Now's our chance, it's time for a hostile takeover from my fellow "i use nix btw"s!
this post was submitted on 14 Jun 2026
149 points (95.7% liked)
Linux
65827 readers
1157 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 7 years ago
MODERATORS
I am actually enjoying most of it, yeah.
What an annoyingly uninformative title. Better title: a lot more compromised AUR packages have been found since our last update.
"A lot worse" is intentionally vague to get people to click.
Vagueposting clickbait? On the internet!? For views and clicks!?! The website is AIDS it's so full of ads!?
At least some level of human review is going to be needed.
So... completely negating the point of a User Repository??? Introduce some kind of authoritative oversight, and it's essentially just another regular repository, erasing all the benefits of the AUR. The whole point of the distro slapping a huge disclaimer of "DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk." at the top of the homepage is because these kind of compromises are the trade-off one makes
Anyone can publish his PKGBUILD script on their codeberg or github page.
I think I'd be satisfied with just not allowing people to take over orphaned packages. That seems like a glaring attack vector and closing it would not harm the AUR in any way.
And yea, arch (and its derivatives) probably should not ship with AUR helpers pre-installed.
arch doesn't ship an aur helper pre installed. It's the derivates leeching the arch aur infrastructure and preinstalling aur helpers suggesting it's safe to use as is
It’s the derivates leeching the arch aur infrastructure and preinstalling aur helpers suggesting it’s safe to use as is.
So, Arch users do not depend on AUR? If so, that's easy to fix. Just delete any mention of AUR from the Arch wiki.
The Arch Wiki describes the AUR in plain terms: it's a user-submitted community repository of software, not warranted to be safe or even vetted by Arch maintainers, packaged to be friendly with pacman.
If you're doing things the "Arch way" the differences between the AUR and officially supported packages should be obvious, and you should at the very least skim the PKGBUILD files to understand where things are coming from and how they work.
Me, a Debian user, watching that shitshow 😎
Me, a NixOS user, watching some folks fighting over a bunch of legacy distros 😎😎😎
Whoa, this is blowing up. Chill, guys. I really think that sucks. If anything, with Arch being bleeding edge and all of that, at least you're showing early the tough wake up the other distros will have to do in relation to malware after Linux' increasing popularity. Time to brush those SELinux and apparmor bits, even.
But, now, we Debian users are okay, (btw, 😎).
Debian users should receive their news 6-12 months after everyone else, change my mind
/s
Some people likes tested and stable software. It's weird.
Don't forget that all the Arch users are doing a good part of that testing, too. Arch is a boon to Linux in general.
Out of date and stable software you mean.
Honestly, not even stable. Just arbitrarily frozen. Oftentimes with later releases having bugfixes that the user won't see for another few years.
Did you try TeX 3.14792 ?
That's optimistically quick
Sincerely,
A Debian user
Should? Don't you mean already do?
Upside to Debian! Never have to worry about shit like this. Downside to Debian, you have to use Debian.
More like: Upside to Debian, you never have to worry about the latest malware and bugs! Downside to Debian, you have to use yesterday's everything…
load more comments
(2 replies)
Nothing says "socialist vibes" like gloating over other Linux users
Using Linux is not a dick measuring contest (and man I hate these threads asking "why is your distro the best?" - it feels like trolling and sowing division and grief to me. A bit like asking a mother "What is your favorite child?".)
But apart from that, I think we can all agree that security of AUR packages is no good enough, and that this deficit is by design.
load more comments
(1 replies)
Huh, you really feel schadenfreude over another reputable project being hit by/having to deal with malware? And all the people who might be affected by it?
That is not something that would ever cross my mind.
load more comments
(2 replies)
TLDR: Open package repositories without some approval and oversight system, like AUR, will have even more problems in the future due to advanced coding AI and malicious ~~foreign~~ hackers.
Edit: Please normalize TLDR's on bot posts with just a link.
Edit 2: I have been rightfully informed that this is not a bot post. I still think links should not be posted without a tiny abstract, one might say: a TLDR.
I have also been informed that the text does not spell out "foreign". This is correct. The text does say
Not all of the packaging issues are as bad as the initial wave of trying to steal credentials, some are just adding ridiculous messages in Russian.
This implies but does not establish the nationality of attackers. While Arch has contributors from all over the world, it is commonly cited as being a Canadian distribution (example, see below). https://distrowatch.com/table-mobile.php?distribution=arch
"Foreign hackers"
Foreign to who?
The article never said "foreign", you made that up.
load more comments
(1 replies)
I remember the good ole days when nobody cared enough about Linux to spread malware to it. Sigh. All these techbros that need to j their d to their power trips, dystopian surveillance, and shitty AI companies have probably started this. I even noticed a Linux hate sub on Lemmy. Imagine there being enough people forced to use Linux to create a hate community where they favor Microslop. Such strange times we live in.
load more comments
(1 replies)
load more comments
(5 replies)
AUR has never been a good idea. I don't use it and this news proved me right.
Does that mean a distro official package manager would be immune to infections? Of course not, but they do offer a more secure distribution system and build greater trust. Minimizing the chance of malware being spread through their means.
Edit: If you have the knowledge and time to inspect the AUR packages you install, AUR might be good for you. I have none of these, that's why I stick to my official distro packages (and sometimes also some flatpak but from official sources)
It's just a repository of user-contributed packages. It's no different malware-ability-wise to, say, GitHub. If you are running code you found from a stranger on the internet then you are liable for it, and you need to do your due diligence in checking that you are not running malware. It is a good thing that the AUR exists because it means Arch user packages are all in one centralised repository instead of scattered across GitHub, Sourceforge, Codeberg, Pastebin, forums, whatever. If you are just installing random AUR packages then that's on you. It's basic internet safety to not automatically trust random scripts you find on the internet.
I never said that GitHub was better. I just don't feel like using a package maintained by a stranger with no tied to neither the software I want to install nor the distribution packages repository.
Of course installing random code from stranger is never great advice regardless of the distribution source. But AUR is simply not for me, and many users don't understand the risk or let's say responsabilities it involves while installing packages from that source.
I agree about the risks in terms of the way some sources present the AUR as just extra packages. But I don't think you can object to the AUR more than any other place on the internet where anyone can upload software; unfortunately, the onus is going to be on the user to verify what they install. The AUR is moderated by volunteers and it wouldn't be fair to expect them to vet all of the high volume of commits to the AUR. Possibly they could vet new maintainers or new packages or newly adopted packages, but nothing would stop someone from initially uploading a genuine package and then replacing it with something malicious. Or they could require identity verification to be an AUR maintainer but then far fewer genuine packages would be on there because people don't want to give their real identity to contribute (I maintain some AUR packages, and would stop if required to verify my IRL identity).
I can totally understand if the AUR is not for you; it's more time-consuming as you have to read PKGBUILDs (I always do). But that doesn't make it bad that it exists at all. I think there should be more warnings about it for new users, and possibly some more moderation, though like I said above there's no perfect moderation solution that would simultaneously forgo users' responsibility to check and keep the AUR as large as it is today. Ultimately the option should still exist for users who want it. If it didn't exist, I'd have to hand-package every program that's not in the official repos, and that's even more time-consuming than pulling and reading through a PKGBUILD that someone else already wrote and shared.
I never said that GitHub was better.
It is arguably harder to take over a package from github or Codeberg.
You could also serve your PKGBUILD from a Gemini server (the Gemini small-web protocol, not the Google AI which is really easy to administer and secure), and sign it with a PGP key. That would be about as secure without depending on a huge US American company.
AUR has never been a good idea. I don’t use it and this news proved me right.
But is Arch sufficiently complete without AUR packages? It is being criticized - and rightly so - that the magnificient Arch Wiki is full of references to AUR packages. That could in fact mislead new users.
I am an happy Arch user, since about ten years... But I use it differently. I am running Debian stable on the hardware, which has all the drivers I need (after getting rid of NVidia graphics, which was just a mistake to buy). I use Debian for my work / office / productivity system, to read email, and so on.
But for some stuff, I need newer software: For trying out new features or libraries (I am a developer). For testing out new window managers. Leisure programming. And so on. I use Arch for this. After a few years of dual booting (which caused occasional breakage), I settled on running Arch in a VM. Which works fine for me.
And the last shift I am experiencing is that I use more and more the Guix package manager. The reason for this is that when one tries out a lot of things, and does only system upgrades for many years, the system becomes a bit untidy. Old packages, scripts, and configurations accumulate, and it is hard to get rid of it without breaking things. And there is so much stuff in software that, after all, turns out to be not such a good idea. Yes, a fresh OS install leaves a tidy system, but it would cost a few days. (By the way, accumulating cruft in the long term is also somewhat of an disadvantage of rolling release distros.)
Now, Guix solves that, because I have a temporary, deterministic environment for every programming project (just like a Python venv). And by this way, stuff does not contaminate the base system, and is garbage collected when it is not used any more.
And, Guix has quite recent packages, similar to Arch.
Now I use Arch less and less.
Is Guix the GNU approach to NixOS?
So if nixos is the new I use arch btw is guix the new I use nixos btw?
Lol
Nah, Guix is dead simple to use. I even trained my pet octopus to build Guix packages after it got bored with the underwater piano :)
Yes! And everything is based on hashed source code - this guarantees long-term reproducibility, avoids vendor-lock-in with proprietary binaries and drivers (and that's why some companies hate it), but above all makes much easier to inspect what is in a package.
Interesting, unfortunately I still rely on proprietary binaries but I could try it on a secondary device. Reproducibility is one of the reason I chose to learn NixOS.
Yeah you can go with Nix then.
But it is not by chance that Linux is based on Open Source hardeare support. The alternative is something like MacOS.
load more comments
(2 replies)
load more comments
(1 replies)
The command pacman -Qm will display every package from the AUR on your system. You can then search the list of compromised packages.
load more comments
(21 replies)
view more: next ›