You never realize how insecure the AUR is until you create a package for it...

So I got bored today and decided to package OpenSUSE's Greybird Geeko theme in the AUR just for fun. It was actually pretty easy since I could just base it off of Manjaro's PKGBUILD file for the regular Greybird theme. However, I was shocked at how easy it was to create an account and just sort of "push" whatever you want.

Of course, I didn't do anything like that because I'm not a psycho... I think. But this makes me want to take a better look at the build files in pamac-manager or yay before I install anything.

This post was made by Flatpak gang!

2 Likes

AUR is arguably the safest of any 3rd party repo because the PKGBUILD files are extremely easy to read and totally transparent. If you choose to randomly install packages without seeing what they do first then you open yourself up to a lot of risk. Especially if you grab a package made by a new packager.

When you update, you can see the diffs of the PKGBUILDs so you can quickly see what changed which is even easier.

Compared to a 3rd party repo where things are often hidden/locked up in a binary it is demonstrably safer.

16 Likes

I know, I'm just surprised that it is THAT easy to put something up there...

It's called Arch User Repository for a reason :grin:

3 Likes

Were you expecting a full background check? :wink:

5 Likes

More like a quick review or something...

DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.

Also, on the Arch wiki, we can read:

Installing packages from the AUR is a relatively simple process. Essentially:

  1. Acquire the build files, including the PKGBUILD and possibly other required files, like systemd units and patches (often not the actual code).
  2. Verify that the PKGBUILD and accompanying files are not malicious or untrustworthy.
  3. Run makepkg -si in the directory where the files are saved. This will download the code, resolve the dependencies with pacman, compile it, package it, and install the package.

So yes, AUR is more meant to be convenient for its users than to be secure. The user has his share of responsibility when using AUR on that aspect: he/she has to verify that the build files are not malicious (which can be done since you have total access to how the package is built).

Of course, if something malicious is found on AUR, it has to be reported to the people responsible for AUR so they can verify the claim and delete the content if it is indeed malicious. But they won't monitor each of the ~60k packages available on AUR individually.

5 Likes

I would really like it if there were a review process like in *BSD ports/pkgsrc, however those are a single VCS repository I guess.

1 Like

Yeah, even just a "verified" check-mark or something would be helpful.

UPDATE: Okay so it has come to my attention that a request was put in to have my package deleted because it was "Made by a Manjaro user to prove how easy it is to misuse AUR." This was certainly not my goal and I don't really understand how one could interpret this thread that way. If anyone here is concerned about that you can easily check the PKGBUILD file anyways.

Edit: It was rejected so all fine

I seem to sense some "official" Manjaro ambivalence about the AUR.

On one hand you're "on your own", and AUR packages are not "officially supported". That one is easy to get, it just couldn't be another way.

Yet the AUR is undeniably one of the main and fundamental attractions of Arch based distros, besides the ease of customized installs and the rolling thing.

Is there a sticky somewhere at least, that would give newcomers a general idea about how to "check" AUR packages, see what they do, and most importantly be aware of what they shouldn't do?

You mean like the Manjaro AUR wiki page?

8 Likes

Goddamn!!

OK, I just knew I missed something when always turning off that welcome thing at every boot, and that sooner or later it would come biting your back!

It's pretty simple.
In order to be safe you need to understand.
If you can't comprehend what's going on in a PKGBUILD then you can't safely use the AUR.
(but that's the same as anything else - you couldn't safely download a project and install it if you don't understand the install script ... and forget about some random exe - there would be no way to easily inspect it whether you know what you are doing or not)

1 Like

But does it (the Wiki) say anything about what to look out for regarding risks, and what AUR packages shouldn't do?

I realize that this is an extremely wide subject, maybe impossible to give a general overview of. Most new users would be able to see the install script, but then have no idea about what to look out for regarding security.

It is virtually impossible to cover all possible 'bad commands'.
Even if such a checklist were somehow created ... no one would read the thousands of lines.

It's anything undesirable or malicious.
A random curl from myminingsite.co/virus.sh would probably count.
Maybe stray rm lines removing things from your system.
Or if the file source is not from the proper upstream project host.
etc.

4 Likes

Damn, I only have half a background.

Sheesh, with a narrow-minded attitude like that I can't even begin to think what mean things you might say about my DIY neurosurgery hobby.

3 Likes

Ah Yes the Selflobotomizer kits, I've sent more than a few people one.

1 Like

  • First of all, look up the package on aur.archlinux.org, see the comments, upvotes, popularity, name of the packager, etc... If it is not a popular package, be extra careful when inspecting the PKGBUILD file.

What to look for in the PKGBUILD file?

  • Look for anything obviously malicious, like rm, mv commands, any output redirection, any mention of /dev (like /dev/null, /dev/sda, /dev/zero, /dev/random), mkfs, any call to pacman, systemctl, anything that touches grub... stuff like that.

  • Look for any command that does stuff in your home directory. Typically, building and installing packages should not touch anything in the home directory. If you find something like that, be very suspicious and make sure you completely understand what that command does.

  • Look for anything that looks intentionally obfuscated. Anything that is written in an unclear way, with many semicolons, &&s and ||s, lots of brackets, sed, awk, etc...

  • Make sure the software comes from a trustworthy place, whether it's a binary distribution or the source code. Check all the URLs in the script, make sure they are official pages for the software you're installing. Look for any downloads of external scripts, with curl or wget. Beware of random GitHub places.

  • Use common sense.

Also, when you install something from the AUR, make sure to upvote it on aur.archlinux.org, just to let everyone know it's a good package. If you notice anything malicious, do not neglect to report it. Upvoting good packages and reporting bad ones is the easiest way to improve the AUR for everyone.

I completely agree with @dalto that the AUR is one of the safest ways to install software, just because it is so transparent. But it does not tolerate just looking up the package in Pamac and clicking on the Build button, it requires that the user knows what's going on. That's why I recommend trying to build at least one package manually, to understand what's going on, before using an AUR helper like pamac or yay.

15 Likes

This is actually really good advice... Also I'd like to mention to look for anything to do with pacman or possibly even grub too.

1 Like
