🍉Arch users: How are you mitigating the AUR malware attack?
@avesbury_rosetta I just read through the build scripts like you're supposed to and also mostly just don't use the AUR
@avesbury_rosetta like for years the Arch wiki has been perfectly clear that the trust model of the AUR is "someone could just upload a malicious package, you absolutely have to read through it first before you build and install it"
@stellarskylark @avesbury_rosetta yeah but most people don't know how to read bash scripts, and sometimes a piece of software just isn't packaged literally anywhere else, like on Linux in general :(
@hazelnot @avesbury_rosetta pkgbuild scripts aren't usually that complicated, it's usually "fetch the source, run make, and install these files" and so it's relatively easy to see if it's doing something suspicious like fetching the wrong source or installing unusual files
like yeah I get it, it's not as user-friendly as other stuff, building packages is complicated. but it's not like this wasn't explicitly a possibility Arch users were warned to watch out for
@stellarskylark @avesbury_rosetta yeah but until now it was theoretical, if I'd known it would get this bad I would've never even touched the AUR
But then that means using shit like AppImages which, ew, fashy bullshit
@hazelnot @avesbury_rosetta of course there are other models of user repositories that might have been able to prevent this to some degree but there are tradeoffs to the additional maintenance that requires and the amount of work it demands from people who are essentially volunteers
@stellarskylark @avesbury_rosetta mnyeah this kinda thing makes me feel like maybe FOSS is just a dead end. Because under capitalism it's always going to just be a tiny minority of nerds who care enough about the ethics of this shit while everyone else is gonna stick to Windows and have their data harvested until fascism fully takes over and then it's basically just over, in general 🤷♀️
@hazelnot @avesbury_rosetta ...I really don't think that's the conclusion to draw from this tbh
like look somebody's responsible for the security of your system, either it's you or it's somebody you trust. Arch was very clear that with the AUR it's you.
Having it be somebody else isn't impossible (GURU on Gentoo has layers of trusted write access that helps prevent this kind of thing, and plenty of NixOS packages are maintained or contributed by people who don't actually have write access to nixpkgs), it just has tradeoffs. Like nixpkgs can take forever to merge updates because everything has to be verified by one of the trusted few.
The problem is that people were trying to have both by treating the AUR like nixpkgs when it was very explicitly was not that, because it was more convenient that way, and not taking the security implications of that decision seriously. The fact that happened doesn't mean FOSS is doomed or anything that's kind of a leap
@stellarskylark @avesbury_rosetta oh I was talking about the "the amount of work it demands from people who are essentially volunteers" stuff. Everyone is so tired and overworked and burnt out that I'm not really sure this is sustainable while capitalism still exists
@hazelnot @avesbury_rosetta no I know that was my point, there are distros out there doing exactly that, right now. The tradeoff is just that it takes longer to get packages added. Like...there are people who are willing to do that work! But you do have to be aware that's a cost