• pbsds@lemmy.ml
    31·
    3 hours ago

    Comparing the AUR to nixpkgs is like comparing the NUR and random flakes to the main Arch repositories.

    Had the AUR been prefixing the package names with the maintainer name like the NUR does, then it would not be possible to do the orphan adoption attack at the same scale. (Instead a bunch of duplicates with higher version numbers would pop up, prompting users to switch)

      • Ooops@feddit.org
        4·
        2 hours ago

        Well… People finding and disclosing security flaws are often much closer to hackers than what happened with the AUR.

        Calling people adopting outdated and orphanded packages hackers is like calling the guy that finds a banknote on the ground a bankrobber.

  • RustyNova@lemmy.world
    1421·
    17 hours ago

    As a nix user, I wouldn’t laugh. We are vulnerable to this type of attack as well.

    Heck, it’s surprising we aren’t full of malware considering how many packages there are, and an easy supply chain attack vector with auto RyanTM PRs.

    • Kronusdark@lemmy.worldEnglish
      30·
      17 hours ago

      Yea. especially if you use flakes heavily. It’s so decentralized it could take longer to catch.

    • juipeltje@lemmy.world
      12·
      17 hours ago

      It’s possible, but at the very least someone glances over the derivation since it’s part of the actual nixpkgs repo right? AUR on the other hand is a wild west.

      • kevincox@lemmy.ml
        4·
        11 hours ago

        Yes, on one hand every commit to nixpkgs needs review (to some degree) on the other hand there are far too many committers to nixpkgs.

        There are also gaps such as the bots to auto-merge packages with maintainer approval, so a simple attack looks like this:

        1. Submit a package with you as a maintainer.
        2. Create a new GitHub account and send a malicious update to that package.
        3. Use a bot to merge with maintainer approval.

        So nixpkgs is better than the AUR, but it isn’t great and unlike Arch has no separate official repos.

      • RustyNova@lemmy.world
        13·
        16 hours ago

        Yeah if the url is https://i_hack.you/ yeah that will be easy to spot. But imagine an attacker just to a “patch update”, updating the url and hash to the malicious repository, and use a typo squatted domain/repository, that will make it harder to spot.

        • moonpiedumplings@programming.dev
          11·
          15 hours ago

          No, it would actually be quite easy to spot.

          Nixpkgs templates the source code url fro the url, and then it injects a variable

          Here is an example from bash:

          pname = "bash${lib.optionalString interactive "-interactive"}";
    version = "5.3${fa.patch_suffix}";
    patch_suffix = "p${toString (builtins.length upstreamPatches)}";

    src = fetchurl {
      url = "mirror://gnu/bash/bash-$%7Blib.removeSuffix fa.patch_suffix fa.version}.tar.gz";
      hash = "sha256-DVzYaWX4aaJs9k9Lcb57lvkKO6iz104n6OnZ1VUPMbo=";
    };

          If the url were to be changed, it would show up as a change in git when someone is reviewing before merging.

    • danhab99@programming.devOP
      215·
      17 hours ago

      I don’t see how it would happen. Nix is immune bc hashes are constantly checked, you can’t swap in malicious code without a person noticing bc it might throw a mismatched hash error. Also nixpkgs has been really good about vetting packages, I don’t expect them to look too closely into the source codes of everything but if something malicious were to happen like what is happening to AUR someone would see it way faster

      • RustyNova@lemmy.world
        23·
        16 hours ago

        The AUR attack attacked the build files. On nix, you could easily set a new download url for the package, set the new hash, and claim the project has moved to a new repo/site.

        That would require a second person to vet on it, but it could be seen as normal for a maintainer not in the know about the project.

        New packages are harder to pass, but it could also work.

  • sudoMakeUser@sh.itjust.works
    54·
    17 hours ago

    I remember when, I think it was either a log4j or CUPS malware attack, Debian remained unaffected because the packages in its repos was too old.

  • [object Object]@lemmy.ca
    39·
    17 hours ago

    AUR: it happened to me, and one day it will happen to you!

    This is still the shai hulud worm.

    There’s no reason nixpkgs hasn’t been hacked yet. It jest depends on a few devs credentials being stolen, either by vscode, an npm package, a pypi dep, etc.

  • Scipitie@lemmy.dbzer0.com
    213·
    17 hours ago

    Running both … Nixpkgs will rightfully laugh about this - in about a month once they caught up on recent events.

    Loving both arch and nixos though!

    • Something Burger 🍔@jlai.lu
      3·
      12 hours ago

      They’re already laughing in master, it will be merged to stable right after the current stable branch is fixed because half of packages fail to build (again).

  • mlg@lemmy.worldEnglish
    91·
    15 hours ago

    COPR: “You guys are actually sharing your packages with other people?”

      • bryndos@fedia.io
        1·
        3 hours ago

        Can you add aur to pacman?

        I didn’t think you could, but TBH I only use arch on the side ( or by the way , if you will) mostly debian. I dunno i’d want to put aur into pacman even if i knew how.