Security of AUR packages? A question, and a proposal if you will

Good Afternoon everyone,

I’ve been an Arch/Endeavour user for only a couple months now, but I’ve been a Linux user and software developer for 15+ years, and now a cyber security researcher/pentester for the past couple years.

I’m writing because I have some questions about AUR packages and maybe how we can ensure or improve the security of them, and what can be done to ensure they are safe.

I’ve been learning about PKGBUILDs on AUR and one of the things that kind of concerns me, is the security of packages. So even if the package was secure at some point, an update from a compromised source can compromise your system. Of course, you can always check the PKGBUILDs before updates to make sure you’re building from the right sources, and then check the sources to make sure they are good, but is there anything else in place that can help with this review process? At least for popular AUR packages?

I’m trying to gather information on what the community thinks because I would like to develop a package/program, something like an “AUR security helper” or something along those lines, where trusted volunteers can do code reviews to ensure nothing malicious has changed in the package, or the code, and then when your package manager updates from AUR, it can display a checkmark or something that tells you that it has been reviewed by a trusted community reviewer, or instead of a checkmark, maybe a number of how many reviewers have “vouched” for the package, or something like that. IDK.

Like I said, I’m fairly new to Arch Linux, but as a cybersecurity-minded person, I’m trying to better understand how the AUR keeps everyone safe, if at all, and what can be done to improve the security.

Maybe this can be done for Endeavour OS and make it a distro feature?

Looking forward to learning more and hearing your suggestions. Thanks.

4 Likes

People should be manually reviewing the PKGBUILD files before running and installing the packages. No additional layer of trust removes that necessity. I think extra security would be great, but ultimately manual review is a must.

7 Likes

I agree with that; however, in cases like older nvidia drivers it’s a good idea to get review by at least a couple of experts.

Not many people could handle even the update diffs of such huge packages.

2 Likes

How safe are AUR packages? It’s a difficult question to answer now. Once upon a time they were very safe, as only Arch users made the recipes. Now, unfortunately, since the rise of spins and Manjaro, any Tom, Dick and Harry can submit packages to AUR, so yes, there is potential for rogue packages.

The thing is, how can the user trust any package you might submit? They can’t. That is where trust comes into it, and the Arch users, the real Arch users, police AUR.

If a user reports a package it is checked, new users submitting a package are also scrutinized, pkgbuilds are randomly scrutinized. I’ve used Arch since 2004; since AUR was born there have been only a couple of cases of malware and they were caught within hours of being submitted.
So one might say quite safe, but it’s down to users. Remember AUR is designed for Arch users; they are on the whole experienced users, they check out pkgbuilds before installing, so AUR is totally safe.

Users from Arch spins are usually new users, and inexperienced users, plus a few experienced users sprinkled in.
This group has no Arch support and on the whole are just point-and-click-blindly users who believe everyone else should look after their security. They are mainly only interested in Arch bragging rights, not in maintaining their Arch Linux spins.

No, I’m not elitist, I’m a realist.

5 Likes

multibootusb-git
pamac-aur
timeshift
tutanota-desktop-bin

These are the only packages I use from AUR; are they safe?
Newbie here :innocent:

Arch PKGBUILD system is completely transparent, it is designed in such a way that it cannot do anything behind the user’s back. So how safe AUR packages are depends on the effort you put into inspecting them. If you learn a bit about bash scripting and use common sense, the AUR is probably the safest way to install software in existence.

Here is some AUR safety advice: AUR PKGBUILDs

7 Likes

Speaking as one of those ‘other’ users, I have to agree with most of the post you made above :slightly_frowning_face:

However, I do look - the question is whether I recognize anything! In that regard, for those who aren’t code-familiar, using aura as an AUR helper might be of some assistance. It scans through PKGBUILDs for ‘obvious’ misuses - and any other eyes on the problem are probably a good thing…

4 Likes
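The update-time review this thread keeps returning to, as an added example (not Aura's code and not written by any poster here): a text-only comparison of two PKGBUILD revisions that flags new source hosts, added `SKIP` checksums and a changed `install=` script. The function names, sample files and `example.org`/`example.net` hosts are constructed for illustration.

```shell
#!/bin/sh
# Text-only comparison of two PKGBUILD revisions (constructed samples below).
# The files are never sourced: sourcing a PKGBUILD executes whatever it contains.

# Print every array whose name matches regex $1 (source, sha256sums, source_x86_64, ...).
# Simplification: an array is assumed to end on the first line containing ")".
pkgbuild_array() {
  awk -v name="$1" '
    $0 ~ ("^" name "(_[a-z0-9_]+)?=\\(") { inarr = 1 }
    inarr { print }
    inarr && /\)/ { inarr = 0 }' "$2"
}

# Unique scheme://host of every URL found in the source arrays.
source_hosts() {
  pkgbuild_array source "$1" | grep -oE '[a-z+]+://[^/"'"'"' )]+' | sort -u
}

count_skip() { pkgbuild_array '[a-z0-9]+sums' "$1" | grep -o SKIP | wc -l | tr -d ' '; }

review_update() (  # usage: review_update OLD_PKGBUILD NEW_PKGBUILD
  old_hosts=$(source_hosts "$1")
  source_hosts "$2" | while read -r host; do
    printf '%s\n' "$old_hosts" | grep -qxF -- "$host" || echo "NEW-SOURCE-HOST $host"
  done
  # SKIP is normal for VCS sources; an increase means a source lost its integrity check.
  if [ "$(count_skip "$2")" -gt "$(count_skip "$1")" ]; then echo "MORE-SKIP-CHECKSUMS"; fi
  # Functions in an install= script are run by pacman as root.
  old_inst=$(grep '^install=' "$1" || true); new_inst=$(grep '^install=' "$2" || true)
  if [ "$new_inst" != "$old_inst" ]; then echo "INSTALL-CHANGED ${new_inst:-removed}"; fi
)

write_samples() {  # constructed PKGBUILD fragments, not taken from any real package
  cat > "$1/old" <<'EOF'
pkgver=1.0
source=("https://downloads.example.org/demo-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
EOF
  cat > "$1/new" <<'EOF'
pkgver=1.1
source=("https://downloads.example.org/demo-tool-$pkgver.tar.gz"
        "helper::https://files.example.net/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
install=demo-tool.install
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp" && review_update "$tmp/old" "$tmp/new"; rm -rf "$tmp"
```

Each flag only marks a line to read by hand in the diff; an empty result does not mean the `build()` or `package()` bodies are unchanged.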

I would be wary of “intelligent” code scanners like Aura. Sure, it may catch the obvious malicious stuff, but sooner or later, really malicious people are going to figure out a way to bypass it.

It is much more difficult to fool an informed human than to fool an algorithm.

3 Likes

Very solid advice you gave in that thread. Well done.

3 Likes

Oh nooo! :scream:
Not the Dicks! :rofl:

Depends on human :slight_smile:
Most effective attacks are always social-engineering :grin:

2 Likes

No kidding - especially when the algorithm is open source! (even if in Haskell in this case) However, it is like having an automated extra check - perhaps as having an oil pressure gauge for warning is not a substitute for using the dipstick before a trip!

2 Likes

Yes. Edited the post for clarity. :stuck_out_tongue:

3 Likes

As a cybersecurity researcher and penetration tester, I disagree with this 100%.

99% of the time, during penetration testing engagements, the easiest way in is through the humans.

1 Like

This answer is great. I feel like it shouldn’t be one or the other (Humans or Algorithms), it should be a combination of both. But IMO, the Human will always be the weaker link.

2 Likes

You are generalising something very specific I said about the AUR to general cases of computer security. As you mentioned in your OP, you have little experience with AUR, so you’re not really in a position to disagree, unless you are going to unfairly presuppose that I was speaking in general. I was not, I was referring specifically to the AUR. And as @keybreak pointed out, it depends on the human, hence my addition of the word “informed”.

The AUR is a very safe system, but it is not idiot-proof. It is designed to be safe for users who understand how it works. This is in line with the general philosophy of Arch Linux – it is a user-centric distro, not a user-friendly one. The responsibility for the safety of AUR packages is entirely in the hands of the end users. If you are not willing to live with that responsibility, do not use the AUR.

3 Likes

You are very very wrong about this. Understanding a PKGBUILD is not rocket science especially when I have over 15 years of software development experience and I have built Operating Systems from scratch. In fact, understanding AUR and how PKGBUILD works, is very easy.

In the process of understanding, I identified a vulnerability, and now, I’m talking to the community to find a way to address said issue. But the vulnerability is there, it doesn’t matter if I’ve been using AUR for a month, or 20 years, the vulnerability is objectively, and measurably there. And if you want to get really technical about it, I’m open to get really technical if you prefer. And then you can tell me your solutions.

Is it with the general philosophy of Endeavour OS which is to make Arch accessible and easier for those less technically inclined? Unless I completely misunderstood the purpose of this project, then my effort to help the community is misplaced.

I know how to check the PKGBUILDs, sources, etc., myself. My point is to help others who are new.

2 Likes

Easy guys - there’s good thoughts for the ‘rest of us’ from you both - let’s stay on the user-friendly side of EnOS…

6 Likes

There are no security vulnerabilities in the AUR, you are spreading disinformation.

The AUR is just as safe as using the shell. It is as safe as the user makes it. Yes, an ignorant user can cause damage to their system. That’s an issue with the user, not the system. If you want walled gardens, use MacOS.

If that’s your goal, then teach newbies shell scripting and how to build packages, you know, actually useful skills, instead of complaining about a system that needs no fixing.

2 Likes

Feed my paranoia people, feed it. :wink:

1 Like

This is not true, and even the Arch Linux community addresses the vulnerabilities in several posts over there. But I don’t have the time on my hands right now to make a detailed post, but I will tonight, and educate a veteran as well.

1 Like