AUR Compromised - Almost 2000 packages affected - 20260611

I personally stay away from huge PKGBUILDs and most changes are just the version number and SHA, if it’s more, it’s weird.

It’s just luck that nothing was affected this time. Until there are some automated checks on updates from the AUR, you can’t say you are safer using packages from the repo than directly from the AUR. At most it’s just misleading for some users.

Do you really check every update? How do you even know what was changed if you don’t look at the commits? How do you know which packages on your system are being built from the AUR pkgbuilds? Do you always choose the AUR source if it’s also available from the repo?

I do check every update. It’s not that often that any of those 15 packages gets updated.
However I only check the pkgbuild, as I’m checking for bad behaviour stemming from the AUR, not from the developers of the software. Not every AUR pkg builds from source, some just install an appimage and modify some variables. I avoid AUR when possible.

Idk if packages from the Cachy repo, which are pre-compiled from AUR, get any extra check on each update. That’d be interesting to know for sure. Maybe a maintainer could answer?

Well, kudos to you, but changes can be really subtle, like a few letters in the domain of the source. Unless you look at each commit since the last update or compare with the previous PKGBUILD, you have to be a robot to be sure that everything is as it should be.

Sadly I can’t really go under 30 on my AUR usage and I use packages that are updated almost weekly. I just don’t install anything from the cachy repo that supposedly is based on the AUR; at least this way I have a clearer picture of my system.

It’s not just luck. Look at the list of affected packages. Actually, look at this thread. Has anyone said that they had one of these packages installed and are looking for help with a remedy?

No. Because the entire list is full of ticky tack garbage. Most of those “packages” aren’t even real. They’re phishing attempts to try and get people to download them instead of the real thing. Right there is a mistake that the packages in the cachyos repository would be totally immune to because the maintainers of the repo aren’t negligent idiots.

That leaves the few AUR packages that had to be abandoned by their maintainers in order to be claimed and tampered with. Which is something that simply doesn’t happen with the kind of packages that CachyOS carries in its repo. It happens with junkware (which the AUR is definitely full of) and is stuff you would hope individual users would have migrated away from long before the trouble could’ve started.

On the other hand, “I don’t really understand this so I don’t trust myself to take this action” is also a good instinct to have. :wink:

I did look at the list; most of them are not even new or garbage. I checked like 10 randomly and all of them were real and a few years old. The only thing they have in common, as far as I can tell, is that they weren’t maintained well on the AUR, maybe orphaned.

For example, a few months back I did install this, which is a good program for gnome dev, but I had to use the flatpak because the AUR version didn’t work: AUR (en) - workbench

Yeah, it’s luck, because it happened to a lot of packages and was caught relatively fast, but it could have happened to any package in the cachy repo, because I don’t think they even check new maintainers. If the people who did this had targeted only a few packages they might have gotten away with it for longer.

And btw the list is still not complete; check the mailing list thread, they’re still finding packages, so who knows what will come up. Right now they’re finding packages that use bun instead of npm, so who knows how big the final list will be.

And all of this is beside my point, if there are no checks on PKGBUILD updates and changes to the way the AUR operates, this can happen anytime to any package. You guys talk about cachy maintainers as some infallible gods who don’t make mistakes. Just because they vetted a package when they added it (who knows how), it doesn’t mean that in the future it won’t be abandoned or compromised.

I really want to know if there’s any verification process for the included AUR packages. Especially for the updates.

It is, though I’d say this is as good a time as any to get some learnin’ going on so that it’s easier to trust either oneself or the ability to identify the contents of a simple script.

But if someone does admit ignorance and the inability to immediately solve it, as we must do from time to time, then declining to run a script found on some forum is completely understandable. That’s actually why I posted above about the pacman -Qm command to check your foreign packages, so if people wished they could check the list manually.

How do you check if a repo package is based on a PKGBUILD from the AUR?

I’ve already gone over this elsewhere in the thread. I apologize if my take of the matter is unsatisfactory to you. However, what I’ve said remains unchanged so I feel no need to rehash.

This doesn’t include repo packages that were built from PKGBUILDs from the AUR.

I just checked: I have zen-browser-bin installed from the cachyos repo. I’m pretty sure this package was built from the AUR PKGBUILD, and it doesn’t show up with pacman -Qm.

Good thing AUR helpers help you out by presenting a diff that should almost always be like a checksum and version bump and no more.
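The two points above (that a malicious change can be a few letters in a source domain, and that a legitimate update diff should be little more than a version and checksum bump) can be turned into a mechanical first pass. The script below is an added example, not code from the thread or from any AUR helper such as yay or traur: it diffs two PKGBUILD revisions and prints every changed line that is not a pkgver, pkgrel or checksum line, so sources, dependencies, install hooks and function bodies always surface for a human read. The three sample PKGBUILDs are constructed; the package name, the .invalid domains and the checksums are placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread or any AUR helper): flag the parts
# of a PKGBUILD update that a version bump should not touch.

# pkgbuild_review OLD NEW
# Prints each changed line (diff marker kept: "<" old, ">" new) that is not a
# pkgver/pkgrel/checksum line. Returns 0 for a routine update, 1 if anything
# else moved. Continuation lines of multi-line arrays carry no key, so they are
# flagged too; that is deliberate (conservative) behaviour.
pkgbuild_review() {
    old="$1"
    new="$2"
    flagged="$(diff "$old" "$new" \
        | grep '^[<>]' \
        | grep -v -E '^[<>] ?(pkgver=|pkgrel=|md5sums=|sha256sums=|sha512sums=|b2sums=|$)' \
        || true)"
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged" | sed 's/^/REVIEW: /'
        return 1
    fi
    return 0
}

# write_samples DIR
# Writes three constructed revisions: the current PKGBUILD, a routine bump,
# and a bump that also changes the download domain by one character and adds
# npm as a dependency (the pattern discussed in the thread).
write_samples() {
    dir="$1"
    cat > "$dir/PKGBUILD.old" <<'EOF'
pkgname=example-tool-bin
pkgver=1.4.0
pkgrel=1
depends=('glibc')
source=("https://example-tool.invalid/releases/v${pkgver}/example-tool")
sha256sums=('1111111111111111111111111111111111111111111111111111111111111111')
EOF
    cat > "$dir/PKGBUILD.routine" <<'EOF'
pkgname=example-tool-bin
pkgver=1.4.1
pkgrel=1
depends=('glibc')
source=("https://example-tool.invalid/releases/v${pkgver}/example-tool")
sha256sums=('2222222222222222222222222222222222222222222222222222222222222222')
EOF
    cat > "$dir/PKGBUILD.suspicious" <<'EOF'
pkgname=example-tool-bin
pkgver=1.4.1
pkgrel=1
depends=('glibc' 'npm')
source=("https://examp1e-tool.invalid/releases/v${pkgver}/example-tool")
sha256sums=('2222222222222222222222222222222222222222222222222222222222222222')
EOF
}

# Stand-alone demo: review both candidate updates against the current revision.
workdir="$(mktemp -d)"
write_samples "$workdir"
for rev in routine suspicious; do
    if pkgbuild_review "$workdir/PKGBUILD.old" "$workdir/PKGBUILD.$rev"; then
        echo "$rev: only version/checksum lines changed"
    else
        echo "$rev: changes need manual review"
    fi
done
rm -r "$workdir"
```

For the suspicious revision the script prints the old and new depends= and source= lines and exits non-zero, while the routine bump passes silently. On a real system the two inputs would be the previously built PKGBUILD (for example from an AUR helper's cache or the package's git history) and the freshly fetched one; the script never sources either file, so it can be run on an untrusted PKGBUILD without executing anything in it.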

I really wish I’d been wrong about traur and these sorts of vibecoded projects in general (somewhat ephemeral and hard to trust - although also at some point a simple project is done) but also at least in theory traur does check for this type of attack.

I use it and never saw a notification for a new dependency, and if that dependency is already on my system, like npm, which is harmless in itself, I won’t even know that there’s a new dependency. Traur also tells you something about the maintainer history, but I never saw a separate notification for new maintainers. I have been using traur since it came out, because it’s otherwise harmless.

I need to start using the diffmenu in yay, I just found out about it.

More and more compromised packages keep showing up. You’d think these dummies put a freeze on new uploads on AUR for now until they got their shit figured out.

This is a terrible response so far from whoever runs AUR, but considering how they’ve dealt with DDoS in the past this shouldn’t be surprising.

Of course it doesn’t. You installed it from a native repository (cachyos). pacman -Qm checks foreign sources only. That CachyOS pulled that package into its own repository would have no bearing.

If you wanted to check if a package originated in the AUR but now exists as native, then:

  1. The package would have to be in the cachyos repository, as they wouldn’t be in any of the others due to none of them being architecture specific and obviously not being Arch native packages either.
  2. Then you can see their page on the repo web list, like this one for zen-browser-bin. The link for “View Source Files” will point to the AUR package it originated from, if it did in fact come from there.

There is supposedly orphan takeover protection; if it doesn’t trip on this, what good is it?

Also I think npm wasn’t added as a dependency; afaik it was just dropped into a post-install script.

This is the first linked commit in the mailing list thread, and they have added npm as a dependency: https://aur.archlinux.org/cgit/aur.git/commit/?h=runescape-launcher&id=cf0b627a6c36be967411063e2e2629f80bb6d51f

There are so many packages, I imagine not all were compromised the same way. I don’t understand how they compromised this many. I maintain 2 packages; luckily I don’t see anything there, at least with git.

I have a general question. Still new and learning Linux. I don’t believe I’ve done anything to enable the AUR repository. Most of the time when I do a fresh install of CachyOS, the only things I need to install are Discord, and Heroic. I install these through the CachyOS Package Manager. I did install Shelly, but honestly never use it since I don’t need to install much more than what is included in the CachyOS install and the gaming packages I install using the CachyHello button.

Does someone like me need to be worried about this? I update my system with either the button in CachyHello or the CachyOS Update applet.

I ran that script mentioned in the thread and it said none of the infected packages were found.