
Russian Spam and Profanities Are Now Plaguing the Arch Linux AUR (phoronix.com)

(Tuesday June 16, 2026 @05:00PM (BeauHD) from the rough-week dept.)


The Arch Linux User Repository "AUR" is facing another issue just days after more than 1,500 packages were [1]found carrying malware. According to Phoronix, over 70 AUR packages have reportedly been [2]modified to insert Russian spam and profane messages into users' shell configuration files. From the report:

> Nicolas Boichat with his AI/LLM detection bot [3]detected some questionable messages appearing in AUR content. Russian messages were being added post-install to the bashrc / zshrc / Fish configuration, etc., containing offensive messaging. Those commits happened on the 14th, after the recent malware fiasco. And then over the past day reporting on dozens of AUR packages having similar Russian messages containing offensive language.


> The [4]latest update on that thread indicates more than 70 AUR packages having this Russian spam / offensive messaging. Among those various Python packages, Ruby packages, Llama.cpp, and others. At least the AI/LLM bots are proving helpful here in proactively picking up on some of the AUR abuses until the fundamental situation can be better handled.



[1] https://linux.slashdot.org/story/26/06/13/1817206/arch-linux-malware-incident-malicious-commits-found-in-1579-packages

[2] https://www.phoronix.com/news/Arch-Linux-AUR-Russian-Spam

[3] https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/message/GJURAWWOV453HZDBESQT3L26J2572VDV/

[4] https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/message/2YQSHTC27MOKDDKHZTH2BJGTEN2CYC7W/
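A triage check for the pattern the quoted report describes (text appended post-install to bashrc / zshrc / fish configuration), added here as an example; it is not code from Phoronix, the AUR, or the mailing-list thread. It scans the text of a PKGBUILD or its companion .install file and flags lines that write to or reference shell start-up files, or that contain Cyrillic text, so a human can look before building. The list of start-up files and the sample PKGBUILD are constructed for the example.

```python
import re

# Shell start-up files the report says were tampered with (bashrc, zshrc,
# fish config) plus their system-wide counterparts. Constructed list.
RC_FILES = (".bashrc", "bash.bashrc", ".bash_profile", ".zshrc", "/etc/zsh",
            ".zprofile", "config.fish", ".profile", "/etc/profile")
# Shell operations that append to or rewrite a file.
WRITE_OPS = re.compile(r"(>>|>|\btee\b|\bsed\s+-i\b)")
# Cyrillic block; the reported spam was Russian-language text.
CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def audit_pkgbuild(text):
    """Return (line_no, reason, line) tuples for lines that deserve a human look."""
    # Works on a PKGBUILD or on a .install file (whose post_install() hook
    # is where post-install tampering would live). Comment lines are skipped.
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        touches_rc = any(name in stripped for name in RC_FILES)
        if touches_rc and WRITE_OPS.search(stripped):
            findings.append((no, "writes to a shell start-up file", stripped))
        elif touches_rc:
            findings.append((no, "references a shell start-up file", stripped))
        if CYRILLIC.search(stripped):
            findings.append((no, "contains Cyrillic text", stripped))
    return findings


# Constructed sample: an ordinary PKGBUILD whose package() appends a line to
# the user's .bashrc, mimicking the reported pattern with harmless text.
SAMPLE_PKGBUILD = """\
# Maintainer: someone <someone@example.invalid>
pkgname=example-tool
pkgver=1.0
pkgrel=1
build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}
package() {
  make DESTDIR="$pkgdir" install
  # nothing a normal package() should be doing
  echo 'echo "Привет"' >> "$HOME/.bashrc"
}
"""

if __name__ == "__main__":
    for no, reason, line in audit_pkgbuild(SAMPLE_PKGBUILD):
        print(f"line {no}: {reason}: {line}")
```

Run it over the PKGBUILD and any .install file an AUR helper downloads before letting the helper build; an empty result is not a clean bill of health, only the absence of this particular pattern.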



Re: (Score:2)

by drinkypoo ( 153816 )

> The beauty of the open source lie, that there are any eyeballs at all.

Yeah, we never discovered this problem, because there are no eyeballs at all.

If you can't learn to think, at least learn to read.

This is validating my decision to stay on Debian (Score:5, Interesting)

by reiscw ( 2427662 )

I run Linux as a desktop and have done so since around 2008. I started with Ubuntu, and after a while (probably around 5-10 years) I moved to Debian. Every once in a while, I'll read about one of the new Arch-based distros (Manjaro, Calyx OS) and decide to give it a try. After about a few hours, I realize that some of the programs I use on a regular basis are not available (easily) outside of the AUR. When you read about the AUR as an intermediate user, you understand how dangerous it can be, but you feel like it's necessary to use Linux as your main computing device. There are applications that are packaged as DEB/RPM but not for Arch, and are not available as Flatpaks (or AppImages or Snaps). Some of these are proprietary.

One in particular which comes to mind is Insync, which I use to synchronize Google shared folders to my home directory. It is much easier to use than rclone and the latency is a lot lower. If I move to an Arch-based system, I have to get that from the AUR. Now, I do feel like I have the experience to read the PKGBUILD and audit it for weird stuff going on, but I'm also not arrogant enough to believe that someone could not sneak something by me.

I use Debian Stable, and all of my software is available. Some of the software is dated, obviously; I'm running KDE 6.3.6 and kernel 6.12. But in general, I don't have huge issues with that, and if there was an application I needed to update, I probably could do it either with Flatpaks or compiling from source. Honestly though, I cannot remember the last time I needed to do that. Maybe it helps that I'm not a professional software developer and I don't need access to the latest versions of everything. I also know that some Debian users address those issues by running testing or unstable.

There's a part of me that wonders if these attacks are related to the surge in popularity of Calyx OS. I teach high school, and I noticed last year that one of my ninth graders was running KDE on his laptop. I asked him what distro he was running, and he said Calyx OS. I was surprised by that - most of the time when I run into a high school kid they're running something in the Debian family (including Ubuntu and its derivatives).

Re: (Score:3)

by unrtst ( 777550 )

I'm also a Debian fan, but I'm not sure this Arch issue validates anything for Debian. How is their supply chain different/improved/more-secure? Please note, I simply don't know. If someone could confirm this is far less likely on Debian because yada yada yada.., that'd be great.

Re: (Score:3, Insightful)

by thesinfulgamer ( 2537658 )

It's far less likely because Debian has no user repository like Arch.... plus their packages are a year out of date on a good day.

Re: (Score:2)

by unrtst ( 777550 )

Thanks! I overlooked the user repo part.

Re: (Score:2)

by test321 ( 8891681 )

We generally trust packages produced by distro developers, whether it's Arch, Debian or others. A distro packager could be a mole, but it's easy for them to get caught. What we don't trust are user repositories, where anons like you and me can publish a binary. Assuming the Debian developers are trustworthy, you can trust Debian. If you take your Debian and add PPA (custom repositories, originally developed for Ubuntu) then you're susceptible to malware added by the PPA publisher.

Personally I use Gentoo. As

Re: (Score:2)

by robot5x ( 1035276 )

> What we don't trust are user repositories, where anons like you and me can publish a binary.

Great point supporting the wrong argument. AUR does NOT host binaries - there is NO WAY for anon to make a binary available directly to Arch users. Let's all get this clear.

What is the AUR?

The AUR (Arch User Repository) is a community-driven repository of build scripts called PKGBUILDs. It doesn't host packages themselves — it hosts recipes that tell your system how to fetch sources and compile/package software locally.

What it hosts: PKGBUILDs for software not in the official repos — proprieta

Re:This is validating my decision to stay on Debia (Score:5, Informative)

by Anonymous Cward ( 10374574 )

The difference between the AUR and Debian repositories is that there's a natural level of checking built into the process. For simplicity, I'm going to completely ignore Debian Stable and talk about Unstable, which ultimately gets far less scrutiny due to less security team involvement.

Each category (or group) of packages generally has a team of people who work together to commit changes to Unstable, aided by senior developers who have non-maintainer upload rights to dip in and help out if packages end up lacking named maintainers. There's no concept of a random person with no history of contributing immediately taking over orphaned packages, and while a package maintainer owns the responsibility of making sure changes work, folks definitely aren't alone when it comes to QA/QC.

Debian also splits out everything so that any potentially reusable dynamic libraries can be re-used by as many other packages as possible. If there's a new dependent library being introduced which no other package already makes use of, it needs to be added to the Debian archive as a brand new package, where the process is ultimately overseen by a separate team of people. Even if all that scrutiny doesn't pick up on something, Canonical engineers also use Debian's packages as the basis for Universe/Multiverse in Ubuntu and have to perform their own checks before syncing over new packages in from Debian Unstable when MOTU ("Masters Of The Universe" aka. community contributors mentored by Canonical) put in a request as part of maintaining the packages they look after.

The end result is potentially even better scrutinised than the packaging approach typical macOS and Windows apps receive, due to the number of separate individual maintainers taking responsibility for dependent libraries, as opposed to an independent or small team of developers taking responsibility for everything. However, it does also mean if one common library gets subverted in some way, especially by a compromise of the upstream project (as people saw with the xz backdoor attempt) then the net impact could be far wider than with vendored libraries (how packages work with macOS/Windows) where developers can choose to stick with older versions for their application for longer. Of course, that's somewhat mitigated by that thing I'm ignoring called Debian Stable... =]

Note: I'm not a Debian Developer (just someone who ends up reading way too much) so it's possible some of what I'm saying isn't as accurate as it could be, but I hope this gives you a general gist of the differences.

Re: (Score:2)

by unrtst ( 777550 )

Thank you! This goes even further than the above comments :-)

Re: (Score:2)

by robot5x ( 1035276 )

No - the difference between AUR and Debian repos is that Debian repos are 'official' binaries, while AUR is a bunch of random build scripts uploaded by potentially anyone. In other words, exactly the same difference as between AUR and Arch repos.

Re: (Score:1)

by thesinfulgamer ( 2537658 )

You can do the usual ./configure, make, sudo make install thing on the actual source, even if it's not the Arch way, and writing PKGBUILDs for packages isn't super difficult; even my dumbass has an AUR package because waterfox wasn't getting updated fast enough.

And this is not new (Score:2)

by rickb928 ( 945187 )

We used to call them griefers. Now they pretend to have meaning.

Stay away from mah Gentoo (Score:2)

by sinkskinkshrieks ( 6952954 )

Filthy Ruzzian bots begone... go meat assault in Donbas.

Re: (Score:2)

by HiThere ( 15173 )

Odd. My first suspect was either Ukrainians or some of their sympathizers.

Re: (Score:2)

by ArchieBunker ( 132337 )

What possible motive would Ukraine have to fuck with a poorly maintained linux distribution?

Snowden (Score:3)

by Big Bipper ( 1120937 )

Don't forget what Snowden revealed. The NSA routinely covers its tracks by salting its code with comments in foreign languages. This might actually be evidence of your tax dollars at work, or not. We'll probably never know for sure unfortunately. That, and AI Slop, are the sad part. We don't know what to believe, only that most of what we see online, or on the mainstream media, is fake.

Blyatiful! (Score:2)

by trelanexiph ( 605826 )

I told them that Katyusha, my Russian Blue cat, couldn't be trusted with commit rights.

I guess they had to find out the hard way.

Sad Days For Arch (Score:3)

by SlashbotAgent ( 6477336 )

This will severely damage Arch, possibly beyond repair.

It will be sad to see Arch go. I've personally never used it. But, I have and do use their documentation. Arch docs are fantastic, no matter what distro you use.

Arch will be fine (Score:2)

by Dasher42 ( 514179 )

AUR is not an official repository for Arch distributions. It requires extra tooling; you can't install from the AUR in pacman, and AUR has historically been a risk for breakages with the official updates. It's always been a known risk, and in the age of AI malware, it will have to be adapted or removed.

There's nothing wrong with the actively maintained Arch distributions. These are the same pains every distribution has to deal with presently.

Re: (Score:2)

by Bahbus ( 1180627 )

> These are the same pains every distribution has to deal with presently.

No one outside the Arch (and its derivatives) community is dealing with any external pains at the moment.

Re: (Score:2)

by robot5x ( 1035276 )

The 'pain' here is that Arch wanted to provide a way for users to manage 'ad hoc' packages within the pacman system and make them available to other users if necessary. For reference I can find examples of only 4 other linux distros that support an equivalent:

Gentoo GURU (Gentoo User Repository), an official user-contributed overlay. Also the broader ebuild overlay ecosystem.

NixOS NUR (Nix User Repository), explicitly modeled on the AUR.

Slackware SlackBuilds.org, community build scripts (though run inde

Build Script? (Score:2)

by allo ( 1728082 )

Isn't AUR showing you the build script, before it executes it? You certainly read what shell script from some unknown user you're running, didn't you?

This is utterly unsurprising. (Score:2)

by ElderOfPsion ( 10042134 )

Russia always was our Arch enemy.

Archlinux is just tech dimwits and hackx0r mimics (Score:2)

by yanestra ( 526590 )

Archlinux developer and d00fus are synonymous, no wonder they are helpless and disoriented right now.
