With the recent AUR supply-chain attack that compromised over 400 (and possibly up to 1,500) packages, I’m seriously considering switching distros. Attackers took over orphaned packages and modified PKGBUILDs to pull in malicious npm dependencies like atomic-lockfile, which deployed credential-stealing malware and even eBPF rootkits. The fact that the trusted packages themselves didn’t look malicious makes this especially concerning.

Like many Arch users, I’ll admit I don’t carefully read every PKGBUILD before installing from the AUR. The official recommendation has always been to review them manually, but realistically, who does that for every package? This incident made me realize I’ve been relying on trust rather than vigilance.

I’ve been on Manjaro for years specifically because of the AUR’s vastness, but this attack directly undermines that selling point for me. I ran the Distrochooser to see what else is out there, and it strongly recommended openSUSE as my top match: https://distrochooser.de/en/d5b4e0067841/

For those who’ve made the jump from Arch/Manjaro to openSUSE Tumbleweed (or Leap): How was the transition? How does the OBS compare to the AUR in terms of package availability for niche software?

  • fozid@feddit.uk · 6 up, 1 down · 7 hours ago

    You can mitigate the AUR issue and retain everything else offered by not using the AUR. You will have the most Arch-like system compared to all other distros, without the risk of the AUR. Those packages in the AUR are mostly not included in other distros, so you won’t lose anything.

    Personally, I left Arch nearly a year ago due to it being too popular, making it a target for malicious activity; it only offered bloated and overweight systemd, and after running Arch for nearly 20 years, I just got bored and wanted something new, so I moved to Void Linux. Very happy with my choice. Boot time is 3 seconds, shutdown is 5 seconds. runit is a nice light and simple init system. It’s rolling release but not bleeding edge, so updates never break anything.

  • gnunikky@lemmy.blahaj.zone · 33 up · 13 hours ago

    I don’t think jumping distro will solve your problem; any distro where you will, without thinking, install unofficial repo packages will have the same problem as the AUR. Switching to random people’s scripts in OBS, COPR and so on isn’t a solution imho.

    • D_Air1@lemmy.ml · 15 up · 13 hours ago

      Agreed, I feel like people are lacking a bit of self reflection in regards to this issue. The reason why people use the AUR is because it gives access to software outside of the official repos. No distro packages every piece of software out there. Therefore there is always a need for third party repos and that is why every distro has its own AUR equivalent. Thus leading to the same problem. Blindly installing software will never be a safe thing to do.

      • gabmus@retrolemmy.com · 8 up · edited · 13 hours ago

        also, if anything installing stuff from the AUR makes things slightly safer because PKGBUILDs and .install files are a lot easier to inspect: you can check the source repo/tarball/whatever points to an official source, and you can verify that the scripts (which are just shell scripts) are not doing anything nefarious.

        on the other hand, IIRC OBS and COPR just distribute binaries that are very hard to inspect

        EDIT: just don’t use an AUR helper and you avoid most of the trouble

  • FoundFootFootage78@lemmy.ml · 3 up · 8 hours ago

    I tried openSUSE; none of the software I wanted to install worked. It’s just too unpopular.

    Fedora with RPM Fusion is probably a better bet.

  • Twongo [she/her]@lemmy.ml · 8 up · 11 hours ago

    i’m sorry but the ‘compromised aur package’ controversy may be bad BUT the compromised packages were malware anyway. you just need to check what you install on your system. these malware packages are stuff like “adnauseam-firefox-git” (why on earth would you download a firefox plugin via the aur) or had names like “python-cool-32-git”

    the biggest security issue was the users themselves who didn’t check the packages

  • dreamy@quokk.au · 18 up, 1 down · 13 hours ago

    You should switch off from Manjaro because of their track record, not because of the AUR attack.

    The official recommendation has always been to review them manually, but realistically, who does that for every package?

    How many AUR packages do you install? It doesn’t take that long to review a PKGBUILD once, and then review only the changes every update.

  • MyNameIsRichard@lemmy.ml · 11 up · 12 hours ago

    Tumbleweed is an excellent distro, but if you randomly install from people’s home repositories, you could be in the same position as with the AUR.

  • KianaTabion@lemmy.today · 2 up · edited · 8 hours ago

    https://distrochooser.de/en/d5b4e0067841/

    Your results suggest that Fedora is an equally viable alternative.

    Regardless, ask yourself the following question: Do you need the vastness that a repository like the AUR provides?

    • Like, are you sure that the repositories of Fedora and openSUSE Tumbleweed don’t contain the packages that you need?
    • Or…, is it more about liberation? Whatever the future might throw at you, you’re confident that the AUR will provide for you. But…, that raises another question: are you even exotic in your software needs to begin with?

    The above (sub)question(s) will (hopefully) help you to make an informed decision. Furthermore, please feel free to discuss them openly in hopes that others might chime in.

    Anyhow, I foresee either one of the following:

    • You actually acknowledge (or come to the revelation) that the repositories of Fedora and/or openSUSE (without going into user repositories[1]) are sufficient for you. Thus, becoming a viable destination.
    • The previous option does not happen, simply because your software needs are not contained within their respective repositories. In that case, I’d seriously consider adopting nix (as a package manager on whatever distro you go for) or perhaps even NixOS if you want to go all-in. The excellent nixpkgs repository is the only one that puts the AUR to shame. And, more importantly within our current discussion, it’s not a user repository, but instead the official one. And thus it comes with all the security bells and whistles you’d expect.

    1. To be clear, the user repositories of Fedora and openSUSE don’t fare much better than the AUR. The only solace might be that Arch’s own repository is relatively small compared to theirs and thus there’s less need to search for user repositories. Hence, making it easier to manage what’s installed from user repositories.

  • AcornTickler@sh.itjust.works · 4 up · 12 hours ago

    That’s not what a supply chain attack is. No part of Arch Linux or derivatives depend on AUR and you don’t have to use it.

    The attack simply highlights oversights in adoption of orphaned packages and those need to be addressed for sure.

    I have always tried to keep my AUR packages to a minimum (a few packages at most), and always read their PKGBUILDs and updates to them. Today, I don’t use any AUR package as all the ones I need are now packaged in official repos.

  • anon5621@lemmy.ml · 2 up · 12 hours ago

    This is not a smart way. Honestly, Arch repos have the biggest quantity of software compared to most popular distros; the problem here is in the AUR itself. Just don’t use the AUR? Or you have to validate each PKGBUILD with each script going on there.

  • dieTasse@feddit.org · 3 up, 1 down · 13 hours ago

    Go Fedora, you won’t regret it. It’s currently the most solid distro out there.

  • Arcanoloth@lemmy.ml · 2 up · 13 hours ago

    I personally go with QubesOS which uses VMs to compartmentalize. It doesn’t reduce the risk of a supply chain attack itself (fedora & debian by default), but if your VMs only contain the bare minimum for a given task the risk of having a compromised package installed is lower than in a full-featured system and any compromise is also contained to that VM.

  • Ŝan • 𐑖ƨɤ@piefed.zip · 6 up, 6 down · 11 hours ago

    It’s been said a couple of times, but to recap:

    1. it was only AUR which has been compromised, not Arch
    2. what you like about AUR is how much software is available þrough it
    3. you lose AUR and þe cornucopia by switching distros
    4. you can achieve þe same result, wiþout changing distros, by simply not using AUR

    On þe last point, you can preserve your distribution and retain access to þe cornucopia by changing your habits: paying attention to þe AUR prompts, and reading þe PKGBUILD diffs. Reject anyþing which looks suspicious or which you don’t understand. Install software you still want by hand, as you would have before Arch.

    All of þese attacks have been npm/nodejs based. Don’t let AUR install npm or nodejs. If you want npm software, install it manually, being aware you’re just re-opening yourself to attacks þrough npm, which has also had supply chain attacks. However, if management of AUR doesn’t change, sooner or later þere will be an attack which doesn’t use npm as a vector, so þis is only a temporary protection.
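The review habit that dreamy, gabmus and Ŝan describe (read a PKGBUILD once, then only its changes, and look hard at anything new that pulls in npm or runs fetched code) as an added example; this is my own hypothetical POSIX sh helper, not an Arch or AUR tool, and the function names, file names and sample PKGBUILDs are constructed for illustration:

```shell
#!/bin/sh
# Added example, not from the thread: keep the PKGBUILD you last read and
# review only what changed, flagging additions that fetch or run code.
# All function and file names here are my own (hypothetical helper).

# pkgbuild_diff OLD NEW -> changed lines only (empty when identical)
pkgbuild_diff() {
    diff -u "$1" "$2" | grep -E '^[-+]' | grep -vE '^(---|\+\+\+)' || true
}

# flag_additions OLD NEW -> added lines that introduce a new fetch/exec step:
# npm/node pulled in at build time, pipe-to-shell, decoded blobs, eval, or a
# changed source= line (check that the new host is really the upstream).
flag_additions() {
    pkgbuild_diff "$1" "$2" | grep '^+' | grep -E \
        'npm (i|install|ci)|depends=.*npm|node(js)? |curl[^|]*\|[[:space:]]*(ba)?sh|base64 -d|eval |^\+source=' || true
}

# review_status OLD NEW -> unchanged | review | flagged
review_status() {
    if [ -z "$(pkgbuild_diff "$1" "$2")" ]; then
        echo unchanged
    elif [ -n "$(flag_additions "$1" "$2")" ]; then
        echo flagged
    else
        echo review
    fi
}

# Constructed sample: a reviewed PKGBUILD and a new revision that adds an
# npm fetch inside build(), the pattern the thread describes.
TMP=$(mktemp -d)
cat > "$TMP/PKGBUILD.reviewed" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
source=("https://example.org/example-tool-$pkgver.tar.gz")
build() { cd "$pkgname-$pkgver"; make; }
EOF
cat > "$TMP/PKGBUILD.new" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
pkgrel=2
makedepends=(npm)
source=("https://example.org/example-tool-$pkgver.tar.gz")
build() { cd "$pkgname-$pkgver"; npm install some-helper; make; }
EOF

SAMPLE_STATUS=$(review_status "$TMP/PKGBUILD.reviewed" "$TMP/PKGBUILD.new")
echo "review status: $SAMPLE_STATUS"   # flagged
flag_additions "$TMP/PKGBUILD.reviewed" "$TMP/PKGBUILD.new"
```

A plain pkgrel bump with no new fetch or exec lines comes back as "review" rather than "flagged", so the status only tells you where to look; the printed diff is still what you read before building.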