8

Its so awesome, how easily I can create my own packages in arch.

Comments
  • 3
    Kinda scary too,
  • 2
  • 1
    Well, should it be much more than a list of instructions for how to build the upstream source? Ebuilds in Gentoo are also like that.

    Also @Linux I too would like to know why that's so scary.. I mean it would be if it somehow allowed for people to directly upload malware to the AUR or something like that, but that's really not how the AUR works. An AUR repository only has a PKGBUILD in it (as well as the usual .git stuff of course), which users are expected to review before installation. That includes where the upstream source is fetched from, and what commands are used to build it. Usually the PKGBUILD is a small file, so in about half a minute, one should be able to have a good idea about what's being done in it.

    I don't think that when those requirements are met, there's any real danger lurking in the AUR.
  • 1
    @metamourge @Condor

    That is exactly what I mean - easy to do = much more crappy packages.

    AUR has and is infested with bad packages containing malware. This is a known problem.

    And people are actually not reading the PKGBUILD, the vast majority does simple not. They just install stuff as if it was from a trusted and verified source.

    Well, with that being said - enabling AUR should be more complicated and come with a big FAT warning about that people should verify the packages and the sources. But people would still not care.
  • 2
    @Linux any examples of malware packages? Considering that it's infested with malware, I find it very odd that I still haven't found anything of the likes in it.
  • 2
    @Condor
    There was a case in July, where packages by "xeactor" installed a script, which will gather information of your system and send it to a remote-host.
  • 1
    @metamourge yeah, I've read some articles on that just now, as I started digging for AUR malware as well (maybe I'm wrong?). But that's the thing.. package takeover, yes that can happen (although it shouldn't be possible IMO, or at least not without background checking or notification to the users of said package), but it's easy to deflect by actually reading the PKGBUILD. Just like one shouldn't blindly trust a curl someshadysite.ru/install.sh | bash - type of deal, the same goes for a PKGBUILD. AUR managers should expose the PKGBUILD and whatever changed in an update a lot more. Pacaur for example does offer you to view the PKGBUILD upon installation but not during upgrades, which it really should.. and yaourt doesn't do it at all, which is really problematic. But does that mean that the AUR is infested with malware? I don't think so. I mean, 3 packages in a scope of what, tens of thousands of packages? That's like saying that BSD is really insecure because they've had a handful of security issues over the course of several decades. And not only that, it's really easy to spot malicious changes in PKGBUILDs. If only AUR users actually did...
  • 3
    @Condor
    Yep, I think the biggest problem here is the user, probably mostly people who are either new to arch, or script-kiddis that just want to show off.

    I use packer for AUR and it offers me to view and edit PKGBUILDs and .install-script before installing.
Add Comment