A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
Can’t load the article but I assume Arch’s rolling release way of doing updates makes this quite the disaster.
Forenote: image text unrelated, but somewhat relevant.
Me, not updating my system in many months due to a box of various issues:
~7Mbps shared internet, Arch expecting regular updates (and me not setting up the timer stuff to prevent those issues), and most recently before this my 1050Ti becoming legacy and Arch moving the legacy driver onto the AUR (I updated stuff from the AUR even less, so this is a blocker for me).
I probably need a new distro at this point, but not convinced by any. In any case an AMD GPU would also help, but also probably not happening on my terms either.
yay (-Syu)
It makes a big headline and a small impact. It’s not official arch packages that were compromised.
Eh, depends really. The AUR is not the default place to install software from, it’s all user created and comes with warnings almost anywhere you have access to it. I’ve generally used Octopi to install packages and you have to jump through some hoops to even have it show you packages from the AUR. Generally, running updates for the system, from the Arch flavors I’ve used anyway, by default doesn’t update packages installed from the AUR and you generally update them deliberately and separately. As an example, on my Garuda systems I only have 3 packages installed from AUR and they are so rarely used I forget about them a lot… I’m a bad sysadmin for myself and they don’t get updated nearly as often as the main system packages.
But, do other people use their system differently? Absolutely. They have likely ignored several warnings (or read them and accepted the risks) to get there though.