What happened to AUR

Hi everyone,
potentially silly question coming so please delete this if it is irrelevant and accept my apologies in advance.

Given what has happened to Arch Linux in the last few days, it made me wonder if something similar could happen here?

Are the ports checked/guarded to keep them free from anything dangerous or is the onus on the end user to check them or take them on trust?
 
What has happened to Arch Linux?
And this should be in the offtopic category.
AUR got compromised. A malicious actor has updated more than 1500 orphaned packages with malware. And yes, it can happen on any distro or BSD. Perhaps not at that scale, but it can happen. Supply chain attacks are very common today. Get used to it.
 
Watch this talk as it will answer your questions / concerns (audio is missing the first 40 secs or so)
View: https://www.youtube.com/watch?v=ZGmuZz5ETHs&t=19276s


While a committer is supposed to review patches/commits before pushing to the tree, there's certainly room for discussion whether that process needs to be tightened and be more carefully evaluated.
Edit: There has been no progress / discussion on this since this talk about these issues.
 
Spot on, thank you. I ask because there are various models available and I always ask the question "who is paying the bills?". If the devs providing the free software are being paid by a company making money on enterprise products, they're very unlikely to introduce malware. If they're not being paid, then what are their motives? I know there are many people who very generously devote their time to helping with open source projects, but let's be realistic, there will be just as many looking to make money by introducing malware.
 
If you carefully read the post there's a timecode (below the "thumbnail"); if you want to complain about how the forum parses links, do it to the forum admin.
At least you tried to answer my query without being snotty. It was very much appreciated 😊 The attitude of individuals like MrBSD is the reason take-up is and always has been slow. Let's keep up the positivity and ignore basement dwelling trolls like MrBSD.
 