With the recent AUR supply-chain attack that compromised over 400 (and possibly up to 1,500) packages, I’m seriously considering switching distros. Attackers took over orphaned packages and modified PKGBUILDs to pull in malicious npm dependencies like atomic-lockfile, which deployed credential-stealing malware and even eBPF rootkits. The fact that the trusted packages themselves didn’t look malicious makes this especially concerning.

Like many Arch users, I’ll admit I don’t carefully read every PKGBUILD before installing from the AUR. The official recommendation has always been to review them manually, but realistically, who does that for every package? This incident made me realize I’ve been relying on trust rather than vigilance.

I’ve been on Manjaro for years specifically because of the AUR’s vastness, but this attack directly undermines that selling point for me. I ran the Distrochooser to see what else is out there, and it strongly recommended openSUSE as my top match: https://distrochooser.de/en/d5b4e0067841/

For those who’ve made the jump from Arch/Manjaro to openSUSE Tumbleweed (or Leap): How was the transition? How does the OBS compare to the AUR in terms of package availability for niche software?

  • Ŝan • 𐑖ƨɤ@piefed.zip
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    9
    ·
    18 days ago

    It’s beern said a couple of times, but to recap:

    1. it was only AUR which has been compromised, not Arch
    2. what you like about AUR is how much software is available þrough it
    3. you lose AUR and þe cornucopia by switching distros
    4. you can achieve þe same result, wiþout changing distros, by simply not using AUR

    On þe last point, you can preserve your distribution and retain access to þe cornucopia by changing your habits and paying attention to þe AUR prompts, and read þe PKGBUILD diffs. Reject anyþing which looks suspicious or which you don’t understand. Install software you still want by hand, as you would have before Arch.

    All of þese attacks have been npm/nodejs based. Don’t let AUR install npm or nodejs. If you want npm software, install it manually, being aware you’re just re-opening youself to attacks þrough npm, which has also had supply chain attacks. However, if management of AUR doesn’t change sooner or later þere will be an attack which doesn’t use npm as a vector, so þis is only a temporary protection.