Posted by qwertox 5 hours ago

Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Packages(www.phoronix.com)
163 points | 69 comments | page 2
Havoc 4 hours ago|
As I understood it this was mostly orphaned packages?
Shank 4 hours ago||
That's correct, orphaned packages could be adopted seemingly automatically, so someone did and then published malware in bulk.
beej71 1 hour ago||
This makes me want to adopt more packages. Lots of the orphans barely need updating.
gbin 3 hours ago|||
Yes and honestly super kudos to paru's creator for the nagging warning about installed orphan packages that made me remove them immediately.

So with a dozen various systems running arch/cachyos for various purposes, 0 impact.

We seriously dodged a bullet though, should we have some kind of AI spotting shady activity before it hits the userbase?

ajross 3 hours ago||
Not even "packages" in the distro sense. You can't use software installed with Arch to install this stuff via any path that isn't isomorphic to rebuilding the package yourself.

This was the AUR repository, which is the community-maintained soup of non-distro packages. They're packaged using the same tools and technology, with the intent that they can be easily validated and promoted to core stuff in the future. But they aren't really "Arch Linux". You need to deliberately enable and install tools to pull stuff from it.

Think of this as Steam or Chrome. You can install those on Arch, and people do, but if Chrome extensions or Steam games suffer an incident like this you don't blame the distro.

cge 1 hour ago||
> They're packaged using the same tools and technology, with the intent that they can be easily validated and promoted to core stuff in the future.

That's perhaps the intent ideally, but in practice, it feels like AUR tends to be (a) niche, esoteric things that will never be anywhere outside of AUR, even if they could, or (b) installation methods for proprietary/otherwise non-open packages that can't be.

The latter seems to be a major popular use of AUR: sorting packages by popularity or votes comes up with lists that seem to be mostly these. And that's likely a significant draw for non-technical users. If you want to install things like Dropbox, Chrome, VS Code, Minecraft, Zoom, Slack... they all show up in AUR. By their nature (usually extracting packages from upstream installation methods), they tend to be more complicated than generic AUR packages. They are also often quite a bit more convenient than using the upstream packages, which might not interface well with Archlinux, might only be available with installation methods that clobber things, might be deb/rpm only, etc.

I wonder if it would make sense to have a more trusted/vetted repository of these sorts of scripts, separate from core repositories but also not as free-for-all as AUR. That might go a long way toward keeping non-technical users from being drawn to AUR.

shevy-java 3 hours ago||
While this makes Arch Linux look bad right now, I recall how many years ago Gentoo was leading the pack with regards to having many clever people on board. Then came Arch Linux and eventually it put Gentoo as a second tier distribution. Arch has a lot of momentum; I myself am using Manjaro right now, primarily because it makes many things - including compiling from source - simple. As simple as Slackware, before Slackware fossilized (it's still alive of course, but just look at the most recent ISO release, then you'll understand the problem; when a distribution is no longer able to release .iso files, then it is in my book dead).
BoingBoomTschak 1 hour ago|
Arch has always been script kiddie tier compared to Gentoo lol.
w4yai 3 hours ago||
"linux has no malware, windows bad boooh"
dist-epoch 2 hours ago|
"linux has a central package manager with every app that you need, so you don't need to install random apps from random websites like on windows"
rvz 3 hours ago||
Who's on Arch Linux btw?
new_usemame 4 hours ago||
[flagged]
tryauuum 4 hours ago|
How bad was it?
graemep 4 hours ago|
1,500 packages out of 107,000 so pretty bad, ameliorated by only affecting installs of those in a window of a few days.

AUR comes with a warning that it's up to you to check what you install from there.

__s 4 hours ago|||
I was concerned at headline, then saw "oh just AUR"

Next up, "millions of malicious packages still not taken down on internet"

maxerickson 4 hours ago|||
I wonder what typical AUR usage looks like. I apparently have 27 packages installed and last updated one in November.
TomK32 3 hours ago||
There's more than one way but this lists packages not installed by pacman itself:

    pacman -Qm
Only 237 on my 12 year old system but I rarely update AUR packages and usually try to remove unused ones before updating.
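A practical follow-up to the `pacman -Qm` check above, since the incident only affected installs made inside a window of a few days: list which foreign packages were installed or upgraded inside a given time window. This is an added example written for this thread, not code from any commenter or from the Arch project. It reads the pacman local database directly (`/var/lib/pacman/local/<name>-<version>/desc`, whose `%INSTALLDATE%` field is an epoch timestamp) rather than parsing the locale-dependent `Install Date` line of `pacman -Qi`. The sample database it builds under `$TMPDIR` is constructed here so the script runs offline; on a real system point `DB` at `/var/lib/pacman/local` and feed it `pacman -Qm | cut -d' ' -f1`.

```shell
#!/bin/sh
# Added example: find foreign (AUR) packages installed within an epoch window.
# Real pacman local db lives at /var/lib/pacman/local; we build a constructed
# sample here so the script runs stand-alone.

DB="${TMPDIR:-/tmp}/pacman-local-sample.$$"

# mk_desc NAME VERSION INSTALLDATE_EPOCH : write a minimal desc file in the
# same layout pacman uses (%FIELD% header line, value line, blank line).
mk_desc() {
    mkdir -p "$DB/$1-$2"
    printf '%%NAME%%\n%s\n\n%%VERSION%%\n%s\n\n%%INSTALLDATE%%\n%s\n\n' \
        "$1" "$2" "$3" > "$DB/$1-$2/desc"
}

# Constructed sample: names and dates are invented for the example.
mk_desc foo-bin  1.2-1    1700000500   # inside the window below
mk_desc bar      0.9-2    1690000000   # installed long before the window
mk_desc foo      2.0-1    1700050000   # inside the window; prefix of foo-bin
mk_desc baz-git  r12.abc-1 1700000100  # inside the window but not foreign

# recent_foreign_installs DBDIR START_EPOCH END_EPOCH < package-names
# Reads foreign package names from stdin (one per line, as produced by
# `pacman -Qm | cut -d' ' -f1`) and prints "name installdate" for each one
# whose %INSTALLDATE% falls within [START_EPOCH, END_EPOCH].
recent_foreign_installs() {
    db=$1; start=$2; end=$3
    while IFS= read -r n; do
        [ -n "$n" ] || continue
        # The glob may also match longer names (foo-* matches foo-bin-1.2-1),
        # so the awk program re-checks %NAME% against the requested name.
        for d in "$db"/"$n"-*/desc; do
            [ -f "$d" ] || continue
            awk -v n="$n" -v s="$start" -v e="$end" '
                /^%NAME%$/        { getline name }
                /^%INSTALLDATE%$/ { getline ts
                                    if (name == n && ts+0 >= s+0 && ts+0 <= e+0)
                                        print name, ts }
            ' "$d"
        done
    done
}

# Wrapper so the sample can be exercised with one call.
sample_check() {
    printf 'foo-bin\nbar\nfoo\n' | recent_foreign_installs "$DB" 1700000000 1700100000
}

# Usage on a real system (GNU date assumed for the window calculation):
#   pacman -Qm | cut -d' ' -f1 | \
#     recent_foreign_installs /var/lib/pacman/local "$(date -d '5 days ago' +%s)" "$(date +%s)"
sample_check
```

Anything the script prints is a foreign package whose current install record dates from the window you care about; those are the PKGBUILDs worth re-reading (and, for `-bin` style packages, re-checking the upstream source and checksums) before deciding whether to rebuild or remove them. Packages that were merely present but not touched in the window do not show up, which matches the point made above that only installs inside the window were affected.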