Maybe maintenance of packages shouldn’t just be handed over to newly created accounts. This is a design flaw on AUR’s part. As Linux popularity rises, these types of attacks will just keep growing. There should also be some sort of system where it is easy to verify that the maintainer of the package is also the actual developer. Like brave-bin has brave has the maintainer who are also the creator. Just give a green check mark to them or something.
Or maybe don’t use AUR blindly? You’re doing the equivalent of sudo curl --- | bash. Who knows what the script is doing. So only do it if you truly trust it. That’s why we have warnings plastered all over. That’s also why a warning label and sticker exists. And this is precisely the reason easy no user input AUR helpers are greatly discouraged
Plastering warning labels everywhere is a cheap way to shift 100% of the accountability onto the user. Security should be built into the AUR’s design (throttling new accounts, forcing forks for orphaned takeovers or maintainer-developer verification), not outsource your job to the users as a reading assignment before every system update. Humans are the final layer of defense not the first.
Or maybe don’t use AUR blindly? You’re doing the equivalent of sudo curl — | bash… So only do it if you truly trust it.
There is a massive difference between blindly curling a random script from the open web and using a centralized, organized community repository. Yes AUR helpers are not recommended but they exist and are used by majority of Arch users and you can’t expect the user to know code and pkgbuilds especially when distros like CachyOS make it so damn easy to install the OS with AUR being just a checkbox away.
You said it yourself that it is a community repository. No difference between that and the internet forum. You are putting the burden of accountability on the maintainer that way. Which I would remind you, is unpaid unlike say, github and npm that HAS a financial means to do a lot of security implementation. Yet those platforms still fail to do it.
Also, humans ARE the first layer of defense. Because anything you do on your device (on linux anyway, and specifically arch) is YOUR decision. Antivirus and everything else should kick in when the human fails.
You are normalizing people downloading things off the unvetted internet like on windows. Linux has a vetted repo already. THOSE are what people should be using and I’m fine with if those are being blamed. Everything else is USER due diligence. That is why the existence of easily installing malware like limewire does not justify blaming the platform. Or do you also blame torrenting site when they are chock full of malware?
Fine agree with all of what you say. But still the AUR is the only repo where this happens majority of the times. So what to do next? I am sure the solutions I mentioned in a comment below are not that difficult to implement.
Sure, your proposed solution is a good way to weed out the low hanging fruit. But I don’t like that it may create friction for normal users. AUR was never meant to be a FOSS project on its own with a full time maintainer that maintains PKGBUILD and the infra.
Like I said before, it is more akin to an internet forum and pastebin more than a full fledged package repository. And to be fair, it isn’t a package repo anyway. It’s like a cmake / makefile sharing site. Building and packaging for arch is just that easy compared to say, debian.
If people want to use a repo, there is chaotic aur. Maybe that could be the way too. A dedicated community project to vet the AUR. Or the project maintainer itself could provide a pkgbuild directly on their repo.
Just don’t ever blame the maintainer for providing a place to store something for free and open to anyone. Especially if it is your choice to get something from said place and be surprised that it is malware.
Maybe maintenance of packages shouldn’t just be handed over to newly created accounts. This is a design flaw on AUR’s part.
That is the whole purpose of AUR, users can create and share packages with minimum fuss. That does not mean that it is a good idea to run the code of some random guy on your computer.
But open source has always worked like that, by code sharing and collaboration - on tapes, on FTP servers, on Sourceforge or github and today on codeberg. The way the Arch User Repository (this is AUR spelled out) makes this easy is great!
Just don’t run random code that you don’t understand, and cannot reasonably trust.
Just don’t run random code that you don’t understand
I don’t understand any code so does that mean I shouldn’t use any software? that is 99% of the world.
whole purpose of AUR, users can create and share packages with minimum fuss
This doesn’t take away responsibility away from the Arch team. I can manually review pkgbuilds all day trying to understand no problem but expecting the user to do it every update is stupid. At some point the user will just start to trust that package maintainer. I already mentioned few steps that the Arch team can take in a comment below.
I am not talking about the code. I am talking there are basically zero security measures.
Edit:
Demanding to do more work from volunteers which already do a lot of work for free is rude. If you want something done - do it yourself
Then don’t make the platforms in the first place. This is such a stupid argument. It’s like someone creating a nuke but then ignoring the security measures and telling the rest of the people to take care of it. Genius. Should stop asking people to switch over to Linux as well then. Might as well I should just start bad mouthing and defaming Linux because users are left on their own by a hostile community.
Without the AUR Arch becomes a third world country distro because the official repos have only the basics.
Arch has 17,000 packages and is one of the largest distros. If you want more, you can use Debian, (or maybe NixOS, but you won’t get the same quality).
I am gonna get a lot of hate for this but the AUR flaws are hidden behind a legal warning of “At your own risk”. They just don’t want to take the legal consequences for this. That’s why there are basically 0 preventive measures for detecting bad actors and preventing malicious attacks.
I can think of some solutions:
If a package is orphaned then let a potential maintainer just fork it and flag the original for deletion. So the user who has actually installed the old package and want an update will manually go out looking for the updated one instead of just doing a yay -Syu one day and getting malware on the system.
If the developer and maintainer are the same for an AUR package, let them maybe add a ArchWiki style captcha, whose output can be added to the upstream repo like in .aurverification file, which can be detected by AUR when putting in the upstream repo URL and the maintainer must verify with that captcha every 6 months or so just to prove active development. If they fail to do so, mark the package as abandoned or unverfied.
Newly created accounts will have a cooldown of a week to add a new package to the AUR (I don’t know if this exists already as I haven’t looked into it). And they can only create one repo in a month until a year has passed. They can takeover or fork orphaned packages only after a year and if they are maintaining at-least one repo of their own.
Maybe maintenance of packages shouldn’t just be handed over to newly created accounts. This is a design flaw on AUR’s part. As Linux popularity rises, these types of attacks will just keep growing. There should also be some sort of system where it is easy to verify that the maintainer of the package is also the actual developer. Like brave-bin has brave has the maintainer who are also the creator. Just give a green check mark to them or something.
Or maybe don’t use AUR blindly? You’re doing the equivalent of
sudo curl --- | bash. Who knows what the script is doing. So only do it if you truly trust it. That’s why we have warnings plastered all over. That’s also why a warning label and sticker exists. And this is precisely the reason easy no user input AUR helpers are greatly discouragedPlastering warning labels everywhere is a cheap way to shift 100% of the accountability onto the user. Security should be built into the AUR’s design (throttling new accounts, forcing forks for orphaned takeovers or maintainer-developer verification), not outsource your job to the users as a reading assignment before every system update. Humans are the final layer of defense not the first.
There is a massive difference between blindly curling a random script from the open web and using a centralized, organized community repository. Yes AUR helpers are not recommended but they exist and are used by majority of Arch users and you can’t expect the user to know code and pkgbuilds especially when distros like CachyOS make it so damn easy to install the OS with AUR being just a checkbox away.
You said it yourself that it is a community repository. No difference between that and the internet forum. You are putting the burden of accountability on the maintainer that way. Which I would remind you, is unpaid unlike say, github and npm that HAS a financial means to do a lot of security implementation. Yet those platforms still fail to do it.
Also, humans ARE the first layer of defense. Because anything you do on your device (on linux anyway, and specifically arch) is YOUR decision. Antivirus and everything else should kick in when the human fails.
You are normalizing people downloading things off the unvetted internet like on windows. Linux has a vetted repo already. THOSE are what people should be using and I’m fine with if those are being blamed. Everything else is USER due diligence. That is why the existence of easily installing malware like limewire does not justify blaming the platform. Or do you also blame torrenting site when they are chock full of malware?
Fine agree with all of what you say. But still the AUR is the only repo where this happens majority of the times. So what to do next? I am sure the solutions I mentioned in a comment below are not that difficult to implement.
Sure, your proposed solution is a good way to weed out the low hanging fruit. But I don’t like that it may create friction for normal users. AUR was never meant to be a FOSS project on its own with a full time maintainer that maintains PKGBUILD and the infra.
Like I said before, it is more akin to an internet forum and pastebin more than a full fledged package repository. And to be fair, it isn’t a package repo anyway. It’s like a cmake / makefile sharing site. Building and packaging for arch is just that easy compared to say, debian.
If people want to use a repo, there is chaotic aur. Maybe that could be the way too. A dedicated community project to vet the AUR. Or the project maintainer itself could provide a pkgbuild directly on their repo.
Just don’t ever blame the maintainer for providing a place to store something for free and open to anyone. Especially if it is your choice to get something from said place and be surprised that it is malware.
That is the whole purpose of AUR, users can create and share packages with minimum fuss. That does not mean that it is a good idea to run the code of some random guy on your computer.
But open source has always worked like that, by code sharing and collaboration - on tapes, on FTP servers, on Sourceforge or github and today on codeberg. The way the Arch User Repository (this is AUR spelled out) makes this easy is great!
Just don’t run random code that you don’t understand, and cannot reasonably trust.
I don’t understand any code so does that mean I shouldn’t use any software? that is 99% of the world.
This doesn’t take away responsibility away from the Arch team. I can manually review pkgbuilds all day trying to understand no problem but expecting the user to do it every update is stupid. At some point the user will just start to trust that package maintainer. I already mentioned few steps that the Arch team can take in a comment below.
The Arch team is not responsible for this code.
And to add, demanding to do more work from volunteers which already do a lot of work for free is rude. If you want something done - do it yourself.
I am not talking about the code. I am talking there are basically zero security measures.
Edit:
Then don’t make the platforms in the first place. This is such a stupid argument. It’s like someone creating a nuke but then ignoring the security measures and telling the rest of the people to take care of it. Genius. Should stop asking people to switch over to Linux as well then. Might as well I should just start bad mouthing and defaming Linux because users are left on their own by a hostile community.
Not from AUR.
Without the AUR Arch becomes a third world country distro because the official repos have only the basics.
Arch has 17,000 packages and is one of the largest distros. If you want more, you can use Debian, (or maybe NixOS, but you won’t get the same quality).
And what do you need so many packages for?
Zen Browser, Elecwhat (Whatsapp – which is recommended in Arch Wiki), Razer peripherals drivers, heroic games launcher.
“No way to prevent this” says only repository where this regularly happens
I am gonna get a lot of hate for this but the AUR flaws are hidden behind a legal warning of “At your own risk”. They just don’t want to take the legal consequences for this. That’s why there are basically 0 preventive measures for detecting bad actors and preventing malicious attacks.
I can think of some solutions:
yay -Syuone day and getting malware on the system..aurverificationfile, which can be detected by AUR when putting in the upstream repo URL and the maintainer must verify with that captcha every 6 months or so just to prove active development. If they fail to do so, mark the package as abandoned or unverfied.