Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Packages
Points and comments are a snapshot, not live.
Article body wasn't reachable. The HN discussion summary is below.
What commenters are saying
The thread splits between accepting the AUR's inherent risks and calling for better safeguards. Top-ranked comments note that the AUR is explicitly a free-for-all that requires manual review before installing, unlike the official repositories, which are vetted. One commenter argues that the "just review everything" stance is outdated given supply-chain attacks and suggests peer review or grace periods before publishing. Critics counter that such measures would defeat the purpose of the AUR, which exists alongside the official repos; users who want stability can stick to the latter.

A lower-ranked commenter points out the practical difficulty: to reliably spot an attack such as an unrelated npm package being pulled into the build of software that does not otherwise use npm, users would need to understand Arch's build system, the upstream package, and all of its dependencies. Helpers such as `rua` show the diff on upgrades, so at least the changes are visible. The thread also reflects frustration that inexperienced users are running AUR-based distributions without the knowledge needed to verify packages.

Several commenters note that legitimate packages also use npm, which makes such additions harder to detect. One suggests LLMs could help analyze packages but notes that attackers could adapt. The dominant practical advice: use the AUR only for packages whose build scripts are simple and mostly just download tagged upstream releases, avoid helpers that skip the review step, and use the official repos for anything important.
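The review the thread is asking users to do, as an added example (it is not code from the article, from the HN thread, or from `rua` or `makepkg`): a small Python helper that takes the old and new PKGBUILD of an AUR package, diffs the parts a reviewer cares about, and flags the changes the commenters single out, namely new `source=()` entries, checksum changes without a version bump, and added build-phase lines that fetch or run code on their own (an `npm install` in `prepare()` being the case mentioned above). It also encodes the thread's rule of thumb as `is_simple_tagged_release()`: every source is an https URL pinned to `$pkgver` and no build phase downloads or executes anything by itself. The before/after PKGBUILDs, the `example.invalid` host and the `example-telemetry-helper` package name are constructed for the example and correspond to no real package.

```python
"""Review helper for AUR PKGBUILD upgrades (added example; not from the article or
the HN thread). It diffs the old and new PKGBUILD the way a reviewer would and
flags what the thread says to stop on: new source entries, checksum changes with
no version bump, and build-phase lines that fetch or run code on their own."""
import re
import shlex
from difflib import unified_diff

# Lines added to prepare()/build()/check()/package() that warrant a close look.
RISKY_PATTERNS = [
    (re.compile(r"\bnpm\s+(i|install|ci|exec)\b|\bnpx\b"), "npm fetch/exec at build time"),
    (re.compile(r"\bpip3?\s+install\b"), "pip fetch at build time"),
    (re.compile(r"\b(curl|wget)\b"), "download outside source=()"),
    (re.compile(r"\|\s*(ba)?sh\b"), "piping into a shell"),
    (re.compile(r"\bbase64\b|\beval\b"), "encoded or dynamically built command"),
    (re.compile(r"\$HOME|~/\.|/etc/|systemctl|crontab"), "touches user or system config"),
]
PHASES = ("prepare", "build", "check", "package")

def scalar(text, name):
    """Value of a `name=value` line with surrounding quotes stripped, or None."""
    m = re.search(rf"^{name}=(.+)$", text, re.M)
    return m.group(1).strip().strip("'\"") if m else None

def bash_array(text, name):
    """Entries of a bash array assignment `name=(...)`, multi-line allowed."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.M | re.S)
    return shlex.split(m.group(1), comments=True) if m else []

def phase_body(text, phase):
    """Lines inside `phase() { ... }`; assumes the closing brace is at column 0."""
    m = re.search(rf"^{phase}\(\)\s*\{{\n(.*?)^\}}", text, re.M | re.S)
    return m.group(1).splitlines() if m else []

def review(old, new):
    """Return (severity, message) findings for the change from old to new."""
    findings = []
    old_src = bash_array(old, "source")
    for entry in bash_array(new, "source"):
        if entry not in old_src:
            findings.append(("high", f"new source entry: {entry}"))
    # Same pkgver but different sums: the file behind an unchanged URL changed.
    if scalar(old, "pkgver") == scalar(new, "pkgver"):
        for sums in ("sha256sums", "b2sums", "md5sums"):
            if bash_array(old, sums) != bash_array(new, sums):
                findings.append(("high", f"{sums} changed without a pkgver bump"))
    for phase in PHASES:
        diff = unified_diff(phase_body(old, phase), phase_body(new, phase), n=0, lineterm="")
        for line in diff:
            if not line.startswith("+") or line.startswith("+++"):
                continue  # only added lines; skip the '+++' file header
            for pat, why in RISKY_PATTERNS:
                if pat.search(line):
                    findings.append(("medium", f"{phase}(): {why}: {line[1:].strip()}"))
                    break
    return findings

def is_simple_tagged_release(text):
    """The thread's rule of thumb: https sources pinned to $pkgver and no phase
    that fetches or executes anything by itself."""
    sources = bash_array(text, "source")
    if not sources:
        return False
    for entry in sources:
        url = entry.split("::", 1)[-1]  # strip the optional local-name prefix
        if not url.startswith("https://") or "pkgver" not in url:
            return False
    return not any(pat.search(line) for phase in PHASES
                   for line in phase_body(text, phase) for pat, _ in RISKY_PATTERNS)

# Constructed before/after pair for illustration; not a real AUR package.
OLD_PKGBUILD = """\
pkgname=example-tool
pkgver=1.4.2
pkgrel=1
arch=('x86_64')
source=("$pkgname-$pkgver.tar.gz::https://example.invalid/releases/v$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000001')

build() {
    cd "$pkgname-$pkgver"
    make
}

package() {
    cd "$pkgname-$pkgver"
    make DESTDIR="$pkgdir" install
}
"""
# The "upgrade": same pkgver, an extra git source, and an npm fetch in prepare().
NEW_PKGBUILD = (OLD_PKGBUILD.replace("pkgrel=1", "pkgrel=2")
    .replace('v$pkgver.tar.gz")',
             'v$pkgver.tar.gz"\n        "git+https://example.invalid/extra-assets.git")')
    .replace("0001')", "0001' 'SKIP')")
    .replace("\nbuild() {", '\nprepare() {\n    cd "$pkgname-$pkgver"\n'
             '    npm install example-telemetry-helper\n}\n\nbuild() {'))

if __name__ == "__main__":
    for severity, msg in review(OLD_PKGBUILD, NEW_PKGBUILD):
        print(f"[{severity}] {msg}")
    print("simple tagged release, before/after:",
          is_simple_tagged_release(OLD_PKGBUILD), is_simple_tagged_release(NEW_PKGBUILD))
```

In an AUR git clone the two inputs would be `git show HEAD~1:PKGBUILD` and the working-tree `PKGBUILD`, which is the same diff `rua` puts in front of you; the script only decides what to look at first, not whether to install. The patterns are heuristics and will miss a payload that lives inside the upstream tarball or is obfuscated past a regex, which is exactly why the thread's advice is to keep to PKGBUILDs simple enough that a human can read the whole thing.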