[sf-lug] Malware hidden in Linux packages First Gentoo more lately Arch.
David Rosenstrauch
darose at darose.net
Thu Jul 12 07:59:01 PDT 2018
On 07/11/2018 09:05 PM, Rick Moen wrote:
> Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):
>
>> Well this is a clever if nasty hack.
>>
>> <https://nakedsecurity.sophos.com/2018/07/11/another-linux-distro-poisoned-with-malware/>
>
> Never, ever, ever believe self-promotion articles from anti-virus /
> security companies without careful cross-checking.
>
> 1. The Arch User Repository is _not_ Arch Linux. This is like
> confusing the contents of http://addons.mozilla.org/ (a public bazaar)
> with a distro-packaged and vetted copy of Firefox.

Just thought I'd chime in as a long time (10+ years) Arch user.

I definitely agree with Rick's main points: AUR is not the same as the
main Arch repo, there's a big "use at your own risk" warning, Sophos was
using this issue as propaganda, etc.

However, I wouldn't necessarily conceptually equate the AUR with the
Mozilla add-ons repo. The AUR tends to contain a number of packages
that are still mission-critical for many users, but less "core", and
which the Arch devs don't want to maintain themselves. (For example,
hadoop, spark, and kubernetes all reside in the Arch AUR.) And I've
found that if you run Arch as your primary platform - either as server
or as desktop - then the chances are pretty close to 100% that you're
going to need to install at least one AUR package (or create one
yourself) in order to get your system running as needed. (For example,
a quick check showed that I've got over 50 AUR packages installed on my
laptop.)

So although, yes, they do have a prominent "user beware" warning, I do
think the Arch devs should willingly take on some additional
responsibilities re: the AUR:

* Promptly fix security issues like the one that occurred. (Which, to
their credit, they did.)

* Proactively scan the AUR for problems like the one that occurred.
(I'm not sure if they do that.)

* Treat AUR security issues seriously and non-flippantly (which they
definitely didn't do) and communicate well to the community what
happened and how it was addressed (which they also didn't - there's been
complete radio silence on the arch-general and arch-announce lists re:
this issue).

Couple of other points of interest about the AUR:

* It used to be called the "TUR" - Trusted User Repository - and only
contained packages created by a group of "Trusted Users". This baked in
a level of trust to the TUR, since the TU would have responsibility to
make sure that nothing nefarious made it into one of their packages.
They've since opened that up to allow anyone to contribute packages to
it - a good thing, IMO - however, the idea of the repo being a "trusted"
one obviously was a casualty of that change.

* Although they still have the concept of "Trusted Users" (see
https://wiki.archlinux.org/index.php/Trusted_Users) the role is more
along the lines of just generally maintaining the AUR, shepherding
popular packages from the AUR into the official repos, etc.

DR