AUR package, because I don’t know any of the maintainers?

Here is my recommendation for installing a new AUR package assuming you have a very low risk tolerance.

  1. Do you trust the maintainer(s)? - If you do, then you don’t really need to go any further on this list
  2. Check the votes and popularity - This just tells you how widely used a package is. However, that is useful. With a package used by many users there is a much higher chance someone will notice if someone publishes something wrong/malicious.
  3. Review the most recent couple of AUR comments - You are just looking for major red flags
  4. Check the source array - Now you need to check everything in the source array. You need to do this in a way that makes sense. See below for how I would do it as it relates to your specific example.
  5. Check for the existence of an .install script. These are executed as root by pacman at the time of package install.
  6. Review the PKGBUILD itself. Mostly you are just looking for things like calls to sudo/su/pkexec or something extremely out of place.

OK, so now let’s use your bitwarden example and walk through these steps.

  1. Let’s assume we don’t trust the maintainer, otherwise this will be a very short example :laughing:
  2. The votes (67) and popularity (3.06) are high enough to assume the package is fairly widely used.
  3. Nothing concerning in the recent comments
  4. Now we can check the source array:
source=("${pkgname}-${pkgver}.tar.gz::https://github.com/bitwarden/desktop/archive/v${pkgver}.tar.gz"
      "jslib-${_jslibcommit}.tar.gz::https://github.com/bitwarden/jslib/archive/${_jslibcommit}.tar.gz"
      "package.json.patch"
      "${pkgname}.sh"
      "${pkgname}.desktop")

For the first two, I wouldn’t actually download and check them, I would just validate that “https://github.com/bitwarden” is the official bitwarden github. If it is, I think it is reasonable to assume those are safe. If you don’t trust the software provider, you probably shouldn’t install the software to begin with.

The next 3 need to be reviewed:
package.json.patch - It just removes a postinstall command
bitwarden.desktop - It just runs bitwarden-desktop
bitwarden.sh - It just launches bitwarden

I would say those are all pretty safe

  5. There is no .install script
  6. The PKGBUILD looks fine to me. I don’t see any red flags.

To me, that package is pretty safe.

As it relates to updates of AUR packages, I think it is reasonable to only review the diffs. In most cases the changes between versions are small so it only takes a few seconds and any good AUR helper will show you all the package diffs.

SIDE NOTE 1: Nobody should feel like they have to do all these steps. This is only intended to help people with a low aversion to risk. Don’t read this and think “This is scary so I am just going to install a binary package from somewhere else”. That probably is actually higher risk. Also, steps #2 and #3 above are worth doing even if you aren’t comfortable with the rest.

SIDE NOTE 2: I almost always use AUR packages before considering any other option. However, bitwarden is the exception to this for me. That package is so critical to my security that I only use the official appimage. It is self-updating and can be downloaded directly from bitwarden.

8 Likes
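Checks 4 to 6 from the list above (source URLs, .install script, sudo/su/pkexec calls), plus the SKIP checksum check mentioned earlier in the thread, as an added shell example that is not part of any post here. The helper name `pkgbuild_flags`, the finding labels and the sample PKGBUILD are constructed for illustration.

```sh
# Added example: static red-flag scan of a PKGBUILD (checks 4-6 from the list).
# The file is read as text and never sourced: a PKGBUILD is a shell script,
# so sourcing it would already execute whatever it contains.
# Usage: pkgbuild_flags FILE TRUSTED_URL_PREFIX...  (one finding per line)
pkgbuild_flags() (
  file=$1; shift
  # Blank out full-line comments but keep line numbers intact.
  body=$(sed 's/^[[:space:]]*#.*//' "$file")

  # Check 4: every URL must start with a trusted prefix. End each prefix with
  # "/" so that ".../bitwarden-x" cannot pass for ".../bitwarden".
  printf '%s\n' "$body" | grep -oE "(https?|ftp)://[^\"' )]+" | sort -u |
  while IFS= read -r url; do
    ok=0
    for prefix in "$@"; do
      case $url in "$prefix"*) ok=1 ;; esac
    done
    [ "$ok" -eq 1 ] || echo "UNTRUSTED-URL $url"
  done

  # A SKIP entry in a checksum array means that source is not verified.
  n=$(printf '%s\n' "$body" | grep -oE "['\"]SKIP['\"]" | wc -l | tr -d ' ')
  [ "$n" -eq 0 ] || echo "SKIP-CHECKSUM $n"

  # Check 5: install= names a script that pacman runs as root.
  printf '%s\n' "$body" |
    sed -n "s/^install=[\"']\{0,1\}\([^\"']*\).*/INSTALL-SCRIPT \1/p"

  # Check 6: calls to sudo/su/pkexec are out of place in a build script.
  printf '%s\n' "$body" |
    grep -nE '(^|[^[:alnum:]_.-])(sudo|su|pkexec)([[:space:]]|$)' |
    sed 's/^/PRIV-ESC line /'
)

# Constructed sample, not a real AUR package.
sample_pkgbuild() {
  cat <<'EOF'
# Maintainer: Example <someone@example.invalid>
pkgname=demo
install=demo.install
source=("https://github.com/bitwarden/desktop/archive/v1.0.tar.gz"
        "https://files.example.invalid/helper.tar.gz")
sha512sums=('SKIP' 'SKIP')
package() { sudo cp demo /usr/bin/demo; }
EOF
}
tmp=$(mktemp); sample_pkgbuild > "$tmp"
pkgbuild_flags "$tmp" "https://github.com/bitwarden/"
rm -f "$tmp"
```

A finding is a prompt to read that line, not a verdict: *-git packages legitimately use SKIP, as noted further down the thread.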

It is probably worth noting that for *-git packages these will always be SKIP and only rarely receive updates. This is because they usually just pull the latest source from the source repository. In this case, it is normal for them to appear as if they haven’t been updated for extended periods of time.

2 Likes

Votes are only useful if you’re using something that’s used by a lot of people. Very few people vote.

Otherwise, I agree.

Well, you can help change that. If you like a package and think it should be included in the official repos, vote for it. Also, if you notice anything malicious in an AUR package, report it. We all can and should help make the AUR better for everyone.

3 Likes

I vote for everything I use. I even vote for my own packages.

3 Likes

Sorry for the noob question, but in which AUR helper do you get the Proceed to review? option? Is it something like Diffs to show in yay?

That screenshot is from paru: https://aur.archlinux.org/packages/paru/

1 Like

I noticed the vote link a while back but had no idea what “vote for this package” would actually do? Actually, still not sure where these votes would be used?

Edit: Voted for paru, just to try it out, but still none the wiser :slight_smile:

The votes are used to determine what should be a candidate for adding to the Arch repos.

That being said, I don’t think there is much chance that paru will make it there. :slight_smile:

1 Like

True, none of the AUR helpers are in the repositories if I am not wrong; Arch will not add any of them.

The first thing I do when checking trust in an AUR PKGBUILD is to check the link to sources, and see if it links to the original sources of the app. And then I check the PKGBUILD etc. to see if there is any strange stuff inside… and of course checking comments, last update and votes…

1 Like