Arch Linux Malware Incident: Malicious Commits Found in 1,579 Packages (phoronix.com) 43
More than 1,500 user-contributed packages in the Arch Linux User Repository "AUR" were infected with malware, reports Phoronix:
The last message in the thread over this security incident is noting that Arch Linux developers have deleted all the malicious commits they are aware of. Cited was this list that puts the number of malware-affected packages at 1,579...
Even at 1,579 packages listed, that final updated noted, it's a "list containing many (but not all) of the affected packages".
Thanks to long-time Slashdot reader couchslug for sharing the report.
Even at 1,579 packages listed, that final updated noted, it's a "list containing many (but not all) of the affected packages".
Thanks to long-time Slashdot reader couchslug for sharing the report.
Talk about a productivity boost from AI (Score:2)
No reactions yet? My main question is which AI was used for so many attacks in such a short time.
Think of all the criminal hackers who lost their jobs!
(But I'm not actually curious enough to research which AI was used. I'd have to ask an AI, and I'm sure it would just say "It wasn't me!")
Re: (Score:2)
No reactions yet? My main question is which AI was used for so many attacks in such a short time.
This "attack" does not require technical competence or "AI" for automation. Allowing volunteers to take ownership of existing "AUR" packages may have had good intentions, but it was also an invitation for the scum to abuse this mechanism to spread malware to less cautious AUR users. There is a reason why the official Arch packages are not as easily handed to the first one to offer maintenance.
AUR (Score:4, Interesting)
AUR has been a rest home for abandoned and insecure packages for years. A lot of years. It makes Ubuntu's Universe and PPAs look like Fort Knox. Of course whenever anyone makes any less than positive comment about Arch the fanboys descend as a self-righteous, angry, stupid mob so stuff like this goes mostly undiscussed until the shit has hit the fan and been liberally distributed.
Re: (Score:2)
Re: (Score:3)
Come on, one of the big draws of Linux is how easy it is to install and update your software. "Oh we never said it wasn't going to fuck your system up with malware" deserves a Powny prize.
I'm just surprised this didn't happen earlier, and I'm someone who likes these software repos.
Re: (Score:3)
Come on, one of the big draws of Linux is how easy it is to install and update your software.
yeah and if you've ever used pacman that is 100% true. We aren't talking about pacman here.
"Oh we never said it wasn't going to fuck your system up with malware" deserves a Powny prize.
AUR is explicitly a repo for user contributions. There is no signing, vetting, or anything - anyone who can read already knows this. Again you seem to be mixing up official Arch packages from official repos via pacman, versus building whatever shit I throw together in AUR with yay. Absolutely not the same thing.
Re: (Score:2)
There is no signing, vetting, or anything - anyone who can read already knows this.
But there could, and probably should, be. It doesn't even have to be complex. Otherwise it's basically pointless for AUR to even exist.
Re: (Score:2)
Re: (Score:2)
Signing isn't the only way to add some level of security and/or accountability.
Re: (Score:2)
Arch fanboi appears and argues against point I never made.
Lol & Q.E.D.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Coding AI vs "Many Eyes" (Score:3)
Re: (Score:2)
Re: (Score:2)
Like the other idiot ...
Look up the concepts proactive and reactive and then reconsider who is the idiot in this conversation.
Re: (Score:2)
As a huge proponent of open source software, I no longer put much value in the "many eyes" argument.
OK, well you're alone in that, because every software company has telemetrics of some sort or another to take advantage of the many eyes (users) and getting reports from them.
Re: (Score:3)
The AI s are just MORE eyes looking at the code trying to find flaws. Whether the people behind those eyes use the flaws found to make the code better (by patching it) or worse (by exploiting them) is a matter of human nature.
Re: (Score:2)
Proactive rather than reactive (Score:2)
If you only say, "Many Eyes" then you haven't established what the actual quote is.
Don't need to, it's common knowledge for the audience this article applies to. Those interested in an obscure Linux distro.
]it doesn't apply to the problem in this case
Nope. Automated AI scans will do better, which is the point of the comment. Imagine if all commits were scanned by AI, perhaps the attack would have been found at the first attempt, and rejected, and 1500 packages would not have been compromised.
Here are some new concepts for you: proactive, reactive.
Re: (Score:2)
When you get the meaning wrong, then yes, it's only you to go back and learn what the actual thing was, instead of just pointing at it's memory.
it's common knowledge for the audience
Indeed, that's why your misunderstanding stood out so clearly...
Re: (Score:2)
The fact remains, AI scanning as part of a commit or merge process will be beneficial. It gets us closer to what was promised so many decades ago. When the Linux community was far more tech
Re: (Score:2)
I am quite familiar with the "promise" of many eyes.
Not only do you not understand it, but even when you're informed that you misunderstood you still don't go and refresh your memory.
That personality flaw means you're going to be a complete idiot on every single topic, you'll always be wrong about everything because you think you have a perfect memory. But you actually have a human memory, which means it's not reliable enough to lean on.
Re: (Score:2)
I am quite familiar with the "promise" of many eyes.
Not only do you not understand it, but even when you're informed that you misunderstood you still don't go and refresh your memory.
That personality flaw means you're going to be a complete idiot on every single topic, you'll always be wrong about everything because you think you have a perfect memory. But you actually have a human memory, which means it's not reliable enough to lean on.
Yet another bad guess. They just keep piling up.
Re: (Score:2)
"Many Eyes" is a good thing, but it's been oversold.
Who said that files on AUR were reviewed by "many eyes"? AUR is specifically a repository for software only very few people want to install, so it is not unlikely that you are the only one to review an AUR build script (after the uploader).
Having coding AI's scan everything will probably work out better in the long run. We're only at the early days, coding AI are also oversold in they own way, but it's a safe bet they will get better over time.
The many "security issues" LLM based bots have recently found were programming bugs that nobody intended to hide - but which were non-obvious enough that they slipped through normal reviews. I would not expect contemporary "AI tools" to find malware that has been intentio
Re: (Score:2)
"Many Eyes" is a good thing, but it's been oversold.
Who said that files on AUR were reviewed by "many eyes"?
So the "many eyes" of open source legend is false? It doesn't really happen. Open source devs just link in libraries without reviewing the code, just like those evil closed source devs do?
Re: (Score:2)
There are certainly also "open source devs" that irresponsibly include libraries from wherever, but that is a completely different topic unrelated to AUR. And unlike for closed source, in both scenarios us
Re: (Score:2)
(2) Closed source code is also sometimes available for review. Closed source sometimes has two types of license, binary and source, The source license often being more expensive. Like open source, a closed source licensee has access to the source code and the ability to modify, build, and distribute a binary. They do not have the right to distribute the source code. What open source and closed source license both do is let a user of 3rd par
Many eyes (Score:4, Insightful)
Re: (Score:2)
If we want to talk about indoctrination, we could ask why the title of this article is "Arch Linux Malware Incident". That is as misleading as if somebody wrote an article about "Slashdot Malware Incident" just because some commenter posted base64-encoded viruses in
Somebody got sloppy (Score:1)
It happens in FOSS as well. Or rather, FOSS is 90% crap, just as anything is (by Sturgeon's law). The problem is that mainstream commercial software is closer to 100% crap these days.
Re: (Score:2)
The AUR is lazy and poorly implemented. Arch users fall broadly into two categories: those who would never use AUR because it cannot be trusted and those who freely use AUR because they trust that the submitters are all other Arch users with no malicious intent. For the former, AUR is useless to exist. For the latter, AUR is a field of landmines.
Arch sucks, in general, because starting bare-bones and building up your entire OS is stupid. I'm all for modularity and being able to customize everything, and onl