Bhahahahaha - /g/ (#105960259) [Archived: 141 hours ago]

Anonymous
7/19/2025, 10:41:25 PM No.105960259
>The absolute fucking state of Linux

https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/7EZTJXLIAQLARQNTMEW2HBWZYE626IFJ/
Replies: >>105960288 >>105960339 >>105960451 >>105960780 >>105960971 >>105961014 >>105961330 >>105961408 >>105961434 >>105961595 >>105961630 >>105961667 >>105962545 >>105962545 >>105963020 >>105963025 >>105963188 >>105963360 >>105963441 >>105963550 >>105964302 >>105964487 >>105964696 >>105966197 >>105966419 >>105967807
Anonymous
7/19/2025, 10:44:46 PM No.105960288
>>105960259 (OP)
brave chads can't stop winning
Replies: >>105961231
Anonymous
7/19/2025, 10:48:00 PM No.105960310
>We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.

What are the necessary measures?
Replies: >>105960342 >>105960352 >>105960937 >>105963460 >>105964356
Anonymous
7/19/2025, 10:48:39 PM No.105960314
mfw when I run Windows instead and haven't installed updates for 3 years.
Anonymous
7/19/2025, 10:50:13 PM No.105960323
reminds me of the xz back-door that got archtroons last year
Replies: >>105961579
Anonymous
7/19/2025, 10:52:45 PM No.105960339
>>105960259 (OP)
>AUR
not my problem with official Debian repo for Librewolf
Replies: >>105962938
Anonymous
7/19/2025, 10:52:53 PM No.105960342
>>105960310
Backup, reformat, reinstall, pray to god that your BIOS/UEFI isn't permanently fucked.
Replies: >>105961272 >>105963056
Anonymous
7/19/2025, 10:54:08 PM No.105960352
>>105960310
Delete every social/work related account, and then remove and dissolve the hard drive and the motherboard in acid
Anonymous
7/19/2025, 11:04:48 PM No.105960451
>>105960259 (OP)
One must be extra retarded to install these literally who sus packages. Its like
>Find a AUR pack named firefox-AIDS-bin
>Made two days ago by a random fag
>Go ahead and install it anyway
>Get Arch AIDS
>WOOOOOWWWW
Its mostly a nothingburger, but Im sure some retards went ahead and installed them without looking into it. Using AUR requires common sense.
Also, the community detected that shit pretty fast, so AUR is doing alright.
However, if Linux popularity increases, then AUR will become more vulnerable, so Archtroons will need to come up with some ideas to secure AUR. The vigilant eye of the community can only be vigilant to an extent
Replies: >>105961350 >>105961393 >>105961410 >>105964479 >>105964674
Anonymous
7/19/2025, 11:12:11 PM No.105960504
that's what you get for using operating systems ran by hobbyists and volunteers
Anonymous
7/19/2025, 11:18:00 PM No.105960541
This kills Arch Linux
Anonymous
7/19/2025, 11:20:18 PM No.105960558
linux desktop is dying.
Replies: >>105961282
Anonymous
7/19/2025, 11:50:08 PM No.105960780
>>105960259 (OP)
I will remind this fact to loontroons the next time they call old windows "insecure".
Replies: >>105960983 >>105961325
Anonymous
7/20/2025, 12:10:10 AM No.105960937
>>105960310
TN: the needful
Anonymous
7/20/2025, 12:14:26 AM No.105960968
maybe linux devs should think about security as much as they think about their genitals
Anonymous
7/20/2025, 12:14:37 AM No.105960971
>>105960259 (OP)
Are AUR packages audited before being accepted to the repository?
Replies: >>105961126 >>105961231
Anonymous
7/20/2025, 12:15:46 AM No.105960983
>>105960780
old windows doesn't receive security updates, so the vulnerabilities remain there
Replies: >>105961730
Anonymous
7/20/2025, 12:18:48 AM No.105961014
>>105960259 (OP)
This is only an issue if you explicitly installed them right? They didn't hack the maintainer of some already existing package and replace it with malware right? It was new stuff uploaded by a literally who new user out of nowhere?
Replies: >>105961126 >>105961370
Anonymous
7/20/2025, 12:30:23 AM No.105961126
>>105960971
No, why would they be.
>>105961014
Yes you would have to be a massive retard to be affected.
Anonymous
7/20/2025, 12:40:21 AM No.105961231
>>105960288
>>105960971
No and that is advertised heavily.
Using the is as secure as downloading from rando websites
Anonymous
7/20/2025, 12:44:16 AM No.105961272
>>105960342
>pray to god that your BIOS/UEFI isn't permanently fucked
wait they can do that ?
Replies: >>105961312
Anonymous
7/20/2025, 12:45:16 AM No.105961282
>>105960558
wrong, it just went over 5% in the US
Replies: >>105964644
Anonymous
7/20/2025, 12:48:10 AM No.105961312
>>105961272
With root access, of course.
Anonymous
7/20/2025, 12:49:57 AM No.105961325
>>105960780
You can install malware even on the latest version of windows if you want.
Replies: >>105961605 >>105961730
Anonymous
7/20/2025, 12:50:21 AM No.105961330
>>105960259 (OP)
People that have no idea what the AUR is are gonna shitpost this to death for the next few weeks. This isn't even the first time just the most recent.
Anonymous
7/20/2025, 12:50:30 AM No.105961334
Why the fuck does Arch exist?
Anonymous
7/20/2025, 12:52:03 AM No.105961350
>>105960451
How about just don't use aur if you don't know how to audit the files. You aren't even gonna get support if you use aur.
Replies: >>105961369
Anonymous
7/20/2025, 12:54:18 AM No.105961369
>>105961350
People usually download AUR pacs because they are "ricing up" their Arch experience, which is not only stupid, but a waste of time. If you want to use AUR, use it only for official shit
Anonymous
7/20/2025, 12:54:22 AM No.105961370
>>105961014
Yeah. It only got you if you installed these packages, which is unlikely as they were found and removed very quickly.
This happens every now and then. Read the PKGBUILDs, make sure they only pull from a git that you trust, and after that it's no more dangerous than running something from Github like normal. That's where most OSS comes from anyway.
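The source check described in the post above, as an added example that is not part of the thread or of any Arch tooling: it reads a PKGBUILD as text (sourcing one would execute it), pulls every `source`/`source_<arch>` entry, and classifies each against an allowlist of host-plus-owner prefixes. The allowlist, the sample PKGBUILD and all hostnames in it are constructed for illustration.

```python
import re
import shlex
from urllib.parse import urlparse

# Assumption: prefixes the reviewer has decided to trust. The trailing slash
# matters: it stops "github.com/example-upstream-evil/" or
# "upstream.example.org.attacker.tld/" from matching.
TRUSTED_PREFIXES = ("upstream.example.org/", "github.com/example-upstream/")

# Constructed sample PKGBUILD (not a real package).
SAMPLE_PKGBUILD = '''\
pkgname=example-browser-bin
pkgver=1.0
pkgrel=1
source=("https://upstream.example.org/pub/${pkgver}/example.tar.xz"
        "helper::git+https://github.com/example-unknown-user/helper.git"
        "launcher.desktop")
source_x86_64=('https://downloads.example.invalid/blob.bin')
source_aarch64=("https://${_mirror}/blob.bin")
sha256sums=('SKIP' 'SKIP' 'SKIP')

package() {
  install -Dm755 example "$pkgdir/usr/bin/example"
}
'''

# Matches source=( ... ) and source_<arch>=( ... ), possibly multi-line.
ARRAY_RE = re.compile(r"^\s*(source(?:_\w+)?)=\((.*?)\)", re.M | re.S)
# makepkg VCS sources look like "git+https://..."; strip the tool prefix.
VCS_RE = re.compile(r"^(git|svn|hg|bzr|fossil)\+")


def classify(entry, trusted=TRUSTED_PREFIXES):
    """Return 'local', 'unresolved', 'trusted' or 'untrusted' for one entry."""
    url = entry.split("::", 1)[-1]          # drop optional "name::" rename
    if "://" not in url:
        return "local"                       # file shipped in the AUR repo
    parsed = urlparse(VCS_RE.sub("", url))
    if "$" in parsed.netloc:
        return "unresolved"                  # host hidden behind a variable
    location = (parsed.hostname or "").lower() + parsed.path
    if any(location.startswith(prefix) for prefix in trusted):
        return "trusted"
    return "untrusted"


def audit_sources(pkgbuild_text, trusted=TRUSTED_PREFIXES):
    """List (array_name, entry, verdict) for every source entry found."""
    findings = []
    for match in ARRAY_RE.finditer(pkgbuild_text):
        name, body = match.group(1), match.group(2)
        for entry in shlex.split(body):      # handles quotes and newlines
            findings.append((name, entry, classify(entry, trusted)))
    return findings


def needs_review(findings):
    """Entries a human must look at before running makepkg."""
    return [f for f in findings if f[2] != "trusted"]


if __name__ == "__main__":
    for array, entry, verdict in audit_sources(SAMPLE_PKGBUILD):
        print(f"{verdict:<10} {array:<15} {entry}")
```

This only covers the source arrays; the `prepare()`/`build()`/`package()` bodies and any `.install` script also run code and still have to be read.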
Anonymous
7/20/2025, 12:56:36 AM No.105961393
>>105960451
snapshots should not be allowed to be uploaded to AUR with zero oversight. Someone should at the very least take a cursory glance and make sure it checks out. But probably the Arch team disagrees with that.

The more conservative approach would be not to have an AUR at all and just have wiki entries with installation instructions for how to install all those unsupported packages manually.
Replies: >>105961451
Anonymous
7/20/2025, 12:58:04 AM No.105961408
>>105960259 (OP)
Thank G*d I used Debian
Anonymous
7/20/2025, 12:58:12 AM No.105961410
>>105960451
>the community detected that shit pretty fast
Yes, and that proves it's fairly secure.
If this went unnoticed for months we'd have reasons to complain but they fixed it in a couple of days so they did good.

As for improvements I think they could implement a "peer review" system where everything has to be scanned by someone else before it gets accepted on the AUR.
Replies: >>105961429
Anonymous
7/20/2025, 1:00:01 AM No.105961429
>>105961410
>think they could implement a "peer review" system where everything has to be scanned by someone else before it gets accepted on the AUR
Yeah, Im thinking this is probably the future of AUR now that linux are picking up in popularity thanks to Microjeet and Steam Deck. Packages will be tested by the community first, and then they will be uploaded on the site
Anonymous
7/20/2025, 1:00:42 AM No.105961434
>>105960259 (OP)
it's easy to not risk shit like this: just don't be a tranny and use an actual OS for sane people
Anonymous
7/20/2025, 1:02:08 AM No.105961451
>>105961393
>install all those unsupported packages manually.
That makes it LESS secure not more.
The AUR is a step up from installing software from a random website or Github page.
Replies: >>105961488
Anonymous
7/20/2025, 1:05:21 AM No.105961488
>>105961451
Not really, AUR pkgbuilds just pull from those "random websites" or github (i.e. the software's official website/github) in the first place and automate the installation.
Replies: >>105961559
Anonymous
7/20/2025, 1:16:58 AM No.105961559
>>105961488
Malware gets removed from the AUR.
This story proves this.

When you host malware on your own website nobody can take it down.
Your server, your responsibility.

Not sure how Github handles malware to be honest.
Anonymous
7/20/2025, 1:20:33 AM No.105961579
>>105960323
That affected testing versions of Debian and Fedora. Arch says it never affected them, dunno if that's cope though.
Replies: >>105961603 >>105964570
Anonymous
7/20/2025, 1:22:21 AM No.105961595
>>105960259 (OP)
>patch
>patched
>fix
Imagine not thoroughly inspecting AUR source files, let alone building AUR packages named like this without eyebrows being raised
Anonymous
7/20/2025, 1:23:24 AM No.105961603
>>105961579
It infected Arch but did not activate on non-deb/rpm systems
Replies: >>105963034
Anonymous
7/20/2025, 1:23:31 AM No.105961604
We told you to install Gentoo. We told you to compile your own binaries.
We told you and you didn't listen.
>Arch
Not even once.
Anonymous
7/20/2025, 1:23:41 AM No.105961605
>>105961325
No you can't linuxtard, Microsoft Defender is literally there so malware can't get in
Meanwhile troonix doesn't have anything similar
Replies: >>105961646 >>105961678
Anonymous
7/20/2025, 1:28:09 AM No.105961630
>>105960259 (OP)
i will never understand updateniggers.
can't you just disable updates in arch?
Replies: >>105961643 >>105961704 >>105961731
Anonymous
7/20/2025, 1:30:04 AM No.105961643
>>105961630
Yes, you update whenever you want. But it's an updooter distro, the whole point is to updoot.
Replies: >>105961671 >>105961682 >>105963174
Anonymous
7/20/2025, 1:30:34 AM No.105961646
>>105961605
I had to remove malware from my boomer dad's Windows laptop twice.
Anonymous
7/20/2025, 1:32:34 AM No.105961667
>>105960259 (OP)
manjaro wins again
Replies: >>105961704
Anonymous
7/20/2025, 1:33:10 AM No.105961671
>>105961643
sounds terrible, last thing i would want after tinkering for ages with the OS is to get rekt by some pajeet using chatgpt to sneak spyware into an update
Replies: >>105961690
Anonymous
7/20/2025, 1:34:15 AM No.105961678
>>105961605
you know windows is malware at this point, right?
Anonymous
7/20/2025, 1:34:33 AM No.105961682
>>105961643
>install Arch
>get system running nice
>"hmm, how do I update just my browser and keep the rest of the system stable?"
>install Debian
Anonymous
7/20/2025, 1:35:12 AM No.105961690
>>105961671
Ah well updooting actually has nothing to do with this malware incident. Updates from official repos have never been a security issue afaik, except for the infamous xz backdoor last year.

The issue here is this AUR which allows people to upload malware with zero oversight until after it's been online for some time.
Replies: >>105961752
Anonymous
7/20/2025, 1:36:55 AM No.105961704
>Removed in less than 48 hours
Yeah it's over for us.
>>105961630
This has nothing to do with updating. Somebody uploaded some shit with a legit-sounding name and then it was removed.
>>105961667
Actually retarded.
Replies: >>105961712
Anonymous
7/20/2025, 1:37:39 AM No.105961712
>>105961704
baited
Anonymous
7/20/2025, 1:39:31 AM No.105961730
>>105960983
Literally won't do shit, since your computer is by default firewalled by your ISPs router. You can also install software from an offline installer that has all its dependencies included, unlike loontroons that need to be connected to the (((((cloud))))) to install any program, which is probably as aids-ridden as those AUR packages in OPs pic related.
>>105961325
Its harder to catch internet aids by downloading software from developers website than using repos maintained by literallywho chink apt group.
Replies: >>105961801 >>105961932
Anonymous
7/20/2025, 1:39:35 AM No.105961731
>>105961630
The malware wasn't in updates.
"firefox-patch-bin" isn't an update of firefox, it's some random guy's own version that hopefully nobody was stupid enough to install.
It's like downloading Firefox from firefox.not.a.scam.saaar.in instead of from firefox.com
Anonymous
7/20/2025, 1:41:57 AM No.105961752
>>105961690
ok, i guess i dont know enough about arch btw
Anonymous
7/20/2025, 1:49:10 AM No.105961793
Whats the matter, janny? Having a melty from your GNU + axewound? Did my post hurt your tranny feelings? Too bad I have fuck ton of IPs to waste.
Anonymous
7/20/2025, 1:50:10 AM No.105961801
>>105961730
>You can also install software from an offline installer that has all its dependencies included
You can do it on Linux too. I can't think of any incident where a package maintainer of any distro spread malware. The xz incident for example wasn't any package maintainer, but the developer of the software.

As for trusting the package maintainer, there is the whole idea of reproducible builds.
Replies: >>105961855
Anonymous
7/20/2025, 1:51:24 AM No.105961813
Rare instance of the flamewar rule actually being enforced. Nice.
Replies: >>105961847 >>105961855
Anonymous
7/20/2025, 1:54:06 AM No.105961834
remember when mint was pawned too? fucking kek
Replies: >>105962001
Anonymous
7/20/2025, 1:55:07 AM No.105961847
>>105961813
the thread is still up, though
Replies: >>105961906
Anonymous
7/20/2025, 1:55:43 AM No.105961854
Screenshot 2025-07-20 at 00-55-25 AUR (en) - librewolf-bin
What are we supposed to be mad about, Librewolfbros?
Anonymous
7/20/2025, 1:55:52 AM No.105961855
>>105961801
>You can do it on Linux too.
with 5 programs in total that actually supply you with working tarballs. Want to use package manager? Ooops, you have to bend the knee to the cloud jew. Using flatpaks instead? Ooops, seems like you need to bend the knee to cloud jew as well. Maybe you downloaded .deb / .rpm file offline? Well, its 20 dependencies need internet connection, you know the drill. Meanwhile on old windows the vast majority of software comes with all the dependencies preinstalled. Big dependencies like .net framework or vc++ have offline installers as well.
>The xz incident for example wasn't any package maintainer, but the developer of the software.
>As for trusting the package maintainer, there is the whole idea of reproducible builds.
cope
>>105961813
>actually being enforced
tranny-janny cant do shit since I am literally evading right now. Get fucked.
Replies: >>105961969
Anonymous
7/20/2025, 1:56:58 AM No.105961863
Anonymous
7/20/2025, 2:02:47 AM No.105961906
>>105961847
This thread is neutrally and politely talking about tech without trying to start flamewars, albeit
Anonymous
7/20/2025, 2:06:37 AM No.105961932
>>105961730
your entire operating system has security vulnerabilities that are never fixed, retard
>ISPs router
dumb argument
>offline installer
even dumber argument
those offline installers are from shady websites, cracked, patched and shit
Replies: >>105962091
Anonymous
7/20/2025, 2:10:20 AM No.105961967
>arch users pretending they don't blindly install aur packages and most definitely do read every pkgbuild
Replies: >>105963007
Anonymous
7/20/2025, 2:10:20 AM No.105961969
>>105961855
>Get fucked.
impotent
Anonymous
7/20/2025, 2:15:02 AM No.105962001
>>105961834
That was way worse in comparison. Malware got distributed as the official iso. AUR incident is just "malware got uploaded to the user repository known for having malware uploaded to it and warns about potential malware, again"
Anonymous
7/20/2025, 2:26:36 AM No.105962091
>>105961932
>your entire operating system has security vulnerabilities that are never fixed, retard
couldn't care less as noone cant take advantage of them, tranny
>dumb argument
learn the basics of networking, tranny.
>even dumber argument
those offline installers are from shady websites, cracked, patched and shit
And they still work in better and more independent way than any linux software, you terminally online tranny.
Anonymous
7/20/2025, 3:17:40 AM No.105962545
>>105960259 (OP)
>>105960259 (OP)
>concerned about “remote access Trojan”
>ignore systemd
Anonymous
7/20/2025, 4:00:30 AM No.105962844
Reminder

https://www.youtube.com/watch?v=BqMf6XFacR8
Anonymous
7/20/2025, 4:12:50 AM No.105962938
>>105960339
/this - Is the gotcha that arch doesn't secure their official repos?
Anonymous
7/20/2025, 4:21:19 AM No.105963007
>>105961967
>arch users pretending they don't blindly install aur packages and most definitely do read every pkgbuild
Yes, I do, actually. It takes all of two seconds to breeze through a PKGBUILD and make sure it isn't doing anything fucky.
Anonymous
7/20/2025, 4:23:04 AM No.105963020
>>105960259 (OP)
>AUR
>firefox-*patch*-(((bin))l
I sleep
Anonymous
7/20/2025, 4:23:36 AM No.105963025
>>105960259 (OP)
>what's stopping people from replacing packages with straight malware?
>popularity
>how about replacing source code with malware?
>popularity
what a fucking joke ecosystem
Anonymous
7/20/2025, 4:24:22 AM No.105963034
>>105961603
No it didn't "infect" Arch or anyone besides Debian and Fedora.
The build system only injected malicious code in the binary if you were building on one of those systems.
You can diffoscope the Arch tarball build vs git build if you want to see for yourself.
Of course the malicious files were static in the git repo, and there was other fucky stuff in the git repo before the cleanup.
But the "infection" of the binary only triggered via tarball build on Debian or Fedora.
Replies: >>105964456
Anonymous
7/20/2025, 4:27:37 AM No.105963056
>>105960342
>Backup
>save the infection to reinstall later on your new ``trusted'' system
lol
It is called Flatten & rebuild. Burn it all and begin anew.
Replies: >>105963528
Anonymous
7/20/2025, 4:31:28 AM No.105963087
How did the malware work? Did it just create a service or what? I wonder if using Artix would have prevented it
Anonymous
7/20/2025, 4:42:19 AM No.105963174
>>105961643
The flaw with Arch's system is that the voting is weighted towards the voters real life weight.
It creates an imbalance.
Anonymous
7/20/2025, 4:43:53 AM No.105963188
>>105960259 (OP)
gentoochuds stay winning
Anonymous
7/20/2025, 5:07:41 AM No.105963360
>>105960259 (OP)

op is a moron
Anonymous
7/20/2025, 5:17:24 AM No.105963441
>>105960259 (OP)
>trannyfox
>trannywolf
>tranny loonix
Tranny ware
Anonymous
7/20/2025, 5:19:52 AM No.105963460
>>105960310
rm -rf /
Anonymous
7/20/2025, 5:20:40 AM No.105963466
Even bigger nothingburger than xz
xz:
>potential to give remote access to millions of computers
>3 years in the making
>caught before it reached stable releases
>only worked in Debian and Fedora

AUR Malware:
>already expected, community repositories are inherently unsafe, same shit as Flathub or Snapstore
>only affects Arch... users who download random packages without knowing what they are from the AUR
>almost immediately removed when detected
>no official repos affected
>no popular packages affected
>build systems not disturbed
>maintainers not disturbed
If you care about this other than "Shouldn't Arch have a little more security in the AUR with how much it's grown?" then you are a complete retard.
Anonymous
7/20/2025, 5:27:06 AM No.105963510
ITT archtroons on damage control again
Anonymous
7/20/2025, 5:29:20 AM No.105963528
>>105963056
You can probably salvage your files with clamav on a live USB. Though obviously you should have a preexisting backup not on-disc anyway.
Anonymous
7/20/2025, 5:32:27 AM No.105963550
>>105960259 (OP)
Patches and fixes for what though?
AUR is limewire all over.
Replies: >>105964364
Anonymous
7/20/2025, 7:31:38 AM No.105964302
>>105960259 (OP)
>The absolute fucking state of Linux
huh? those are AUR packages, i.e. submitted by randoms. would you laugh at windows if someone downloaded an .exe from a 4chan user?
Anonymous
7/20/2025, 7:33:28 AM No.105964307
Do people even use these packages?
Replies: >>105964336
Anonymous
7/20/2025, 7:46:19 AM No.105964336
>>105964307
>check first one
>"first submitted <4 days ago>"
>2 votes
unlikely anybody used it
Anonymous
7/20/2025, 7:47:24 AM No.105964341
Retina Macbook Pros don't have this problem
Anonymous
7/20/2025, 7:52:04 AM No.105964350
linux must be pretty good if this is the best people can do to discredit it
Anonymous
7/20/2025, 7:53:29 AM No.105964356
>>105960310
rollback to the btrfs snapshot that was made automatically by the pacman hook to just before you installed it
Anonymous
7/20/2025, 7:54:43 AM No.105964364
>>105963550
likely nothing at all, and are just bait named to get someone to mistakenly install it instead of another legit package
Anonymous
7/20/2025, 8:05:37 AM No.105964414
Why even host these package recipes on official infra if you're not going to at least have someone take a look at the source URIs for a hot minute?
Anonymous
7/20/2025, 8:17:15 AM No.105964455
>librewolf-fix-bin
Wew, dodged the bullet.
Anonymous
7/20/2025, 8:17:36 AM No.105964456
>>105963034
It affected TESTING repos of Debian Unstable and Fedora rawhide, didn't get into stable.
To be fair, the xz bug was something that wasn't detected by normal testing. Arch nature allows packages to be removed asap while Debian and Fedora have to test package replacements and usually takes hours after malware detection.
Anonymous
7/20/2025, 8:21:45 AM No.105964479
>>105960451
People using auch and the aur are extra retarded
Anonymous
7/20/2025, 8:23:04 AM No.105964487
>>105960259 (OP)
>installing unofficial versions of a web browser that contained to be fixed when there is literally no issue that needs to be fixed with any of those browsers.
I mean, what did you expect?
Anonymous
7/20/2025, 8:40:48 AM No.105964570
>>105961579
It was a state actor so he only wanted to infect useful systems used by organisations. Not some system used by some trannie neets full of child porn.
Anonymous
7/20/2025, 8:55:01 AM No.105964644
>>105961282
Exactly. More users there are, more enshittification ensue. The few benevolents will not be able to handle the mass.
Anonymous
7/20/2025, 9:00:45 AM No.105964674
>>105960451
>However, if Linux popularity increases, then AUR will become more vulnerable, so Archtroons will need to come up with some ideas to secure AUR
We already did: voting system
Anonymous
7/20/2025, 9:04:33 AM No.105964696
>>105960259 (OP)
Why would you install firefox from the AUR in the first place? Retardation?
Replies: >>105965622
Anonymous
7/20/2025, 11:53:20 AM No.105965622
>>105964696
firefox from the official arch repository is customized. same for chromium which has an archlinux google api key allowing google to track everything from arch users. you are so naive.
Anonymous
7/20/2025, 1:21:31 PM No.105966197
>>105960259 (OP)
It was some random's spin-off patches.
That does give me an idea though.
>Upload malware to AUR on an alt.
>Self report to gain recognition as a malware-buster.
>????
>Profit
Seems like it would be a really easy grift.
Anonymous
7/20/2025, 1:47:17 PM No.105966419
>>105960259 (OP)
Obviously done by a chrome user. (witness me)
Anonymous
7/20/2025, 4:45:56 PM No.105967807
>>105960259 (OP)
>AUR
next you're gonna tell me about that "gold" chain you bought from a gypsy?
Anonymous
7/20/2025, 4:49:07 PM No.105967836
I'm going to repost this in EVERY. tranny gayming thread on /v/
You can't stop me
You can mass report me
But I WILL shit on your troonix gayming thread on /v/
Replies: >>105968231
Anonymous
7/20/2025, 5:30:21 PM No.105968231
>>105967836
sir this is /g/