infosec-handbook.eu is a user on mastodon.at.

@rysiek @infosechandbook
Devs>it's untrusted!! use at your own risk!!
User>what could possibly go wrong...
*User pwned*

@Wolf480pl @infosechandbook @rysiek Frankly I don't think the devs get off by giving such a warning. People use Arch *for* AUR and everybody knows that. If everyone really did the due diligence they were expected to with AUR packages, Arch would have so few users nobody would take it seriously as a distro.

@freakazoid @rysiek @infosechandbook @Wolf480pl You can say the same thing about any distribution allowing users to install third party software. Or Windows. Or OS.

@brtln @Wolf480pl @infosechandbook @rysiek No, you can't. To say the same thing about them, they'd have to be making all that third party software available from their own web site. Or, in the case of easy-to-use AUR frontends like yaourt, through their own app store.

@freakazoid @rysiek @infosechandbook @Wolf480pl No AUR helper is accessible via official repositories, as opposed to dnf allowing users to enable any COPR repository or Ubuntu with their PPAs.

@brtln @Wolf480pl @infosechandbook @rysiek Yet you know a large fraction of users use them.

As I said, if you somehow managed to enforce the level of due diligence that you deceive yourself into thinking users will apply to AUR, you would not have enough users to be a viable distro.

@rysiek @infosechandbook @Wolf480pl @brtln You *cannot* provide something like AUR and disclaim any warranty for the software that goes into it.

@freakazoid @rysiek @infosechandbook @Wolf480pl You *cannot* provide something like COPR/OBS/PPA and disclaim any warranty for the software that goes into it. As I said, you can say the same thing about any Linux distribution that is not completely locked down.

@brtln @Wolf480pl @infosechandbook @rysiek I don't know about COPR or OBS, but with PPAs and any equivalent Debian-like thing, the distro provides decent tools, and you add (and therefore trust) one repo/publisher at a time. This is not true of AUR, where the level of inconvenience for providing each package means most users just use something like yaourt, which doesn't distinguish among publishers.

They are not the same and I'm really disappointed that you think they are.

@rysiek @infosechandbook @Wolf480pl @brtln In fact, you're pretty damn close to convincing me that I should be using a Debian-based distro instead of Arch.

@freakazoid @Wolf480pl @infosechandbook @rysiek In fact, feel free to boost the so-called news and switch distro. It's not like you and me are held hostage.

@brtln @rysiek @infosechandbook @Wolf480pl The real news is that Arch's developers neither understand infosec nor take it seriously.

@freakazoid @Wolf480pl @infosechandbook @rysiek Water is wet: someone on the Internet generalizes about a group of different people.

@freakazoid @Wolf480pl @infosechandbook @rysiek Of course I've been blocked now; how dare I have a different opinion…

@freakazoid @rysiek @infosechandbook @Wolf480pl I'm more disappointed that you fail to see how it is the exact same thing, except in Arch you actually have a way to inspect what is going to be built. Whatever you find decent about PPA, it is a service allowing anyone to build arbitrary code and distribute it, and Ubuntu provides an easy way (so much easier than in Arch) to install it. You are naive if you think that a regular user sees a difference between publishers even if the warning is bold and red.

Welp, folks, here you have it. This is how Arch devs react to news of malware in their own repo.

@freakazoid @rysiek @infosechandbook
On the laptop I'm currently typing on, I have literally one package from AUR.

If people use Arch only because of AUR, then they're misguided, and IMO would be better off with a different distro.

@Wolf480pl @infosechandbook @rysiek Arch is recommended specifically because of AUR constantly.

I can't disagree that people using Arch are misguided, though. I certainly was and will be switching.

@rysiek @infosechandbook @Wolf480pl There are like three different Docker images on Dockerhub that are Arch+Yaourt. The Arch devs are delusional if they think users are really doing the due diligence they think they should or are mostly sticking with regular packages.

@Wolf480pl @infosechandbook @rysiek Or, to put it another way, Arch Linux is a trap for the unwary. (To a larger extent than Linux is in general).

@freakazoid @rysiek @infosechandbook
It says on the box:
"A distro for those who know what they are doing."

It's not the devs' fault that some users recommend it to their friends in the wrong way, or to friends who shouldn't be using Arch.

Look, if I bought a cheap WinCE-based car navigation, and sold it to you saying it's an iPad, would you be mad at me, or at the manufacturer?

@Wolf480pl @infosechandbook @rysiek That's typical "blame the user" mentality. It *is* their fault, because they know damn well people use it that way and have done nothing to provide better tools or to discourage people more strongly from using it that way.

@rysiek @infosechandbook @Wolf480pl Also, "If you get burned by this then you don't know what you're doing" is condescending and insulting.

But it's my own damn fault for not realizing from the beginning that "Arch is meant to be convenient for developers" meant *only* Arch developers, not any other developers.

@freakazoid @infosechandbook @rysiek
Rule number one of open-source software:

>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY

IOW:
>I use it. It works for me. If it works for you, cool. If it doesn't, well sucks to be you.

@Wolf480pl @rysiek @infosechandbook This is a really terrible attitude. Open source developers cannot escape all responsibility for their software, even if "responsibility" just comes in the form of reputation. Depending on whether other Arch devs react the same way, this could be a big black eye for the whole project.

@freakazoid @infosechandbook @rysiek
It's their right to destroy that reputation, especially if they never wanted it, or if it paints a false image of them...

@freakazoid @infosechandbook @rysiek
Suppose that, because of a misunderstanding, everyone thinks I'm a good singer, and they want me to sing for them.
Just because they think I'm a good singer doesn't mean I'm now obliged to sing well. I don't sing well, and I never wanted to.

@Wolf480pl @rysiek @infosechandbook I never claimed they didn't have this right. It's just disappointing. As much because it's made me realize that I've been lazy and sloppy to be relying on AUR to make up for Arch's lack of packages all this time. I would have dropped it soon after adopting it since unlike you I generally have 10-20 AUR packages installed at any given time. I'd much rather trust a couple PPAs.

@infosechandbook @rysiek @Wolf480pl But frankly if they didn't want the reputation in the first place they should have been much more firm about not using AUR tools, saying something like "If you can't use AUR without using yaourt or another convenience wrapper, you shouldn't be using Arch at all."

Maybe they have and I haven't seen it, but I have spent a lot of time in their (excellent) docs even for non-Arch problems.

@Wolf480pl @rysiek @infosechandbook As an aside, "Distro for people who know what they're doing" is super condescending and insulting.

@infosechandbook @rysiek @Wolf480pl If anything, it probably encourages people who don't know what they need to know to safely use Arch to use it just to prove they're l33t.

@freakazoid @infosechandbook @rysiek
Sorry, didn't think about it that way.
Maybe I should've said "distro that lets you shoot yourself in the foot" ?

@Wolf480pl @rysiek @infosechandbook I wasn't sure if you were quoting directly from the site or paraphrasing; if you were just paraphrasing then it's not important. Distro that lets you shoot yourself in the foot does sound a lot better, though.

@freakazoid @infosechandbook @rysiek
I was paraphrasing, or rather expressing my understanding of what I read 6 years ago.

@infosechandbook @rysiek @Wolf480pl Apologies for my aggro-ness about this. It's a combination of disappointment about what's been my favorite distro for a while (largely due to failure to think deeply enough about AUR) and a high caffeine-to-calorie ratio.

@freakazoid @infosechandbook @rysiek
Oh, if that's the case, I'm sorry that this happened to you.
Make sure to warn your friends so that they don't make the same mistake.

Maybe there should be a bigger warning in the wiki.

Anyway, I hope you'll be happy with Debian or whatever other distro you pick.

@freakazoid @rysiek @infosechandbook They're doing it for free. They're making a distro that is good for themselves. They're not obliged to share it with anyone else. Yet they do share. For free.

IMO one of the biggest advantages of Arch is that it assumes the user is always right. It obeys the user.
If you put big fat warnings and require --i-really-want-to-install-stuff-from-aur --i-know-aur-helpers-are-bad options, then it'll lose all its value. It'd become another Windows.

@Wolf480pl @infosechandbook @rysiek @freakazoid

I think I have one package from AUR, and that's because I created it. In general people running Arch know what they're doing. They are "advanced users". That usually means they understand that people can upload random stuff to AUR. It's a UR after all.

@bob @infosechandbook @rysiek @freakazoid

>In general people running Arch [...] are "advanced users".

That's the theory. I'm afraid the reality is different.

@bob @freakazoid @rysiek @infosechandbook I guess it is, considering I've stopped recommending it and switched to more elite distros.

@bob @freakazoid @rysiek @infosechandbook
Dunno, but I have circumstantial evidence that at least some of its users are not at the level of expertise that Arch was meant for. Or maybe it's not about expertise, but about attitude? About willingness to understand what's going on under the hood, and keep it simple and under control.

@Wolf480pl @infosechandbook @rysiek @bob Understanding that people CAN upload random stuff to AUR and doing the things you really should be doing about it are two different things, even for "advanced" users.

@freakazoid @bob @rysiek @infosechandbook
If you understand, you will know it's your fault and won't blame the others. If you blame the others, it means you didn't understand well enough.

@Wolf480pl @infosechandbook @rysiek @bob I thought you were parodying an extreme/tautological position at first. But I fear you're serious :(

@bob @rysiek @infosechandbook @Wolf480pl Frankly I think this makes Arch as much YOLO bullshit as NPM.

@freakazoid @infosechandbook @rysiek @bob
Isn't NPM based on using stuff _without_ understanding what it does?

@Wolf480pl @infosechandbook @rysiek @bob I take that back; it makes Arch WORSE than NPM, since NPM at least gives you tools to find dependencies with known vulnerabilities.

@bob @rysiek @infosechandbook @Wolf480pl At least the NPM folks understand and accept how their trash heap is used; Arch devs apparently refuse to understand or accept it.

@Wolf480pl @bob @rysiek @infosechandbook They should move the AUR out of the archlinux.org domain then.

@Wolf480pl @bob @rysiek @infosechandbook But as I said in my very first post on the topic, I think Arch's userbase would be much smaller without it.