this post was submitted on 14 Jun 2026
170 points (95.2% liked)

Linux

66342 readers
307 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 7 years ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] tired_fedora@lemmy.ml 94 points 3 weeks ago* (last edited 3 weeks ago) (4 children)

TLDR: Open package repositories without some approval and oversight system, like AUR, will have even more problems in the future due to advanced coding AI and malicious ~~foreign~~ hackers.

Edit: Please normalize TLDR's on bot posts with just a link.

Edit 2: I have been rightfully informed that this is not a bot post. I still think links should not be posted without a tiny abstract, one might say: a TLDR.

I have also been informed that the text does not spell out "foreign". This is correct. The text does say

Not all of the packaging issues are as bad as the initial wave of trying to steal credentials, some are just adding ridiculous messages in Russian.

This implies but does not establish the nationality of attackers. While Arch has contributors from all over the world, it is commonly cited as being a Canadian distribution (example, see below). https://distrowatch.com/table-mobile.php?distribution=arch

[–] ScoffingLizard@lemmy.dbzer0.com 23 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

I remember the good ole days when nobody cared enough about Linux to spread malware to it. Sigh. All these techbros that need to j their d to their power trips, dystopian surveillance, and shitty AI companies have probably started this. I even noticed a Linux hate sub on Lemmy. Imagine there being enough people forced to use Linux to create a hate community where they favor Microslop. Such strange times we live in.

[–] SocialistVibes01@lemmy.ml 2 points 3 weeks ago

Time to GNU/BSD become a thing

[–] m532@lemmy.ml 18 points 3 weeks ago (1 children)

"Foreign hackers"

Foreign to who?

The article never said "foreign", you made that up.

[–] lavember@programming.dev 2 points 3 weeks ago

I guess if youre not from the US theyre "foreign"

[–] Calfpupa@lemmy.ml 12 points 3 weeks ago (1 children)
[–] tired_fedora@lemmy.ml 13 points 3 weeks ago (1 children)

Then they should've included a short TLDR even harder

load more comments (1 replies)
[–] excel@lemming.megumin.org 4 points 3 weeks ago

AUR is still working as intended. It’s basically a public wiki of shell scripts, it was never intended to be secure in the first place. It has always been the user’s responsibility to review everything or avoid using it.

[–] yesman@lemmy.world 45 points 3 weeks ago (6 children)

The command pacman -Qm will display every package from the AUR on your system. You can then search the list of compromised packages.

[–] HaraldvonBlauzahn@feddit.org 5 points 3 weeks ago* (last edited 3 weeks ago)

And don't forget that a system compromise means you need to re-install all in order to re-gain control of your system. Without the malware of course.

Edit: I see downvotes... Some people don't seem to understand why running malware permanently destroys a system's integrity. I do not have more time today - can somebody explain for me why?

[–] christian@lemmy.ml 4 points 3 weeks ago* (last edited 3 weeks ago)

To be clear, -Qm displays installed packages not currently in the repositories. This will include AUR packages, but I avoid the AUR (except for davmail years ago) every once in a while I'll run it just to check and sometimes it finds packages.

When you install things from the main repos the dependencies get installed too, and if those dependencies are no longer needed they'll be removed from the repositories. (I also have a bad habit of forgetting --asdeps when installing optional dependencies.) Sometimes they'll conflict with a new dependency and pacman will ask to remove and replace them, but other times the functionality has become a part of an existing package, so with no conflict to prompt removal they'll just sit unused on your install. If you haven't tried -Qm in a long while you'll probably find a few harmless currently-unused packages that were installed through the normal repos. (-Qdt will cover the other cases where dependencies remain in the repos but are now only needed for packages you don't have installed.)

Obviously -Qm will also show removed packages that aren't dependencies, a few years back my preferred pdf viewer was removed from the repositories.

-Qm will also find manually installed packages that aren't in the AUR if you ever do that.

[–] starshipwinepineapple@programming.dev 4 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

Here are some scripts that can help too

(Edit: apparently i need to say to read and understand what these scripts are doing before running them. If you don't understand what you're running then don't run them) https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14

[–] HaraldvonBlauzahn@feddit.org 6 points 3 weeks ago (1 children)

You suggest people to run more untrusted code in order to fix malware from untrusted code?

Is this a joke?

[–] 5ymm3trY@discuss.tchncs.de 3 points 3 weeks ago (12 children)

I haven't checked the scripts from OP, but i think there is a script that is provided by the CachyOS team that basically just contains a list of compromised packages and compares that to your pacman -Qm output. If it finds a match, it tells you that the compromized package X is on your system. That seems pretty reasonable.

I get your point and as always, you should check the source of the script as well as the code inside of it. Never installing anything outside of official OS repositories is probably not an option for most people. There are always pros and cons. Like in my example maybe some OS maintainers know more about the affected packages than I do with a quick search. On the other hand, the script might be outdated because the number of packages changed a lot over the last few days.

load more comments (12 replies)
load more comments (1 replies)
load more comments (3 replies)
[–] communism@lemmy.ml 38 points 3 weeks ago (1 children)

What an annoyingly uninformative title. Better title: a lot more compromised AUR packages have been found since our last update.

"A lot worse" is intentionally vague to get people to click.

load more comments (1 replies)
[–] GaumBeist@lemmy.ml 21 points 3 weeks ago (1 children)

At least some level of human review is going to be needed.

So... completely negating the point of a User Repository??? Introduce some kind of authoritative oversight, and it's essentially just another regular repository, erasing all the benefits of the AUR. The whole point of the distro slapping a huge disclaimer of "DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk." at the top of the homepage is because these kind of compromises are the trade-off one makes

[–] HaraldvonBlauzahn@feddit.org 3 points 3 weeks ago

Anyone can publish his PKGBUILD script on their codeberg or github page.

[–] SocialistVibes01@lemmy.ml 13 points 3 weeks ago (6 children)

Me, a Debian user, watching that shitshow 😎

[–] f3nyx@lemmy.ml 18 points 3 weeks ago (3 children)

Debian users should receive their news 6-12 months after everyone else, change my mind

/s

[–] PushButton@lemmy.world 11 points 3 weeks ago (4 children)

Some people likes tested and stable software. It's weird.

[–] HaraldvonBlauzahn@feddit.org 4 points 3 weeks ago

Don't forget that all the Arch users are doing a good part of that testing, too. Arch is a boon to Linux in general.

load more comments (3 replies)
[–] GaumBeist@lemmy.ml 5 points 3 weeks ago* (last edited 3 weeks ago)

That's optimistically quick

Sincerely,

A Debian user

[–] ATS1312@lemmy.dbzer0.com 3 points 3 weeks ago

Should? Don't you mean already do?

[–] DasSkelett@discuss.tchncs.de 9 points 3 weeks ago (2 children)

Huh, you really feel schadenfreude over another reputable project being hit by/having to deal with malware? And all the people who might be affected by it?

That is not something that would ever cross my mind.

load more comments (2 replies)
[–] SocialistVibes01@lemmy.ml 4 points 3 weeks ago* (last edited 3 weeks ago)

Whoa, this is blowing up. Chill, guys. I really think that sucks. If anything, with Arch being bleeding edge and all of that, at least you're showing early the tough wake up the other distros will have to do in relation to malware after Linux' increasing popularity. Time to brush those SELinux and apparmor bits, even.

But, now, we Debian users are okay, (btw, 😎).

[–] Holytimes@sh.itjust.works 4 points 3 weeks ago (4 children)

Upside to Debian! Never have to worry about shit like this. Downside to Debian, you have to use Debian.

load more comments (4 replies)
[–] myszka@lemmy.ml 3 points 3 weeks ago* (last edited 3 weeks ago)

Me, a NixOS user, watching folks fighting over a bunch of legacy distros 😎😎😎

[–] prole@lemmy.blahaj.zone 3 points 3 weeks ago (2 children)

Nothing says "socialist vibes" like gloating over other Linux users

load more comments (2 replies)
[–] VirtuePacket@lemmy.zip 12 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

I think I'd be satisfied with just not allowing people to take over orphaned packages. That seems like a glaring attack vector and closing it would not harm the AUR in any way.

And yea, arch (and its derivatives) probably should not ship with AUR helpers pre-installed.

[–] Kazel@lemmy.dbzer0.com 15 points 3 weeks ago* (last edited 3 weeks ago) (3 children)

arch doesn't ship an aur helper pre installed. It's the derivates leeching the arch aur infrastructure and preinstalling aur helpers suggesting it's safe to use as is

load more comments (3 replies)
[–] sonalder@lemmy.ml 12 points 3 weeks ago* (last edited 3 weeks ago) (3 children)

AUR has never been a good idea. I don't use it and this news proved me right.

Does that mean a distro official package manager would be immune to infections? Of course not, but they do offer a more secure distribution system and build greater trust. Minimizing the chance of malware being spread through their means.

Edit: If you have the knowledge and time to inspect the AUR packages you install, AUR might be good for you. I have none of these, that's why I stick to my official distro packages (and sometimes also some flatpak but from official sources)

[–] communism@lemmy.ml 15 points 3 weeks ago (1 children)

It's just a repository of user-contributed packages. It's no different malware-ability-wise to, say, GitHub. If you are running code you found from a stranger on the internet then you are liable for it, and you need to do your due diligence in checking that you are not running malware. It is a good thing that the AUR exists because it means Arch user packages are all in one centralised repository instead of scattered across GitHub, Sourceforge, Codeberg, Pastebin, forums, whatever. If you are just installing random AUR packages then that's on you. It's basic internet safety to not automatically trust random scripts you find on the internet.

[–] sonalder@lemmy.ml 2 points 3 weeks ago (2 children)

I never said that GitHub was better. I just don't feel like using a package maintained by a stranger with no tied to neither the software I want to install nor the distribution packages repository.

Of course installing random code from stranger is never great advice regardless of the distribution source. But AUR is simply not for me, and many users don't understand the risk or let's say responsabilities it involves while installing packages from that source.

load more comments (2 replies)
[–] HaraldvonBlauzahn@feddit.org 5 points 3 weeks ago* (last edited 3 weeks ago) (3 children)

AUR has never been a good idea. I don’t use it and this news proved me right.

But is Arch sufficiently complete without AUR packages? It is being criticized - and rightly so - that the magnificient Arch Wiki is full of references to AUR packages. That could in fact mislead new users.

I am an happy Arch user, since about ten years... But I use it differently. I am running Debian stable on the hardware, which has all the drivers I need (after getting rid of NVidia graphics, which was just a mistake to buy). I use Debian for my work / office / productivity system, to read email, and so on.

But for some stuff, I need newer software: For trying out new features or libraries (I am a developer). For testing out new window managers. Leisure programming. And so on. I use Arch for this. After a few years of dual booting (which caused occasional breakage), I settled on running Arch in a VM. Which works fine for me.

And the last shift I am experiencing is that I use more and more the Guix package manager. The reason for this is that when one tries out a lot of things, and does only system upgrades for many years (which means not doing a reinstall, but replacing the oldstable packages with the newer stable packages), the system becomes a bit untidy over time. Old packages, scripts, and configurations accumulate, and it is hard to get rid of it without breaking things, because one just cannot delete everything one does not remember what it was needed for. And there is so much stuff in software that, after all, turns out to be not such a good idea. Yes, a fresh OS install leaves a tidy system, but it would cost a few days. (By the way, accumulating cruft in the long term is also somewhat of an disadvantage of rolling release distros.)

Now, Guix solves that, because I have a temporary, deterministic environment for every programming project (just like a Python venv). And by this way, stuff does not contaminate the base system, and is garbage collected when it is not used any more.

And, Guix has quite recent packages, similar to Arch.

Now I use Arch less and less.

[–] sonalder@lemmy.ml 3 points 3 weeks ago (5 children)

Is Guix the GNU approach to NixOS?

load more comments (5 replies)
load more comments (2 replies)
[–] HaraldvonBlauzahn@feddit.org 4 points 3 weeks ago

Minimizing the chance of malware being spread through their means.

Right. And there is another angle to that: It is far easier to turn an ecosystem into a breeding ground for malware, than to get rid of it again. Once a system has a reputation to be easily hackable, it attracts malware like spoiled meat attracts flies.

[–] nek0d3r@midwest.social 5 points 3 weeks ago (1 children)

Now's our chance, it's time for a hostile takeover from my fellow "i use nix btw"s!

load more comments (1 replies)
[–] MonkderVierte@lemmy.zip 4 points 3 weeks ago (1 children)

But why? Arch isn't a server distro and their users usually know how to keep their secrets save. A FUD campaign?

[–] Holytimes@sh.itjust.works 3 points 3 weeks ago

Sometimes it's as simple as "because they can".

They can do this so they did. Its likely no deeper then that.

[–] roserose56@lemmy.zip 2 points 3 weeks ago (1 children)

Where at "I use Arch btw" now?

[–] fxdave@lemmy.ml 14 points 3 weeks ago

I use arch btw, it's only effecting the arch user repository, which lives separately from the maintained repositories, it's not even possible to download stuff from there with pacman. Really it's just a community space, I also have packages there. You can download pre-packaged apps, so if you install them, you will be able to remove them with pacman. I think it's a great concept.

it's like a forum where some jerk writes "use 'sudo rm -rf /' to speed up the computer". Except you don't have to read it to execute their plan.

Flathub is also concerning btw. But at least those apps are containers (with too much permissions)

[–] daggermoon@piefed.world 2 points 3 weeks ago

Is the Chaotic-AUR a viable alternative? As I understand, there is some level of review.

load more comments
view more: next ›