Arch Linux Cracks Down on Malicious Commits in User Repository
Malicious hackers have launched a massive assault on the Arch User Repository, compromising over 1,500 user-submitted packages and forcing the Arch Linux team to temporarily halt new account signups to contain the damage. The attack has been mitigated, but not before highlighting the vulnerability of community-run package repositories.
#ArchLinux #ArchUserRepository #Aur #MaliciousCommits #PackageCompromise
OMG, every article about malware in #ArchUserRepository ends with something like "why don't they shut down the repository until all packages are checked?".
That's a misunderstanding of what AUR is. Arch official packages are more curated and actually not affected. Only the user repo is. AUR is like a package forum, where everyone can create and share a package. No authority is curating it closely.
It's like saying "why don't they shut down the arch forum until every mentioned bash command is checked" after somebody breaks their installation by blindly running an evil command like the favourite rm -rf / (don't run this).
And I am not saying that the attack is fine and AUR is a good tool. I think there should be some kind of maintainer reputation system added and package reputation system improved.
What is the Arch User Repository (AUR)?
Arch users are spoiled when it comes to downloading software. You can either get your packages from the official Arch repository, the Snap Store, Flathub, or eliminate the need to install software altogether by simply downloading AppImages. Then there is another option - downloading software from the Arch User Repository (AUR). But not all Arch users are familiar with it, especially newcomers. So, what is the AUR and how can you download […] https://comunitatealinux.ro/ce-este-arch-user-repository-aur/
I didn't know what I was getting into, but 6 hours in, I am building and compiling Brave using Paru, an Arch User Repository (AUR) helper.
It appears for AUR packages that the `-bin` prefix is for compiled binaries. These will save you a lot of time. I've been warned that Chromium based browsers take days to compile, but I'm compelled to the challenge.
Continuing to compile as I use a backup browser.
#bravebrowser #chromium #paru #archlinux #archuserrepository #compile