• Siegfried@lemmy.world
      4·
      7 days ago

      Did clamav work with AUR affected packages? Sorry if the question is idiotic, cause im ignorant when it comes to security

    • Crozekiel@lemmy.zipEnglish
      2·
      6 days ago

      I am really curious about this. If someone had ClamAV and updated any of these packages from the AUR during the attack, would ClamAV have “solved” that problem? I would love to know the effectiveness of that.

  • HisAssholiness@lemmy.ml
    151·
    7 days ago

    Arch users just randomly dropping “I use Arch btw” everywhere, it was only a matter of time.

      • pressanykeynow@lemmy.world
        22·
        7 days ago

        But your brain should be the best antivirus you have.

        Is there an AUR package for it? seems not in the official repo

      • placebo@lemmy.zipEnglish
        9·
        7 days ago

        But your brain should be the best antivirus you have.

        It’s useful to use brain, but any security layer has holes which is why it’s good to have several layers. Some attacks might be way beyond user’s understanding or come from trusted sources.

      • UnderpantsWeevil@lemmy.worldEnglish
        5·
        7 days ago

        But your brain should be the best antivirus you have.

        True of virtually every OS.

        But “only stupid people get viruses” is exactly the kind of trap that catches folks.

      • AceSLive@lemmy.world
        2·
        7 days ago

        I have eset home but now I’ve gone completely linux, and they don’t do it for home - only business

        Which sucks, as I have a year left on my subscription I can no longer use :/

    • Ghoelian@piefed.socialEnglish
      101·
      7 days ago

      one thread I found from 2 years ago where someone asked for the same thing, a lot of the replies are just “you don’t need antivirus on Linux” lmao

      • CeeBee_Eh@lemmy.world
        23·
        7 days ago

        a lot of the replies are just “you don’t need antivirus on Linux”

        Which is completely true when using distros like Debian, Fedora, RHEL, OpenSuse, etc.

        Arch (and its derivatives) are designed to be on the bleeding edge with ALL the paper cuts that come with it. It is absolutely not focused on stability or security. If you want those things then stick to Debian or Fedora Silverblue.

        And the second you introduce npm to your system you can throw any semblance of security out the window, regardless of what your operating system is, and no antivirus is going to save you.

        That being said, the fundamental security models between Linux and Windows are very different. And on Linux the overall impact will likely be far less damaging (technologically, not financially) than on Windows. Windows “security” is just a corporate marketing campaign.

          • CeeBee_Eh@lemmy.world
            21·
            6 days ago

            npm, yes. Snap and flatpak? No. I’m not saying it’s impossible to get malware. The difference is that snapd and flatpak have various levels of process isolation that largely mitigates any potential issues.

            The argument isn’t “Linux doesn’t have malware”, the argument is “you don’t need to run antivirus on Linux”. Those are two very different things.

            Not even the best antivirus will protect you completely, at that point you need good computer hygiene.

            • Crozekiel@lemmy.zipEnglish
              1·
              5 days ago

              Eh. Flatpak has the option for process isolation, but it kinda works similarly to how android apps have default permissions set and the packager can just go “nah, this gets FULL permissions” and unless you go look and change it yourself, the program isn’t restricted at all. I don’t use ubuntu/snapd so can’t speak to that.

              There are more protections on flathub than the AUR for sure - the AUR is closer to just downloading random shit off the internet than a true repository. That said, it’s crazy to assign the vulnerabilities of the AUR to Arch as a whole… The Arch repos proper (and even Chaotic AUR) didn’t have problems during any of this.

              • CeeBee_Eh@lemmy.world
                2·
                5 days ago

                Flatpak has the option for process isolation, but it kinda works similarly to how android apps have default permissions set and the packager can just go “nah, this gets FULL permissions” and unless you go look and change it yourself, the program isn’t restricted at all.

                You’re not wrong, but even with the AUR it’s (last I checked/heard) a problem with orphaned packages being picked up by random users, and then a “new” PKGBUILD with the malicious bits getting uploaded.

                The reality is that even if everyone just blindly updated through yay this whole time, very few people would be affected because the number of orphaned packages installed is very low. The package managers tend to bug you about orphaned packages.

                The difference with Flatpaks and the Snap Store is that you can’t just take ownership over an abandoned project. You’d have to create your own. And since Canonical is in charge of the Snap Store, they’re quick to react to any sort of security issue.

                the AUR is closer to just downloading random shit off the internet than a true repository

                Ultimately that is what it is. Because some packages are grabbing files from just about anywhere.

                The Arch repos proper (and even Chaotic AUR) didn’t have problems during any of this.

                And that’s really the key. The AUR is bleeding edge with “here be dragons” philosophy. Like I said in my previous comment, if you can’t accept those dangerous (work computer, sensitive data, etc) then simply don’t use Arch.

  • gerryflap@feddit.nl
    10·
    7 days ago

    I learnt a lesson yeah. It looks like I got away, there’s no rootkit, I found nothing weird running, I don’t have npm Installed, and up until now it doesn’t seem like the packages I had installed were compromised. But I had way more AUR packages installed than I was aware of. And I was just updating them without really caring about the pkgbuild, I have better things to do. Multiple packages were outdated crap that shouldn’t have been there anymore.

    I was careless and took too much risk. I reduced the Installed AUR packages to a minimum, and from now on I will verify the PKGBUILDs on every update. Maybe Arch isn’t really what I need. I’m on the LTS kernel and I no longer really use the AUR. But switching will be a huge hassle and this setup will work well from here on out, so I’ll stick to it for now

    • prole@sh.itjust.worksEnglish
      31·
      7 days ago

      I’ve been using Bazzite for a couple of years now and it’s great. Almost boring how stable it is.

      And I access the AUR with an Arch distrobox if I need to

      • Crozekiel@lemmy.zipEnglish
        4·
        6 days ago

        errr… just FYI, if you have AUR packages through distrobox, you are basically just as vulnerable as someone running vanilla arch. You checked if you have anything form the AUR on the nearly 2k (last I checked) package list?

    • helpImTrappedOnline@lemmy.world
      4·
      6 days ago

      Well that’s fun. Odd someone named Campbell asking was for a tomato soup recipe, you’d think that would just be built into their bloodline or something.

      While I’m glad no JS package managers were hurt to make the soup, I do wish the recipe didn’t waste so much water.

    • magnolia_mayhem@lemmy.world
      2·
      6 days ago

      Just keep sending requests and use as many tokens as possible. My wife spent 30 minutes on the phone with a bot the other day, just getting it to dump huge sets of instructions to waste tokens.

  • Shanmugha@lemmy.world
    91·
    7 days ago

    I am at “no fucking yays and the bunch, check the package create/update dates, read PKGBUILD, only update when necessary”. Has served me well so far

  • wylinka@szmer.info
    63·
    7 days ago

    Never use things like yay, just read the PKGBUILD and run makepkg. AUR wasn’t meant to be automated. But it’s better to use Flatpak, because it provides sandboxing (not for every app, but it can be reviewed before installation).

    • Kogasa@programming.dev
      9·
      7 days ago

      Using aur helpers is fine if they make it easy to read the pkgbuild, which paru does. It’s too annoying to check for PKGBUILD and upstream/vcs updates for each package individually.

      Ideally the aur helper would point out when 1) a package changed maintainers since your last install, 2) a package’s PKGBUILD itself changed (not just the upstream/vcs source), 3) the PKGBUILD is less than 24h old or so. And for #2, it should also show you the changes similar to what you see on the AUR site’s “view changes” page. I’m not aware of any aur helper that does these things, but hopefully recent events prompt a change.

  • macniel@feddit.org
    1013·
    8 days ago

    Linux Users: haha those silly windows users, always searching the web for their software and getting viruses.
    Linux Users: oh no I got malware by searching the AUR!

    • Err(()).unwrap()@lemmy.worldM
      431·
      7 days ago

      The AUR is still safer. One, it is at least minimally moderated. If a malicious package is detected, it can be reported and removed. Two, the installer is usually not just a black box executable. Three, most of the build and runtime dependencies are from the official Arch repos, which provides some protection against supply chain attacks. For Windows installers, you have to trust the distributor to bundle clean DLLs (for that matter, the same applies to AppImages).

      But if it starts downloading anything from NPM… ^C and run.

      • Lucy :3@feddit.org
        22·
        7 days ago

        The most unsafe factor of the AUR is aur helpers and their goal to dumb everything down and streamline the process as if the AUR where an official repo

        • CubitOom@infosec.pubEnglish
          81·
          7 days ago

          I’m not entirely sure I agree, I think the issue is with default settings.

          Like you could use both yay and paru to diff the PKGBUILD of the most recent updat and then read it, and then approve each. And I think that’s pretty helpful. But you could also just blindly accept the update with the right config or flag and that is not a good practice.

          • bitfucker@programming.dev
            3·
            7 days ago

            Yeah, use and promote aurto instead. They require you to trust the maintainer and would remove the package from the local repo if the maintainer is changed

            • CubitOom@infosec.pubEnglish
              2·
              7 days ago

              I’m not sure if loosing the maintainer is to only thing we should be going off of here, but I like the name.

              • bitfucker@programming.dev
                1·
                7 days ago

                Well, it is just like a distro maintainer account anyway. If the maintainer account is compromised then gg for the whole distro. That’s what happens with other supply chain attacks as well and yes, I do think we need a way to fix that without compromising on ease of usability

                • CubitOom@infosec.pubEnglish
                  1·
                  7 days ago

                  We arnt talking about a distro maintainer, but an aur package maintainer, which can be anyone.

    • Lucy :3@feddit.org
      8·
      7 days ago

      By misusing the AUR and ignoring every warning telling you to read and understand the pkgbuild or don’t do it.

    • placebo@lemmy.zipEnglish
      11·
      7 days ago

      Tbf most major attacks we saw recently are cross-platform thanks to npm. AUR has always been a security risk.

    • Alaknár@sopuli.xyz
      5·
      7 days ago

      Wasn’t that long ago when I was downvoted to oblivion for saying that. Glad to see the community is maturing.