AURpocalypse now: a look at the recent AUR attacks

Posted by jwilk 5 days ago

AURpocalypse now: a look at the recent AUR attacks(lwn.net)

134 points | 101 commentspage 2

jzer0cool 2 days ago|

What is a good review? Or different tiers of review? When thinking about packages, say in npm world, I still wonder about trust within nested dependencies. New users might also be unfamiliar. Any thoughts or any guidances?

mentalgear 4 days ago||

The funny thing is: with FOSS you know what's going on attack-wise as they are transparent , but there must be huge upheaval in the closed source (e.g. MS) software that is just kept quiet by stock-price-chasing executives.

diogenes_atx 4 days ago||

There are automated scripts to check if the infected AUR packages are installed on your system:

https://forum.endeavouros.com/t/malicious-aur-checkup-script...

https://github.com/lenucksi/aur-malware-check

AquaWeasel 5 days ago||

Despite that official Arch repos weren't affected in this attack, I would not recommend using Arch (or any rolling release distro) for anything that requires security. (Imagine if the xz backdoor targeted Arch...)

An Arch maintainer that I personally know once admitted that he rarely review upstream changes when bumping package versions. He only does that when the build breaks.

I can't blame him for what he did, since it's not reasonable to ask package maintainers to spend all their time on those stuff, especially in this "Age of AI" where more and more software are being aggressively refactored (or rather rewritten) and added more features.

What we can do is choosing a stable distro (like Debian) where packages are more thoroughly reviewed, and apply security practices (such as TOTP, sandboxing browsers and video players, etc.) even though they cause inconvenience.

Ferret7446 5 days ago||

I don't think Arch maintainers are responsible for auditing upstream. They package the upstream only.

ChocolateGod 4 days ago||

If you package software for a distro, you have some responsibility for reviewing what you publish.

If you distribute an update that has malware, that is you publishing malware.

kryptiskt 4 days ago|||

It's a complete fantasy that Debian maintainers do a thorough review of changed packages. It's not a responsibility they have, and it would be impossible anyway (how many packages are there in Debian? How many maintainers are there?).

zbentley 5 days ago|||

> An Arch maintainer that I personally know once admitted that he rarely review upstream changes when bumping package versions.

Cool story bro. Assuming that's common, I have trouble understanding why Arch (non-AUR) is any more at risk than Debian--besides the latter being more popular and having more users/incidental testers, which is a real benefit if that's your goal, but has its own drawbacks (like older and known-vulnerable packages lingering for longer before updated releases are made available).

> it's not reasonable to ask package maintainers to spend all their time on those stuff, especially in this "Age of AI"

Aren't Debian and friends similarly at risk of this as well, then?

> security practices (such as TOTP, sandboxing browsers and video players, etc.)

I'm not sure if those are more or less prevalent on Arch; I know that many IDEs and GUI programs I've installed on Arch ran by default in Flatpaks or similar, and Debian/Ubuntu like Snaps, but I'm honestly not familiar with whether those ecosystems have significant and/or equivalent penetration in different distros.

skjfjnflw 5 days ago||

Debian freezes the package versions on release of each Debian version and then cherry picks critical fixes for the rest of the Debian version's lifecycle. So even if they never review the code (and I don't expect them to), they're less likely to release malware before it's discovered by others.

thewebguyd 5 days ago|||

That model is getting increasingly difficult and labor intensive, unfortunately. More and more upstream are abandoning the old school security advisories. Not many are isolating CVEs or security fixes into distinct patches, the fixes come with a version bump and often accompany new features or other bug fixes.

There's also plenty projects that silently fix security bugs without issuing a CVE or even labelling them. So now the maintainer of that packages has to monitor the commit logs, figure out if a particular bug fix has security implications and then backport it to the older version which is becoming harder and harder over time.

Unless you have a massive team or a big enough army of volunteers, the LTS model is becoming less and less viable over time, you are often safer on rolling release or close to it (something like Fedora's pace is good).

skydhash 5 days ago||

I like the Alpine model where they have a set of packages they maintain via the core team and everything else is in "testing".

akerl_ 5 days ago|||

You get a lower risk of them pulling in a bleeding edge vulnerability, but a higher risk that you'll get stuck with an old bug waiting for the maintainer to pull in a patch. Then there's the risk that in their attempt to cherry pick, they don't actually mitigate the issue (or introduce more issues based on how they diverge from upstream).

There's no silver bullets here.

skydhash 5 days ago|||

> but a higher risk that you'll get stuck with an old bug waiting for the maintainer to pull in a patch. Then there's the risk that in their attempt to cherry pick, they don't actually mitigate the issue

Which is why the whole process is open sourced and you can get easily the source version of a package, edit it and rebuild it.

armada651 5 days ago|||

> There's no silver bullets here.

Because it's a trade-off, just like stability is, they're both software bugs in the end so mitigating them has similar pros and cons.

matheusmoreira 5 days ago|||

Alarming. The whole point of official repositories is they're trusted, since they are maintained by trusted people. If one can't trust maintainers to be responsible, then the official repositories are no different than the AUR.

akerl_ 5 days ago||

> where packages are more thoroughly reviewed

Where are you drawing your conviction that non-rolling-release distro maintainers are doing a more thorough review of upstream changes?

> such as TOTP

What?

DoctorOetker 4 days ago||

there have been multiple package list checkers released, but unclear which ones are trustworthy, I can't immediately find a list from the official channels (through AUR website) to such approved scanners?

stevefan1999 5 days ago||

Well all of those attacks are just supply chain attacks, and it is basically exploiting people's trust. With LLMs, the speed and velocity of pumping out malice raised are now significantly faster.

It is so sad that every goodwill eventually got enshittified as well.

rvz 5 days ago||

Who still uses Arch btw after this?

rcxdude 5 days ago||

The AUR has consistently had warnings around it of 'verify the PKGBUILD', far more so than any other package repository that allows anyone to sign up. Probably the only notable difference is the ease of taking over an orphaned package.

zbentley 5 days ago|||

The AUR is not the Arch package manager or repository. The main Arch package repos are managed similarly to Debian, or Fedora, or whatever--caveat Arch's nature as a rolling release, but in terms of vetting and ownership/security, the approaches are similar. pacman installs from regular, real, vetted repositories by default. pacman will never install from the AUR. pacman is the official Arch package manager and the only one that is provided with the main Arch distribution/install instructions.

The AUR is, as many others have pointed out, a deliberately un-vetted pile of random Git repos. Arch deliberately doesn't even ship with a default one-click installer for AUR packages; their published guidance is "git clone this stuff from wherever it's hosted and build it at your own risk". Plenty of third-party, non-Arch-blessed tools turn that into a one-click process, but it's not "part" of Arch itself--at least not any more than, like, curl | bash or directions on how to add rando websites to /etc/apt/sources.list.d is part of Debian and friends.

I've used Arch as a daily driver for years. At peak, I've had five (5) total packages, with no transitives, installed from the AUR. Today I have one: sublime-text-4. It's perfectly possible--and extremely reasonable for many users, even power users--to live in an AUR-less world, or to use so few AUR packages that the guidance of "read what you're installing, doofus" is manageable and not onerous.

anagram666 5 days ago|||

If you want something from the AUR, just don't be lazy, read the pkgbuild.

QuaternionsBhop 5 days ago|||

I was not affected

akerl_ 5 days ago|||

Is there another distro that has an equivalent of the AUR with handling you think is preferable?

orbital-decay 5 days ago|||

AUR is fast and loose and doesn't do much "handling" by design, so it's hard to find any equivalent repo. But there's always a tradeoff between fresh (nixpkgs unstable, might be the closest) and tested (Debian).

akerl_ 5 days ago||

AUR isn't just the testing repo of Arch; it's explicitly just an open spot where anybody can put up "here's a PKGBUILD for folks". I don't see how it's like either the Nix or Debian examples.

orbital-decay 5 days ago||

Well, Nix has NUR which is a direct equivalent but it's not nearly as broadly used and I assume "here's a PKGBUILD for folks" is already too permissive for you if you're asking.

There's no maintainer vetting process in nixpkgs as far as I know, anyone can own a bunch of packages. There are quality standards and it's not "here's a bunch of nix code for folks" but it's the next possible thing in the line after that.

akerl_ 5 days ago|||

It seems like you may have mistakenly inferred that I have issues with the AUR?

I don't; I use Arch on 100% of my personal servers, have done so for something approaching 20 years, and don't see myself changing.

But I treat the AUR for what it is: a place where anybody can say "here's a PKGBUILD for folks" and it's on me to evaluate it on its merits.

I was legitimately asking the person upthread what other distro they felt had a better model for this kind of sharing, because they seemed to think this was a reason for Arch users to jump ship and I was curious what they thought would be the elements of a better system.

isityettime 5 days ago|||

The NUR was sort of convenient before flakes were a thing, but now that there's a really common convention for sharing Nix code few use it. I bet most people who came across Nix in the last 4 years have never even heard of it.

einsteinx2 4 days ago||||

No because there’s no way to handle an open submission repository at all. It’s impossible by design since anyone can submit packages to it.

I would never use anything equivalent to AUR on any distro due to the obvious security implications. That’s been my position for as long as I have known about Arch. I never understood Arch users using the AUR as a selling point for the distro.

Then again I live in the opposite end of the spectrum where I run only Debian Stable on my Linux desktop as well as my servers, where packages make it through Sid and Testing before getting to Stable and I can be relatively sure any supply chain attacks have been caught by then (like xz for example which was caught before it left Sid).

For those unfamiliar with Debian, Sid is basically a rolling release similar to using Arch with the official repositories (which is already dangerous without even touching the AUR), then packages move to Testing, then later eventually make it to Stable.

akerl_ 4 days ago||

The AUR is, in my opinion, a pretty convenient selling point if you use any esoteric software.

It’s basically like a crowdsourced set of people’s tips and tricks for installing stuff on Arch, all written in the format Arch uses for packages.

Similar to how I’d not blindly take code from an AI and whack it into production, I wouldn’t blindly take an AUR PKGBUILD and execute it. But it’s nice to have a place to go see “huh, I wonder if anybody has shared their approach so I can borrow from it”.

einsteinx2 4 days ago||

That’s a perspective on the AUR that I hadn’t really seen before from Arch advocates, in my (admittedly hazy memory) it’s usually mentioned in the sense of “Arch is great because you always get the latest packages in the official repos and basically anything you possibly need you can just install from the AUR”. If you’re actually using it just as a reference guide essentially then it seems like there’s some value there.

However, I’ll push back a bit from my perspective as a Debian Stable user. I would consider even the official Arch repositories to be dangerous just like I consider Debian Sid’s repos to be dangerous (packages are too new and not sufficiently vetted). Then regarding installing packages not available in the main Debian repos, I’ve never really had any issues installing them either as there is always either an official developer run apt repo I can add, or an official deb package, or it just builds directly from official source without tweaks. So I’ve honestly never felt like I was missing “a crowdsourced set of people’s tips and tricks for installing stuff” on Debian as I’ve just never needed one.

I do realize that installing the latest packages directly from a developer’s repo or latest deb package or source is as dangerous as the Debian Sid or Arch official repos for the same reason (too new, not vetted), but the difference is those are only a tiny portion of the packages installed on my system (like a percent of a percent, maybe a half dozen packages out of hundreds). If I ran Sid or Arch, it would be 100% of the packages on my system which is an attack surface orders of magnitude larger.

EDIT: It did just occur to me after posting this reply that I use Homebrew pretty extensively as a package manager on macOS and its official repos are equivalent to Sid/Arch official repos, so I may be a bit of a hypocrite here :P

akerl_ 4 days ago||

There are also dangers of being on older versions in Debian that rely on maintainers identifying and correctly back porting critical changes.

Fwiw the Arch docs are pretty clear that the AUR is a Wild West and that you should be vetting anything you find there before you run it.

dizhn 5 days ago||||

Opensuse OBS. Tiny bit better because the build environment doesn't allow a network and binaries are not allowed as far as I know. Fedora has a similar thing COPR. Both of these support building packages for other distros as well as appimage, flatpak etc.

With opensuse official packages also use the same infrastructure. It is actually quite fascinating and powerful. (I know a lot less about COPR but I would imagine it would be equally as good. Wezterm switched to that for its packages)

guilhas 5 days ago||||

Gentoo

But let's hope we get this solved, like peer review model, vouch, or something

It is very good to be able to find build/install files for everything

akerl_ 5 days ago||

Gentoo's model appears to be basically the same? Like the AUR, anybody can submit basically anything they want. The requirements amount to containing valid packages, having a bugzilla account, and putting your package definitions in VCS somewhere.

butterknife 5 days ago||

In overlays that need to be explicitly enabled. Not as convenient as yay yolo.

We can also add npm to package.mask.

akerl_ 4 days ago|||

Yay isn’t in the official arch repos? The only way you get stuff from the AUR is by explicitly pulling down to repo and building with makepkg or explicitly finding and installing an AUR “helper”.

BoingBoomTschak 4 days ago|||

https://wiki.gentoo.org/wiki/Project:GURU

tormeh 4 days ago||||

Windows where you just download .exe and .msi files from random websites. Not a Linux distro, but the closest security model I can think of.

akerl_ 3 days ago||

You think that users having to find and download software from the Internet at large is both similar to the AUR model and has preferable handling of these issues?

Can you elaborate?

tormeh 3 days ago||

To me, installing software from the AUR sounds a lot like downloading Windows software from .info sites and torrents. It's mostly fine, but it's not exactly a surprise when things go wrong.

dokyun 5 days ago|||

SlackBuilds.org is pretty sensible.

beej71 5 days ago|||

I do. I just keep reading the diffs on the PLGBUILDs.

segfalt_ 5 days ago|||

I do, I'm just choosy about aur packages I use

giancarlostoro 5 days ago||

I still do, I just don't touch AURs anymore.

orf 5 days ago||

> New user registration was stopped on June 11 and then re-enabled after the project added Anubis to try to foil the attacker's mass account registrations. That did not work

This confuses me - why would a proof-of-work anti-scraping system like Anubis prevent registrations?

lemagedurage 5 days ago|

Implementing a bot to do registration is not a "copy as curl " click away anymore, and creating millions of accounts maybe become computationally expensive.

This is not much, but it could deter some low effort adversaries.

orf 5 days ago||

I see that, but the adversary wasn’t a low effort one, and didn’t need millions of accounts.

MintPaw 5 days ago|

A side note, isn't package maintenance something that can actually be solved to some extent by LLMs? The prompt would be something like "Clone this repo and build this package while building/bundling as few other packages as possible with minimal code changes."

Then set it in a loop on all the packages for a particular system, I don't have experience in package maintenance and would be curious what kind of issues would come up.

isityettime 5 days ago||

Packaging for Linux distros is about review, following standards and conventions, authority, and responsibility. (And maybe also sometimes patching for compatibility.) LLMs can sometimes help with some of the mechanical parts, but the curation and trust stuff not so much.

OJFord 5 days ago||

And everyone does this individually you mean, rather than sharing the result as 'a package'?

It's an interesting idea, not sure I'd recommend it broadly, but if someone told me they prefer to trust an LLM than third-parties I'd get it at least.