The malicious packages were found and removed quite quickly. Also anyone who doesn’t blindly install from the AUR would have seen a suspicious .lol url. I suppose that a genuine package using a .lol url isn’t impossible, it’s just very unlikely,
These attacks do demonstrate the strength and weakness of the AUR, that anyone can upload anything at any time. The same as flathub and the snap store. Treat all of them with appropriate caution.
That sounds like a nice feature we could use for the Aur actually. We already have the votes value, but some sort of verification body could help rescue the Aur’s reputation.
The malicious packages were found and removed quite quickly. Also anyone who doesn’t blindly install from the AUR would have seen a suspicious .lol url. I suppose that a genuine package using a .lol url isn’t impossible, it’s just very unlikely,
These attacks do demonstrate the strength and weakness of the AUR, that anyone can upload anything at any time. The same as flathub and the snap store. Treat all of them with appropriate caution.
Flatpak does have a concept of Verified Publisher. Many distros ship flatpak app store with default filter set to Verified Publisher only.
That sounds like a nice feature we could use for the Aur actually. We already have the
votesvalue, but some sort of verification body could help rescue the Aur’s reputation.Also, if your distro doesn’t do this, you can do it yourself. You can modify, for instance, KDE Discover’s flathub repo to use the verified subset.