Arch Linux AUR Repository Found to Contain Malware

152 点作者 fdm将近 7 年前

16 条评论

cmiles74将近 7 年前

From the article:"This is yet another incident that showcases that Linux users should not explicitly trust user-controlled repositories."LOL. Why should this only apply to Linux users? We should all be wary of downloading random things from websites.AUR has always been labeled "user submitted", but I guess it's easy to forget that some "users" are really out to cause harm.

评论 #17501695 未加载

评论 #17502793 未加载

评论 #17502310 未加载

pandasun将近 7 年前

The article mentions 3 infected packages. But it only lists one: acroread.Then the comment section mentions the other one is libvlc.But the mailing list says this is something different: <a href="https://lists.archlinux.org/pipermail/aur-general/2018-July/034158.html" rel="nofollow">https://lists.archlinux.org/pipermail/aur-general/2018-July/...</a>So then there's still two missing.Here's what I've found that he maintained:1) balz (<a href="https://archive.fo/TjIQI" rel="nofollow">https://archive.fo/TjIQI</a>)2) minergate (<a href="https://archive.fo/TjIQI" rel="nofollow">https://archive.fo/TjIQI</a>)3) acroread - as mentioned (<a href="https://my.mixtape.moe/kvfpmk.png" rel="nofollow">https://my.mixtape.moe/kvfpmk.png</a>)So those "balz" and "minergate" could be the missing two.Edit: seems like archive.fo is temporarily down, so it will just be my word for it right now. Sorry.

评论 #17503309 未加载

评论 #17501916 未加载

Tharre将近 7 年前

For the people interested, here's the actual commit from the acroread package:<a href="https://aur.archlinux.org/cgit/aur.git/commit/?h=acroread&id=b3fec9f2f16703c2dae9e793f75ad6e0d98509bc" rel="nofollow">https://aur.archlinux.org/cgit/aur.git/commit/?h=acroread&id...</a>

评论 #17502685 未加载

评论 #17503172 未加载

westmeal将近 7 年前

Doesnt everyone know AUR packages are inherently unsafe? if you wanted to make sure they werent up to something you could read the pkgbuild

评论 #17502542 未加载

评论 #17507817 未加载

Aardwolf将近 7 年前

Unfortunately lots of things one actually wants are on AUR, things like jpeginfo, golly, steam-fonts, simple-mtpfs, jslint, ...A case for putting more things in the main Archlinux repositories!

评论 #17502307 未加载

评论 #17502445 未加载

jdlyga将近 7 年前

This is exactly what we've been preparing for. Don't use yaourt, and read those diffs. I know a lot of people don't do this, but it's important.

评论 #17502074 未加载

评论 #17502782 未加载

评论 #17502548 未加载

tombert将近 7 年前

I mean, is this new information? I always look at the upvotes on the package to see if it has been tested.

评论 #17501619 未加载

评论 #17501959 未加载

评论 #17502526 未加载

arendtio将近 7 年前

As an Arch user this bothers me since a while. On the one hand the AUR contains packages I don't want to miss, on the other hand installing and updating from the AUR is tiresome.Recently I switched to the AUR helper aurman which is great, but it still doesn't free you from reviewing PKGBUILD changes. Sometimes I wish there would be some kind of review process where popular packages could be labeled as 'reviewed' (e.g. by experienced/trusted arch users) and an (optional) option within the AUR helpers to accept 'reviewed' packages without presenting the PKGBUILD for review.I know that wouldn't be perfect either, but at least it would increase the efficiency and as a user one could focus on the less popular packages where it is unlikely that someone else will find some malware.

评论 #17502701 未加载

jolmg将近 7 年前

Is there a public database of linux malware found in the wild that one can study to know what kind of things to look for when reviewing PKGBUILDs and other open source code?EDIT: s/repository/public database/

评论 #17502713 未加载

etu将近 7 年前

I'm surprised that this hasn't happened a lot earlier to be honest. It probably has but haven't been picked up by someone. It's a user submitted repo with over 44000 packages (source repology [0]).It has happened to the snap store recently, but AUR has been around for ages.[0]: <a href="https://repology.org/repository/aur" rel="nofollow">https://repology.org/repository/aur</a>

jancsika将近 7 年前

> Following the discovery all dangerous instances were removed and the user account suspended.I heard they're making a change to the policy for uploading packages to AUR. The next time this happens the user will automatically receive an email that says, "Hey, don't do that."

delbel将近 7 年前

I tried installing Arch Linux, and it was harder then installing SunOS 4.3. The instructions were absolutely wrong. I wish I could give it another try, but I just don't have time to experience the wow's of the early 90s just to get a browser up.

评论 #17508585 未加载

lerax将近 7 年前

Not a surprise.

评论 #17501772 未加载

relyio将近 7 年前

I don't know a single Arch Linux user who doesn't check the PKGBUILD of the packages they get from AUR.

评论 #17503396 未加载

sandov将近 7 年前

I really hope one day Linux stops using package managers and switches to single-file binary installers as in Windows and Mac. Until that day, I won't feel completely comfortable using Linux.Package managers are an inherently flawed way to distribute software, instead of obtaining your programs from whoever developed that program you get it from your OS developer!.

chimeracoder将近 7 年前

The Arch User Repository hosts whatever people want to upload to it, with basically no proactive vetting whatsoever. In addition, the installation scripts run arbitrary code, a portion of which must run with root privileges. When a package gets orphaned, that means that anybody in the community can take over maintainership of the package.There's a whole lot of trust that has to go on when installing a package from the AUR - and yes, this is a fundamental problem with the security model of Arch Linux, but that's been known for a very long time.Honestly, I'd be surprised if this hasn't happened before with orphaned packages.

评论 #17501770 未加载

评论 #17501628 未加载

评论 #17501768 未加载

评论 #17501459 未加载