• teawrecks@sopuli.xyz · 8 points · 2 days ago

      The AUR is unsafe by design. It’s not intended to be something you just install from willy-nilly. It’s intended to be a helpful way for arch users who know what they’re doing to exchange a convenient way to install arbitrary packages. But you should always be just as wary of it as copy/pasting shell code from a random person on the internet.

    • Feyd@programming.dev · 48 points · 2 days ago

      The AUR is kind of a trap. It can be useful but it has the warnings it has for a reason. Maintainers are not vetted so you depend on them both to be benevolent and competent and neither are reliable.

      No one should really use it without taking the time to understand pkgbuild, but you have people recommending AUR helpers like yay and tying AUR updates to regular system updates, which is a terrible idea.

      • Victor@lemmy.world · 7 points · 2 days ago

        paru always shows you the diff of the PKGBUILD on upgrade, so no need to worry about adding it to an alias that does both.

        In fact, just running paru is the same as running

        pacman -Syu
        paru -Sau

        At the end I review the PKGBUILDs and make sure everything looks reasonable. Usually it’s just new source hashes, but not every time.

          • hoppolito@mander.xyz · 8 points · 2 days ago (edited)

            And just to be very explicit why this is an issue: each time the package is upgraded through an automated update, the PKGBUILD may change (e.g. to adapt to different dependencies, file structure, etc. introduced with a new app version).

            That also means an AUR maintainer can smuggle in malware with any of those updates, even if you checked the original PKGBUILD when you installed. And, anyone can request taking over maintenance for unmaintained packages, so it can even happen if the original maintainer was benevolent.

            Always check PKGBUILD files on upgrade, even if just a glance. If I remember correctly yay had a function to always show you PKGBUILD diffs before updates, not sure if that was automatically enabled.
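As an added example (not code from this thread, nor from paru, yay or the AUR), here is a small Python check that separates the routine part of a PKGBUILD upgrade (the version and checksum lines Victor describes as "usually just new source hashes") from the kind of change hoppolito warns about: a different source URL, a new install hook, or edits inside the build functions. The PKGBUILDs and the example.invalid host are constructed placeholders.

```python
"""Classify an AUR PKGBUILD change as a routine version bump or as something
to read before building. Constructed illustration for this thread; not code
from paru, yay or the AUR."""
import difflib
import re

# Lines a plain version bump may touch: pkgver/pkgrel, checksum arrays, and
# the quoted hash (or SKIP) entries that continue those arrays.
ROUTINE = re.compile(
    r"^(pkgver|pkgrel)=|^(md5|sha1|sha256|sha512|b2)sums(_\w+)?=|"
    r"^['\"]?([0-9a-fA-F]{32,128}|SKIP)['\"]?\)?$"
)

def classify_pkgbuild_change(old_text, new_text):
    """Return ('hash-only', []) or ('review-needed', [diff lines to read]).
    Anything outside ROUTINE (new source URL, new install= hook, edits in
    prepare()/build()/package()) is reported instead of lost in the bump."""
    diff = difflib.unified_diff(old_text.splitlines(), new_text.splitlines(),
                                lineterm="", n=0)
    flagged = []
    for line in diff:
        if line.startswith(("---", "+++", "@@")) or line[0] not in "+-":
            continue
        body = line[1:].strip()
        if body and not ROUTINE.match(body):
            flagged.append(line)
    return ("review-needed", flagged) if flagged else ("hash-only", [])

# Constructed PKGBUILDs; example.invalid is a placeholder, not a real project.
OLD_HASH, NEW_HASH = "1f" * 32, "2e" * 32
OLD_PKGBUILD = f"""pkgname=examplepkg
pkgver=1.2.0
pkgrel=1
source=("https://example.invalid/examplepkg-$pkgver.tar.gz")
sha256sums=('{OLD_HASH}')

package() {{
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}}
"""
# Routine bump: only the version and the checksum move.
BUMP_PKGBUILD = (OLD_PKGBUILD.replace("pkgver=1.2.0", "pkgver=1.3.0")
                .replace(OLD_HASH, NEW_HASH))
# Same bump, but the tarball now comes from another host and an install hook
# appears; both deserve a human's eyes even though "only the hash changed".
SUSPECT_PKGBUILD = (BUMP_PKGBUILD
                    .replace("https://example.invalid/", "https://mirror.example.invalid/")
                    .replace("pkgrel=1\n", "pkgrel=1\ninstall=examplepkg.install\n"))
```

Running it on a real upgrade means feeding it the cached PKGBUILD from the previous build and the freshly fetched one; a "hash-only" verdict still says nothing about the contents of the new tarball, which is the limit the thread discusses.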

            • brucethemoose@lemmy.world · 3 points · 1 day ago (edited)

              Paru shows them by default, and it’s basically impossible to disable.

              It is a little too easy to skip past it, though.

            • jcarax@beehaw.org · 2 points · 2 days ago

              Yeah, it’s never sat very well with me. I’ve gone through cycles where I’ll use a good bit of AUR, to none at all. I had been using a handful of things, but realized that almost all of it was Python stuff that I could more safely install with pip or uv, so I’ve migrated all of that. The one thing left is Manuskript, and it hardly gets updates anyway.

            • Victor@lemmy.world · 9 points · 2 days ago

              Paru shows you the diffs by default.

              I just run paru when I do system upgrades. Very convenient to have one command doing everything in a somewhat safe way.

              Of course, inspecting the PKGBUILDs still doesn’t protect us from having the actual software repositories compromised. Just because only the source hash changed doesn’t mean the software doesn’t have malware now.

              That’s where I draw the line regarding trust. I don’t feel like going into each release of each AUR package I have installed to check code to see if malware was injected. 😅

    • Excel@lemming.megumin.org · 17 points · 2 days ago

      The way to prevent it is to get more stuff into the official repos so people aren’t forced to rely on AUR in the first place.

      • 1984@lemmy.today · 2 up / 1 down · 2 days ago (edited)

        It depends. There are trusted well known packages and those can be trusted in my opinion. But I wouldn’t install any random package someone made.

        And how would moving the packages into official repo solve anything? The reason it’s in the AUR is because the arch maintainers don’t have time to maintain packages.

    • iltg@sh.itjust.works · 9 points · 2 days ago

      in theory? getting rid of paru and friends, manually reviewing the pkgbuild and the source of whatever it is installing

      realistically? nothing. the AUR is a glorified repository of build scripts anyone can upload. the script or the package itself can ship malware

      the AUR is mostly the same as downloading and running random exes on windows. you should avoid it, make it as manual as possible (forcing you to double check what’s happening) and be able to review the installer/package or trust someone who can vouch for its safety

      • Bananskal@nord.pub · 3 points · 2 days ago (edited)

        paru shows you the PKGBUILD diffs on upgrade, so you can review them and deny upgrades.

        But realistically I am not going to go into the code itself on my installed packages to check for malware or other types of attacks. That’s too time consuming for my risk level, and requires more knowledge than can be expected, to be honest.

        Edit: but maybe you’re talking about when first installing a package? Come to think of it, I’m not sure it shows the PKGBUILD at that point. 🤔

        • iltg@sh.itjust.works · 1 point · 1 day ago

          the diff is noise in the potentially big update log. the point of doing it manually is forcing you to take your time and verify stuff one by one. also pkgbuild is just one place, seeing the hash changed means nothing if you don’t check what that archive contains, or seeing the install steps don’t change means very little when the installer invokes other scripts anyway

          i understand that you aren’t going to vet the source itself, but at that point you are exposing yourself to this kind of malware without mitigation. the aur is unsafe by design (fast way to publish a package without any involvement from anyone else) and should be avoided whenever possible. im not an arch hater, i too run arch

          • Bananskal@nord.pub · 1 point · 1 day ago

            > the diff is noise in the potentially big update log. the point of doing it manually is forcing you to take your time and verify stuff one by one.

            I guess it depends on your discipline. If I’m already so inclined that I’d go to the lengths of forcing myself to check each package “manually”, I’m also going to be so disciplined to check each diff when paru pauses the upgrade process for me to do so. It’s the same thing for me.

            > also pkgbuild is just one place, seeing the hash changed means nothing if you don’t check what that archive contains, or seeing the install steps don’t change means very little when the installer invokes other scripts anyway

            Yup, and as I said, that’s where I draw the line with my trust and my threat level. I don’t have a lot of important data.

            > i understand that you aren’t going to vet the source itself, but at that point you are exposing yourself to this kind of malware without mitigation. the aur is unsafe by design (fast way to publish a package without any involvement from anyone else) and should be avoided whenever possible. im not an arch hater, i too run arch

            Yup, I’m aware of the risks I’m taking. 🙂 That’s the important part to me. I really don’t have time to vet sources with two small kids and a full-time job, and hobbies and exercise every week. It’s impossible, and a sacrifice I’m willing and forced to make if I want some life balance. Quite a simple choice.