A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
  • ExLisper@lemmy.curiana.netEnglish
    82·
    10 hours ago

    it’s more like a bunch of community install scripts for stuff that isn’t officially supported yet - for popularity or other reasons.

    I’m looking at the list of affected packages and many of them are in official debian repos. Isn’t the issue then that the official Arch repositories don’t have many packages and people have to use less secure sources? That still sounds like an Arch issue to me.

    • HaraldvonBlauzahn@feddit.orgEnglish
      2·
      3 hours ago

      Isn’t the issue then that the official Arch repositories don’t have many packages …?

      Not at all. The official Arch distribution has tens of thousands of packages and the user repository / AUR probably more than 100,000 .

      Edit: I looked it up:

      • According to distrowatch.com, the Arch Linux distribution has over 17,000 packges by now
      • Meanwhile, the number of packages in the Arch User Repository is 114,000 .
    • flying_sheep@lemmy.mlEnglish
      7·
      9 hours ago

      Arch actually has a large amount of official packages. Maybe some of the packages you’re referring to are just slightly renamed or alternate versions?

      It’s possible that in some areas it has fewer packages of course (e.g. Debian might repackage a larger subset of PyPI as Python packages), but I need the AUR for very few things.

    • Billegh@lemmy.worldEnglish
      31·
      7 hours ago

      Just because there is an official package doesn’t mean someone can’t make an aur one with the same name, or with common misspelling.