Malicious AUR packages

I know at least one instance where the attacker used the former maintainer’s old clear name as user name.

This has always been mind boggling for me too. Like why? And if it’s big no no, why create option for something like AUR in first place?

It’s like Debian would have link to unofficial repo on their front page and then they declare that it’s completely not supported or maintained by the project. :distorted_face:

It’s a bit like a gambling site that advertises rehab at the same time :rofl:

Part of the problem is that some of the packages in the AUR are ones that the individual Arch maintainers no longer wish to maintain, but are actually popular programs that are in the Debian, Fedora and Ubuntu repos. That’s the case for seven of my AUR packages, and for another two the developer provides their own repo for Debian/Fedora/Ubuntu.

If they wish to relegate the importance/prominence of the AUR, they should bring more packages back to the main repos, and leave the AUR to just the weird & wonderful.

They host a place where users can share content. They don’t take responsibility or ownership of this user created content.

Is it the responsibility of the forum mods to review every code snippet here? Could be doing something malicious…

I’m not certain how sharing code snippets compares to hosting a place that contains packages that are no no according to devs but then given a link on the front page.

It’s completely different thing to smash code from the forums than making a repo full of packages with branding of the distro and then wash hands from all responsibility.

And I don’t have anything against Arch as distro. This is simply something that I think should be done in some different manner.

Also as @r0ckhopper said, why ditch packages that may be important to users and push them into unofficial “repo” and then mock people when they have to use them and face issues?

In convenience but not functionally. Arch could shut down the AUR, then people start to share scripts in the forum how to easily install applications not in the repo, and we are back at square one.

They may be important to users, but apparently they are not important to the Arch maintainers. Are there a few dozen packages that imho should be in the official repos: Yes. But who decides about the 100k other packages? Usually if they become important or popular and somebody is willing to maintain them, they are picked up.

I don’t see anybody mocking people.

Arch is an OS for competent users. The AUR is perfectly safe if a user understands what it is and inspects the PKGBUILDs (assuming the user has the capability of understanding a PKGBUILD).

Arch is very clear about what the AUR is (and isn’t). There are warnings in the Arch wiki and on the AUR landing page. It’s user-created PKGBUILDs.

If you’re not capable of checking the PKGBUILDs in a competent manner, you shouldn’t use the AUR.

https://wiki.archlinux.org/title/Arch_User_Repository

AUR helpers (yay, paru, etc) are not officially supported. The fact that your Arch-based distro includes an AUR helper by default is what you should be critical of. The default inclusion of yay - besides keeping users from understanding what the AUR is and how it works - promotes the idea that the AUR is just another repo. It isn’t.

I was not talking about mocking here. I was talking about the mentality of some Arch users in general (those who lurk in the Arch Forums) and their attitude towards users who ask help after installing something from the AUR.

YAY to that!

yay-bobsburger-4029662118

I agree with this. My gripe was mostly about the fact that Arch has link to AUR in their front page, but don’t have any info about current issues with AUR.

I find this little bit odd.

See here: https://wiki.archlinux.org/title/Arch_User_Repository

Note

If you plan to use AUR repository, it is highly recommended to follow aur-general Arch mailing list which has been used for security warnings in the past.

I know this, but why there can’t be an announcement in front page?

There can be, but there isn’t. It’s traditionally been handled by the mailing list, which is highly recommended for just this thing.

Archlinux is a DIY distro. It provides you with the building blocks and the freedom of choice how you use them to build YOUR system.

Now, if you choose to pick up pieces from outside the official repos, like AUR, they care to inform you about it on AUR page of The Wiki.

image

image

If someone has chosen to use Arch, they are in charge of taking responsibility for their own system and educate themselves.

While I agree with the fact that using the AUR could not always be safe , the question I have should you offer the users of e.g. “older” Nvidia hardware packages coming from the AUR or just say , that support has stopped for this hardware because there is no possibillity to use the “official” repos. Don’t you enhance the feeling ,from users that don’t know better, that the AUR is just another (huge) repo. Also if using the LTS kernel to get hardware support (e.g. DKMS packages) are needed , and raises the same question.

Educating themselves requires information. If information is located in the basement of the council buildin, behind locked door and there’s no directions to it, then it’s hard to learn otherwise than the hard way.

Once again, I’m simply pointing out that the information should be known is not available on the front page, even that it should be right now.

Here is the direction to the basement: ArchWiki

And here is the direction to where you could turn to for airing your grievance and proposing some constructive suggestions for betterment: Arch Linux Forums

Here, it seems you have picked the wrong tree to bark up at .

Once again, I’m talking about informing people about malicious packages. This doesn’t answer to it. I have been all the way talking about informing users about flood of malicious packages into AUR. It could be a single paragraph.

I think we are talking about two different trees.

To any EndeavourOS user who is thinking of doing this - don’t. The Arch forums are for Arch users, not for users of Arch-based distros.