I thought the user was complaining about why Archlinux doesn’t inform the AUR users about malicious PKGBUILDs on the front page of their site and not seeking support for a particular issue the may have with their Arch-based distro.
For the former, we cannot do much about here other than wasting a lot of keystrokes, ink and saliva.
For the latter, I’ll urge them to create a new topic for the issue they are facing.
At this point I’m considering maybe looking for a distribution where most of the packages I use are in the default repos. Or I might just switch to Flatpak for some of them except for the ones I can’t live without.
On the other hand, if you simply enable diffs in your AUR helper, all these attacks would stand out in a fairly obvious way on update even if you don’t have any particular technical experience.
after this I will enable diffs in yay, but even with that you have to be meticulous, because they can be shady in a 6 line diff too, for example changing the domain to something similar or the rest of the link that will get a bad file from a server.
I wish there would be a helper for this helpers that do some sanity checks, I know about traur, but it doesn’t do many things or do them well that would have been helpful here.
That’s the beauty of the diff output though, even if it looks similar it screams at you that something changed: Look at it until you find the difference.
i wonder if we could just manually download the bin files, check its hashes if it is correct, throw that to a 3rd party virus scanners.. if they audit it clean. proceed to manually install. will this be a safer move than to just automate?
There’s nothing wrong with that. Running Arch or an Arch based distro requires more time & effort than others, and depending on your free time & needs it might not be worth it. Also, users of other distros are still welcome on this forum.
This is a genuine consideration, thankfully there’s literally zero I need from the AUR, so not directly affected, but every once in a while, there’s a package that’s essentially the difference between a device or service working, and you being out of luck.
An easy to read, color coded diff that clearly shows that nothing changes except the version and the package version and the checksums. Other times you might see changelogs here as well.
These changes and any non-code changes like changelogs should be generally safe.
If anything else changes, it needs inspection. If you have the ability to inspect them yourself, great. If you don’t, there are a couple of things you can do:
Ask someone else to look at it(like us)
If it is a popular, widely used package, wait, don’t update immediately. Give it a few weeks and keep your eyes on the AUR page.
For the record, I have over 60 AUR packages and the time I spend on a monthly basis checking AUR diffs is inconsequential.
I still read the PKGBUILDS during updates but things can still be missed even with diffs enabled or some other way of it something being abused without you being able to see it in a diff. I’m just tired of the AUR feeling more like a security liablity rather than it a useful tool to use for adding to your package availability.
That’s what I’ve been saying to a lot of topics where people say they are leaving EndeavourOS for another distribution.
I didn’t want to leave Arch so I replaced everything I can with verified Flatpaks, removed anything I didn’t use oftten or didn’t really need which doesn’t have a verified Flatpak and any AUR PKGBUILD I can’t live without I kept but I went from using 22 to 4.
Can you give an example of something that could change that wouldn’t show up in a diff? The diffs usually include all the file changes, not just the PKGBUILD.
When using a -git PKGBUILD but then the problem would be the source not the AUR. The other example would be if I came home really drunk one night and decided to update my system and misread the diff output. But not really a really a current example, however some genius could figure out a way or some work around that’s not currently known yet. But either way with 400 compromised PKGBUILDS it doesn’t really feel like the tradeoff for extra packages the AUR is worth the risk anymore.
True! The difference is Flathub seems more controlled than the AUR as we don’t read or hear about Flathub having a compromised packages every other week.
Which doesn’t mean they’re not compromised. Or under attack. Snap has has malware on it and npm is known for malware. Pip also gets attacked regularly. It’s not an AUR specific issue. You have to decide whather the software you want is worth the risk and take what precautions you can.
True but the difference is the AUR is getting a bad reputuation like this, packages from default repos can get compromised too but is very less likely to happen even though it can. The whole point is the AUR feels more like security liability in it’s current state compared to third-party repos where there is more control and some form of auditing going on even though the AUR was never meant to be used as just another package repo.