Linux

12455 readers

149 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago

MODERATORS

Ategon@programming.dev

anzo@programming.dev

dwraf_of_ignorance@programming.dev

New Rust Tool Traur Analyzes Arch AUR Packages for Hidden Risks (linuxiac.com)

submitted 2 weeks ago by cm0002@europe.pub to c/linux@programming.dev

3 comments fedilink hide all child comments

A new open-source tool, traur, written in Rust, has emerged for Arch users, aiming to improve security awareness in Arch Linux’s user-maintained software ecosystem by introducing automated trust scoring for AUR packages.

Traur analyzes installed or selected AUR packages and issues risk signals based on their build scripts, metadata, and past behavior. The main goal is to bring benefit to the Arch community by helping users decide how much to trust an AUR package before installing or updating it, all without running any code. And I can say that this is especially useful after several AUR packages were compromised last year.

you are viewing a single comment's thread
view the rest of the comments

[+] nimble@lemmy.blahaj.zone 15 points 2 weeks ago (2 children)

[deleted]

[–] BB_C@programming.dev 5 points 1 week ago* (last edited 1 week ago)

It's laughable before you even get to the code. You know, doing "eval bad" when all the build scripts are written in bash 🤣

There is also no protection for VCS sources (assuming no revision hash is specified) in makepkg (no "locking" with content hash stored). So, if an AUR package maintainer is malicious, they can push whatever they want from the source side. They actually can do that in any case obviously. But with VCS sources, they can do it at any moment transparently. In other words, your primary concern should be knowing the sources are coming from a trustable upstream (and hoping no xz-like fiasco is taking place). Checking if the PLGBUILD/install files are not fishy is the easier part (and should be done by a human). And if you're using AUR packages to the extent where this is somehow a daunting time-consuming task, then there is something wrong with you in any case.

Edit: That is not to say the author of the tool wouldn't just fit right in with security theater crowd. Hell, some of them even created whole businesses using not too dissimilar theater components.

@kadu@scribe.disroot.org

[–] kadu@scribe.disroot.org 4 points 1 week ago

Oh yikes, yeah, not touching this one