71
Malicious AUR Checkup Script. (Not a silver bullet, but it helps) (discuss.cachyos.org)
submitted 1 day ago* (last edited 1 day ago) by ekZepp@lemmy.world to c/linux@lemmy.world
15 comments fedilink hide all child comments

All credit to Cscs https://discuss.cachyos.org/u/cscs/summary

you are viewing a single comment's thread
view the rest of the comments
[-] Prove_your_argument@piefed.social 2 points 1 day ago* (last edited 1 day ago)

Ah yes, run this random shell script hosted on the internet.

And I got downvoted for suggesting that they use an ML tool like crowdstrike to scan submissions for weird things.... and for some reason people pointed out that they caused one incident of linux crashes and one incident of windows crashes last year. What if I told you that you could run a scan like that on a VM with the storage, web hosting and everything else entirely separate from said scanning VM... but no, random shell scripts into terminal GO!

Just seeing the results of a sandbox detonation should give you some level of an idea that something is bad or not bad. This kind of tooling isn't exclusive to any one entity and the results should be part of any repo for anyone to review and flag if you really want to avoid ML as a layer of defense.

[-] LostWanderer@fedia.io 1 points 20 hours ago

Nah, nobody is recommending that you just rawdog this freaking script in a terminal, as it is only useful if you make use of the AUR! The golden rule is to evaluate every script that you see, decide if it is a good or bad, personally having read it there aren't any malicious instructions present in it. ML tools aren't particularly reliable, can be tricked, deliver false negative or false positive results, and will just dull your mind.

If one cannot read, evaluate, and come to a decision based on the information available...Arch simply isn't a good fit for the person in question. That is okay, and there are plenty of options.

Granted the AUR shouldn't be as easy to exploit as it was in this instance, it's a bit too wild west for my liking. There needs to be better protections that prevent such exploitation in the future, as there are clear exploitable weaknesses present with the AUR which need to be closed to prevent something low effort from happening again. The axiomatic truth of the AUR remains true: Do not trust, verify any PKGbuilds before installing software and before every single update.

[-] Undaunted@feddit.org 1 points 23 hours ago

Reading through the shell script and understanding what it does before you run it should be a given. You don't need to trust any closed source tool or whatever. Read it, before you execute it. If you are unable to do that, Arch is probably not the right distro for you anyway and in that case, good luck.

this post was submitted on 17 Jun 2026
71 points (96.1% liked)

Linux

17847 readers
159 users here now

Welcome to c/linux!

Welcome to our thriving Linux community! Whether you're a seasoned Linux enthusiast or just starting your journey, we're excited to have you here. Explore, learn, and collaborate with like-minded individuals who share a passion for open-source software and the endless possibilities it offers. Together, let's dive into the world of Linux and embrace the power of freedom, customization, and innovation. Enjoy your stay and feel free to join the vibrant discussions that await you!

Rules:

  1. Stay on topic: Posts and discussions should be related to Linux, open source software, and related technologies.

  2. Be respectful: Treat fellow community members with respect and courtesy.

  3. Quality over quantity: Share informative and thought-provoking content.

  4. No spam or self-promotion: Avoid excessive self-promotion or spamming.

  5. No NSFW adult content

  6. Follow general lemmy guidelines.

founded 3 years ago
MODERATORS
MigratingtoLemmy@lemmy.world