First of all, this is incorrect, the checking would have to happen _before_ even building the package since malware is already being executed at that point.
But more importantly this is a terrible idea in regards to privacy/infosec. I do not want packages I build and install myself to be uploaded to a 3rd party website.
And for what benefit? 99% of new malware won't be detected anyway, and once it is known it is way more effective to just remove the offending package from the AUR.
To ensure reproducible / clean builds, I thought makepkg would always be run in a sandbox/chroot environment. The damage done would be localised to that sandbox.
> this is a terrible idea in regards to privacy/infosec.
Ok. Devs could setup an option to pacman -U which allows it to bypass VT for privacy sensitive people. This just puts the onus on you to not ensure you aren't installing malware. The default Arch user should still be protected while allowing for your privacy needs.
> 99% of new malware won't be detected anyway, and once it is known it is way more effective to just remove the offending package from the AUR
No, makepkg doesn’t run in a sandbox. The system tries to stop you from running it as root, but otherwise all validation of the trustworthiness of the pkgbuild and any sandboxing of the build process are left up to the user. This is part of why pacman, the 1st party package manager, does not fetch from the AUR.
Likewise, it would be generally against the Arch ethos to have the default behavior of the package manager interact with a 3rd party service. If a user wants that action, they’d need to perform it themselves.
> To ensure reproducible / clean builds, I thought makepkg would always be run in a sandbox/chroot environment. The damage done would be localised to that sandbox.
makepkg runs in a fakeroot environment, but this is not a security barrier. There is also support for building inside systemd containers, offering at least limited security, but most AUR helpers don't use that yet.
> Ok. Devs could setup an option to pacman -U which allows it to bypass VT for privacy sensitive people. This just puts the onus on you to not ensure you aren't installing malware. The default Arch user should still be protected while allowing for your privacy needs.
You mistake the target group of Arch Linux. Users are expected to read the documentation and to know what they're doing. Protecting users from themselves at the expense of those who know what they're doing is not what Arch is about.
> Its too late then. People are already affected.
That doesn't make sense, it's too late for people if new malware isn't detected by VirusTotal as well.
> Devs could setup an option to pacman -U which allows it to bypass VT
Goes against the very nature of the distro. I very rarely see assumed defaults in Arch, and they are almost always opt-in. Mind you, you need community provided helpers to automate AUR building, its that barebones and I'm sure there are people who manually build / use custom scripts to build every package.
Is this accurate? My understanding is that the AUR does not host binary packages. It hosts pkgbuild files, which contain config and scripts that a user has to build on their own machine in order to install. The malicious code here is fetched as part of those scripts.
Pacman cannot be used to download, compile, or install AUR packages. You need the PKGBUILD file and use "makepkg -si" at the very least. If you want AUR packages, you'd install a package manager (in this context referred to as AUR helper) like "yay" that supports both official and unofficial (i.e. AUR) packages. FWIW AUR helpers are not even official packages, not even "yay" which is a popular one. You need to go out of your way to install "yay" (although it is one command away before, i.e. very easy).
TL;DR: Pacman does not download, compile, or install packages from the AUR, nor does it resolve their dependencies. "makepkg -si" builds and installs a package based on the PKGBUILD file, or use an AUR helper that overcomes the limitations of "makepkg". AUR helpers make it easy to install AUR (i.e. unofficial) packages.
And even with 3rd party package managers like yay, the package manager is pulling the pkgbuild definition locally, running makepkg for you, and then installing that.
And yay warns you before anything happens and prompts you to review the PKGBUILD files and any patches for this very reason. So there are at least two "are you sure?" confirmations needed before even building anything.
This is a situation where you have to go out of your way and be naive to be affected. You simply can't protect the user from everything.
> Arch developers can code "pacman -U" such that it performs a VirusTotal scan before installation for each package.
AFAIK, VirusTotal only flags known malware/viruses, any new/"looks-to-be-new" stuff wouldn't be flagged until they've picked it up, and once someone would have picked it up, it should be removed from the AUR anyways. So you'd have at least one user (most likely more) getting infected first, and once detected more users wouldn't be able to install it regardless.
> So you'd have at least one user (most likely more) getting infected first, and once detected more users wouldn't be able to install it regardless.
This is where your and my intentions differ. I don't want the average Arch user to be infected when it can be prevented because the malware is known about.
Just create a pacman hook before install that uploads the package there and aborts installation if necessary. Probably skipping repo packages is a good idea otherwise you're gonna spam the API each update.
Which was/is the best Raspberry Pi Audio/Video Recording, OSD Motion Detect Program. It was made to run perfectly on a RPI Zero with its limited CPU and memory.
I considered getting a ReMarkable a couple of years ago. My primary needs were note taking and PDF reading for studies. The ReMarkable's low powered hardware and limited app ecosystem put me off. Also, I didn't want multiple devices i.e. a tablet and a seperate note taking device.
So, I settled on getting a Samsung Tablet with a S-Pen and using the "Flexcil Notes & PDF Reader" app. The tablet was not cheaper than ReMarkable but I had access to all the apps in the Android ecosystem. The note taking app was not free and its premium features make it cost between £4.59 - £10.49 if billed through Google Play store. The app was well worth it and you can search for reviews of it on Youtube.
If you are planning on getting a ReMarkable for studying, I'd suggest to instead consider using an iPad or Android tablet with pen support instead.
Adding to this, another great option is getting a Wacom One for your laptop. They're available for 30$ and you can use desktop note taking apps like OneNote or Xournal++ if you're more comfortable with them + you have the multitasking features of a laptop OS.
I am looking forward to trying this. Currently use KDE(Wayland) and was looking to move to Wayfire as I really don't need all the things being offered in KDE and Wayfire satisfied all my needs from a WM/Compositor.
The contents of the page when translated seems to be about jiat0218 auctioning a pair of spiritual chopsticks as a prank.
The blog entry is basically a QA between jiat0218 and various other people about these chopsticks.
If Jia Tan does turn out to be a compromised maintainer working for a state actor then some of the content on the blog page can be viewed in a more sinister way (i.e. spycraft / hacks for sale etc.).
Example question 38:
Question 38
accounta066 (3): Are these chopsticks really that good? I kind of want to buy
them! But I recently sent money for online shopping but didn’t receive anything.
It’s very risky; currently jiat0218 you don’t have any reviews, you can
interview me. Do you want to hand it over?! … A sincere buyer will keep it.
Reply to
jiat0218 (4): First of all, I would like to express my condolences to you for
your unfortunate experience! What can I say about this kind of thing...My little
sister has always been trustworthy. What’s more, this is a pair of spiritual
chopsticks, so I hope to have a good one. It’s the beginning! As you can see,
my little sister is very careful and takes her time when answering your
questions. Except for the two messages that were accidentally deleted by her,
she always answers your questions. If this still doesn’t reassure you, then I
can only say that I still have room to work hard. You are still welcome
to bid... ^_^
Note however, it could all just be what it purports to be which is a prank auction of spiritual chopsticks.
This is likely just a coincidence. 0218 looks like a birthday and jiat is probably the name + initial. 18 years is also too long of a time horizon for this.
Crazy to think that the time horizon for these kinds of attacks span decades. This absolutely does not read like a coincidence. Chopsticks, little sister, "room to work hard", all sound like codewords.
I just finished reading the comment thread for the "Snowden leak: Cavium networking hardware may contain NSA backdoor" news item and so security and privacy issues were at the forefront of my mind.
So, when I read your comment about "That is one of the many reasons why (we) use ThinkPads." I think people need to be reminded about Lenovo's (POST IBM SALE) controversies.
No, there wasn't a point. Making these accusations is the personal attack and it's a non-falsifiable claim anyway. Once you go that route you're on a complete descent into nonsense conspiracy theories.
They have to be installed via "pacman -U package_file"
Arch developers can code "pacman -U" such that it performs a VirusTotal scan before installation for each package.
VirusTotal's API is free.
- https://docs.virustotal.com/docs/api-scripts-and-client-libr... - https://docs.virustotal.com/docs/please-give-me-an-api-key - https://docs.virustotal.com/docs/consumption-quotas-handled
Since it is end users who are doing the upload and virus scan check, there won't be a consumption quota issue with VirusToal.
Lastly, "pacman -U" should flag failed VirusTotal scans to Arch Security.
Arch's pacman and Flathub's flatpak package managers should be the last line of defence when installing untrusted packages by end users.