Do you have any personal experience with malicious AUR packages?

Been using EndeavourOS for six months now and I’m quite enjoying it. Lately I’ve done some reading about how to check AUR packages for shady things. In that process I started wondering how common such issues actually are. My brief search managed to turn up only one serious incident with 3 packages from 2018:
https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/

I would like to ask you, old-timers: What is your personal experience with harmful AUR packages?

1 Like

First, welcome to the forum!

I don’t think many people will have personal experience with malicious AUR packages. There have been limited times in history where it has actually happened, and it was on packages that were not used by that many people.

Of course, that doesn’t change the fact that it is a good idea to check your AUR packages before installing/updating them. Some AUR helpers make that easy to do.

The AUR is one of the few community repos that lets you do that, which is why it is probably one of the safest community-maintained repos in the Linus community when used correctly.

6 Likes

:face_with_raised_eyebrow:
:grin:

2 Likes

Oops. I guess that is what happens when you type a message right after getting up on a Sunday.

:clock530: :sweat_smile:

linus-arch

Adapted from https://www.peanuts.com/about/linus

5 Likes

Welcome “home”!
I have been here for about a month, so, not for me yet. But I did not come across anybody mentioning such a thing.
Maybe old packages, outdated… that’s all I have come across till now.
Even though I had one case, it was updated thanks to @dalto and became up to date. You may look at @dalto’s post here: Make Dolphin Use Recoll "kio_recoll" Installed - #64 by dalto

1 Like

What I’m going to say here is something weird, I don’t have proof, and I could be wrong about it.
I’m not sure if I should say the name of the application where the problem happened, because I could be pointing my finger at an innocent developer, so I won’t say; if you want to know you can send me a private message, ok?

Also keep in mind that I use a lot of AUR packages, and what I’m going to say below only happened once, and with only one package.

I installed this package and everything was fine, but a few days later I received an email saying that my account for that app was accessed by an IP address in the USA, which is impossible. That worried me a little bit.

So, I decided to not use that app.

Sorry for not providing further details, I want to be fair because I really can’t prove anything.

2 Likes

Although, in that case, it sounds like it wouldn’t be a malicious AUR package but the software itself which was possibly malicious.

Indeed, it also could have been a coincidence; maybe my account/password for that app leaked by other means. Can’t really say.
Changing my password and not using that app anymore solved that. That’s all I can say really…

1 Like

No personal experience with malicious PKGBUILDs.

It is unlikely to happen with very popular packages, but with more obscure ones, it’s quite possible.

What is more likely to happen is something unintentional, like a space in a rm command that removes more than intended. But such things will get spotted pretty much instantly and flagged by the community.

A situation to keep an eye out for is when a popular package gets orphaned and picked up by some other maintainer. This is the best opportunity to do malicious things.

When it comes to real malware, it would seem to me that it makes more sense to embed it into the software itself, as it is less likely to get spotted there than when it is in the PKGBUILD (even so, it will get spotted pretty soon, if the software is popular – with disastrous effect to the developer’s reputation). Perhaps the sneakiest thing would be to change the URL in the PKGBUILD to lead to a malicious version of the software. If the URL is similar enough, it might be days before somebody spots something is off.

5 Likes
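The review points in that last post (a source URL that no longer matches upstream, a download that is not checksummed, and an rm with a stray space) can be checked mechanically before building. The script below is an added example, not from the thread or from any AUR helper; it scans a constructed PKGBUILD for a hypothetical package and assumes the plain `name=(...)` array layout makepkg uses (regex parsing of bash is a simplification, not a full parser).

```python
import re
from urllib.parse import urlparse

# Constructed sample PKGBUILD for a hypothetical package (not a real AUR entry). It
# contains the three review points from the thread: a source host that differs from
# the url= host, a SKIP checksum, and an rm whose stray space turns
# "$pkgdir"/usr/share/doc into the host path /usr/share/doc.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.0
url="https://github.com/example/example-tool"
source=("https://githvb.com/example/example-tool/archive/v$pkgver.tar.gz"
        "example-tool.desktop")
sha256sums=('SKIP'
            '0000000000000000000000000000000000000000000000000000000000000000')
package() {
  rm -rf "$pkgdir" /usr/share/doc
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
"""

def _array(text, name):
    """Items of a bash array assignment name=(...), quotes stripped."""
    m = re.search(rf'^{name}=\((.*?)\)', text, re.S | re.M)
    return [s.strip('\'"') for s in m.group(1).split()] if m else []

def _scalar(text, name):
    """Value of a simple assignment name=value, quotes stripped."""
    m = re.search(rf'^{name}=(.+)$', text, re.M)
    return m.group(1).strip('\'"') if m else ''

def check_pkgbuild(text):
    """Return a list of findings that deserve a closer look before building."""
    findings = []
    upstream_host = urlparse(_scalar(text, 'url')).hostname or ''
    for src in _array(text, 'source'):
        target = src.split('::', 1)[-1]          # entries may be 'name::url'
        host = urlparse(target).hostname         # None for local files
        if host and host != upstream_host:
            findings.append(f'source host {host!r} differs from url= host {upstream_host!r}')
    for sums in ('md5sums', 'sha256sums', 'b2sums'):
        if 'SKIP' in _array(text, sums):
            findings.append(f'{sums} contains SKIP: that download is not integrity-checked')
    for line in text.splitlines():
        m = re.match(r'\s*rm\s+(.*)', line)
        for arg in m.group(1).split() if m else []:
            if arg.startswith('/'):              # rm in a PKGBUILD should stay under $srcdir/$pkgdir
                findings.append(f'rm targets absolute host path {arg!r} in {line.strip()!r}')
    return findings
```

A host mismatch is only a prompt to compare against the previous PKGBUILD revision and upstream, not proof of anything; legitimate packages do fetch from mirrors or from a different host than their homepage.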