Arch says it’s scrubbed all known malicious commits, but the 1,500‑plus affected AUR packages are a fresh reminder to “trust but verify.”
Yesterday we told you about Arch Linux’s AUR repository being infested with hundreds of malware-infected packages. At the time, more than 400 packages had already been removed (along with the committers’ accounts) after being found to contain malware. Arch users were being advised not to download and install packages from AUR until the situation was resolved.
Later in the day, Arch Linux packager Jonathan Grotelüschen posted a notice to Arch’s mailing list that effectively said it’s safe to go back in the water.
“I believe that at the moment we deleted all the malicious commits we know of,” he said. “Thanks to everyone for reporting packages. A list containing many (but not all) of the affected packages can be found here: https://md.archlinux.org/s/SxbqukK6IA.”
In all, more than 1,500 packages were affected.
AUR, or Arch User Repository, is a repository that should always be used with caution, since every package it contains is committed by Arch users without vetting by the distribution. The watchword for dealing with the repository has always been, “trust but verify.”
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux