Arch’s AUR—one of the distro’s biggest selling points—has been through quite a rough patch lately. First came several back-to-back attempts to slip malicious software into the repository, which understandably set off alarm bells in the community.
And now, over the past few days, many users say they’ve been running into problems accessing the service almost daily.
A quick check here confirms it — since August 12, the AUR has been having daily access issues, and today, August 16, seems to be the worst so far. Right now, as I’m writing this, trying to access the AUR just ends up timing out.
A quick look through a few different sources sheds some light on what’s going on. In a Reddit post, one of Arch’s package maintainers explained:
Yes, we are suffering from some services outages (including the AUR) due to a DDOS attack. This is being investigated & worked on.
Another message on the Arch mailing list backs up what’s already been said:
Arch sites are currently experiencing a DoS. Work is underway to make them available again. AUR should be mostly fine now — in particular access over IPv6 is reported to be in perfect shape. Access to other services may be spotty.
It’s obvious this is a targeted attack on the AUR. Whether it’s a DoS (Denial of Service—coming from a single source) or a DDoS (Distributed Denial of Service—coming from multiple sources) isn’t exactly clear, but that’s not really the main point. Uptima’s stats show that over the past two days, not only the AUR but the distribution’s main website itself has also been hit.
So far, the distribution hasn’t released an official statement about the incident. However, from the messages, it’s clear that Arch maintainers are working hard to sort out the details of these attacks and reduce their impact, keeping the service available for users.
In closing, I have to say—naive as it might sound—that from an ethical standpoint, attacks like this on open-source projects are downright despicable. I’m confident the Arch team will handle this unpleasant situation quickly and will do everything they can to minimize the impact of such actions in the future (as far as possible, of course).
Issues are still going at the time of writing this, this is a massive scale attack not easily attainable by amateurs, I’m sure there is a very bad actor at play (M.$..T)
a botnet attack from compromised devices? I do not use arch and doubt I would ever feel safe using it if I used aur for software since I see no reason nowadays for not using official sources for software.
I don’t think there’s enough devices compromised to do an attack of this scale. Malicious packages were spotted quickly, and I’m sure they were reviewing all of them after this.
This is a job of a bad actor, since Dave2D’s video, attacks against Linux increased a lot, clearly, someone or some corp didn’t like what he shown.
There are plenty useful packages in the aur that you wont find in any distro, at least not the newest version (hyprland, AGS, waybar for example)
I suppose (hasn’t used Arch too much, yet) it is used as an official source as well, for example:
https://librewolf.net/installation/arch/
So probably use of official references within should be fine, just searching in “public” repository for something can be not the best idea, or should be done very cautiously…
makes sense but I would probably still just grab it from flathub since that is one of there offical sources since I would probably just avoid aur but that is just my personal opinion.
Interestingly the same LibreWolf says about that:
— BEGIN —
Flatpak apps run sandboxed from the system via bubblewrap, which adds a layer of protection. But this prevents the browser from using its usual sandbox for process isolation.
Processes are still isolated through nested seccomp filters.
Flatpak supports process isolation via flatpak-spawn, which zypak and the unofficial Chromium Flatpak use. This would cause a big increase in memory use in Firefox/Librewolf though, so it is not a viable solution.
— END —
I for some time also used Ungoogled Chromium as a flatpack and it was very unusual experience so personally still prefer normal apps in general, if there is no direct intention to sandbox something (I don’t remember if it used more memory than just not sand boxed Chromium, I remember that both used more than enough)
I hear you and do not disagree with anything you are saying. I have never really has issues with anything using to much memory on my mini pc which currently has 16gb of ram and i have never really noticed any slowdowns either I have 1tb nvme with a cheap intel n100 and I dunno why it runs so good I’m guessing my nvme is fast enough to not create a bottleneck. I run everything as flatpak or snap without issues on it. I do have a older laptop i never use that would probably like non flatpak options better since it seems slower then my mini and larger desktop but i’m guessing getting rid of its mechanical hard drive could speed it up but I doubt I ever spend the money on it. My mini currently has ubuntu and my browsers are currently brave and firefox both are snaps I have used librewolf flatpak in past but do not have it loaded currently. I’ve tried arch and other distros over the years. I currently have fedora on my larger desktop pc. I doubt I change anything on the cheap mini which I use on a large flatscreen. I even have the mini running the plex server snap and a mix of other things installed as flatpaks and snaps. The mini always seems fast with what I use it for the cpu never seems like it struggles. My mini is a fanless n100 that I added a usb fan that just sits on top and is basically the same dimensions. The mini I have had for over a year now running basically 24/7 without issues so far and I did use it without a fan for a while. I may get another for another tv and they have newer n cpu options available now.