[sf-lug] Malware hidden in Linux packages First Gentoo more lately Arch.

Rick Moen rick at linuxmafia.com
Thu Jul 12 12:00:20 PDT 2018


Quoting David Rosenstrauch (darose at darose.net):

> Just thought I'd chime in as a long time (10+ years) Arch user.

David, thanks for helping out.

> However, I wouldn't necessarily conceptually equate the AUR with the
> Mozilla add-ons repo.

I wouldn't want to claim they're the _same_ in the sense of eschewing 
codebases essential to many users -- and that wasn't what I was suggesting.
I merely said they were alike in being uncurated bazaars -- that
uncurated software bazaars are common, and always pose security problems
by their nature.[1]

By the way, Hadoop, Spark, and Kubernetes are certainly important to Big
Data people (such as me), but I'm sure you'll admit that they're
extremely specialised offerings.

> And I've found that if you run Arch as your primary platform -
> either as server or as desktop - then the chances are pretty close
> to 100% that you're going to need to install at least one AUR
> package (or create one yourself) in order to get your system running
> as needed.

Indeed, that's what I hear -- which creates IMO a very uncomfortable
security situation for the distribution as a whole.  I hope the Arch
Linux community eventually comes up with a better solution.


[1] Viz., for example, a 2009 security flap caused by a trojaned
alleged-GNOME-theme package uploaded by nobody-in-particular to
www.gnome-look.org: https://lwn.net/Articles/367874/
(Heh, and there I was in the reader comments section, holding this same
discussion.)
