
Arch Linux Malware Incident: Malicious Commits Found in 1,579 Packages (phoronix.com)

More than 1,500 user-contributed packages in the Arch Linux User Repository "AUR" were infected with malware, reports Phoronix: The last message in the thread over this security incident is noting that Arch Linux developers have deleted all the malicious commits they are aware of. Cited was this list that puts the number of malware-affected packages at 1,579...

Even at 1,579 packages listed, that final update noted, it's a "list containing many (but not all) of the affected packages".

Thanks to long-time Slashdot reader couchslug for sharing the report.


  • No reactions yet? My main question is which AI was used for so many attacks in such a short time.

    Think of all the criminal hackers who lost their jobs!

    (But I'm not actually curious enough to research which AI was used. I'd have to ask an AI, and I'm sure it would just say "It wasn't me!")

  • by julian67 ( 1022593 ) on Saturday June 13, 2026 @03:02PM (#66190490)

    AUR has been a rest home for abandoned and insecure packages for years. A lot of years. It makes Ubuntu's Universe and PPAs look like Fort Knox. Of course whenever anyone makes any less than positive comment about Arch the fanboys descend as a self-righteous, angry, stupid mob so stuff like this goes mostly undiscussed until the shit has hit the fan and been liberally distributed.

    • I have literally never seen anyone who uses Arch make any claims whatsoever about the AUR being a safe or secure place to get packages. It's a standard disclaimer to install packages from there at your own risk. Which is fine: Arch is not at all designed to be newbie friendly to begin with, so having an extended package universe that is "install at your own risk" is fine: you should use Arch iff you're very well aware of the risks of something like the AUR.
      • by AmiMoJo ( 196126 )

        Come on, one of the big draws of Linux is how easy it is to install and update your software. "Oh we never said it wasn't going to fuck your system up with malware" deserves a Powny prize.

        I'm just surprised this didn't happen earlier, and I'm someone who likes these software repos.

        • Come on, one of the big draws of Linux is how easy it is to install and update your software.

          yeah and if you've ever used pacman that is 100% true. We aren't talking about pacman here.

          "Oh we never said it wasn't going to fuck your system up with malware" deserves a Powny prize.

          AUR is explicitly a repo for user contributions. There is no signing, vetting, or anything - anyone who can read already knows this. Again you seem to be mixing up official Arch packages from official repos via pacman, versus building whatever shit I throw together in AUR with yay. Absolutely not the same thing.

          • by Bahbus ( 1180627 )

            There is no signing, vetting, or anything - anyone who can read already knows this.

            But there could, and probably should, be. It doesn't even have to be complex. Otherwise it's basically pointless for AUR to even exist.

      • Arch fanboi appears and argues against point I never made.

        Lol & Q.E.D.

    • by svx ( 764251 )
      as an Arch user, I couldn't care less - never used AUR, never will... when people install some crappy "community" software, they better deal with the consequences
  • "Many Eyes" is a good thing, but it's been oversold. Having coding AIs scan everything will probably work out better in the long run. We're only at the early days, coding AIs are also oversold in their own way, but it's a safe bet they will get better over time.
    • As a huge proponent of open source software, I no longer put much value in the "many eyes" argument. For me, the primary security advantage is the superior response time that many open source projects have to major vulnerabilities compared to their proprietary counterparts. Also, documentation and support are usually better for open source projects. Oh, and the feature set of mature open source projects is often better. Finally, if the owner/maintainer goes off the deep-end, there will likely be a fork
      • Like the other idiot, you repeat "many eyes" but forgot the rest of the sentence and what it actually applies to.

        In addition to not meaning the things you talk about, it also doesn't make you a sandwich.

    • The AIs are just MORE eyes looking at the code trying to find flaws. Whether the people behind those eyes use the flaws found to make the code better (by patching it) or worse (by exploiting them) is a matter of human nature.

    • If you only say, "Many Eyes" then you haven't established what the actual quote is. (And probably don't remember, assuming good faith. Although that's a poor assumption on slashdot, neckbeards making points they know are easily refuted is par here)

      If you say the rest of the sentence, then you find out it doesn't apply to the problem in this case; only to the solution having been effective once implemented. (ie, the packages were found and removed)

      Being able to find and fix a known bug (obviously) isn't a sh

  • Many eyes

    Are blind when everyone is indoctrinated into the same cult.
  • It happens in FOSS as well. Or rather, FOSS is 90% crap, just as anything is (by Sturgeon's law). The problem is that mainstream commercial software is closer to 100% crap these days.
