16 comments

[ 3.4 ms ] story [ 41.5 ms ] thread
Companies like Anthropic and OpenAI need to sponsor open source projects by giving them free agent credits. Otherwise, bad actors can just outspend and totally overwhelm the somewhat dim and very overworked set of human maintainers. Humans in software are obsolete, full stop.
lol

They're already running at a significant loss. giving out more free stuff isnt going to help.

What they really need to do is charge what it actually costs them. That will slow down the abuse a little.

Is there any information on if this is the same attack vector (orphaned packages that were adopted)? I believe they already locked down adoption, but maybe also a combination of existing maintainers being taken over?
This is why I avoid AUR, it's too easy to become complacent. If I really want something from AUR I literally just look at the PKGBUILD for compilation instructions and do it manually by myself, but if it's got so many patches or dependencies that I can't go through them all by hand I just find another solution or do without.

This is also why I really dislike a lot of modern languages with automated fetching of dependencies. It really fosters a sloppy attitude toward your supply chain because it's just too damned convenient. With a reasonably sized Go project for instance, you may be pulling in code from dozens of different git repos. It only takes one compromised repo or malicious package to sink the ship.

Not even that, AUR packages are just git repos, they don't auto update unless you use an AUR helper that does. You literally can just clone it and makepkg it and then pacman also tracks the installed files and uninstalling is a breeze.
Is the nixpkgs repo more "resilient" to these kind of attacks since an attacker would need the approval of a member with merge permission ?
Assuming you're not pulling in software from outside of nixpkgs, Yes.
Why? AFAIK original source is never reviewed, only the change in nixpkgs. So if the original is compromised, the malware will make it to nixpkgs.
The scope of nixpkgs is nixpkgs. If every package's entire source code was being audited, then there is no such thing as a sustainable repository of software. There simply isn't enough people, or money for AI, to do it.
Kinda, you'd have to go through the whole review process and also get your stuff to successfully be part of (at least) an unstable build.

What really worries me is that on Nix we have a strong habit of patching packages to work around problems caused by the fact that NixOS doesn't use FHS. So, in theory, someone could submit an obscure patch to systemd and get everyone affected by it, if it through the approval process.

The solution so far has been a very rigorous process to even get a commit bit into nixpkgs: https://github.com/NixOS/nixpkgs-committers

I'm sure PRs to the systemd package will get scrutinized by an experienced packager.

Also Nixpkgs isn't really that special when it comes to patching. Making thousands of software all work coherently on a single system inevitably requires heavy amount of pop patching. Nixpkgs actually handles this better by having easier ways to make customizations.

I’m moving all my machines to NixOS. I’d done this before but ran into time constraints creating ports for convoluted binary software. With LLMs now as good as they are it’s quite possible this isn’t a problem anymore. I’ll be finding out.
I've had great results doing this, using flakes seem to make the results quite maintainable
I wouldn't be surprised if this is some kind of implicit "use AI or else" statement. I've been anticipating some kind of hit on Gentoo given their outspoken no-AI stance. Unsure of Arch's.
Since Arch is hosting / facilitating the AUR on the archlinux.org domain, i think this causes less technical users to assume some level of trust. Even when they are aware that these are 3rd party packages.

Also i find it surprising that there's only very little/slow communication from Arch via their news channel. For example, how users can check for infections.

personally im looking more into using freebsd, i was an openbsd user for years, and then i started arch, i liked it bc it was more bleeding edge, but over they years ive become less security aware bc its just too convienent, as i do more and more developing. currencly it takes almost 20 min to load thunar, and i dont know what update broke it, ya its my fault i know but i just dont have the time to vet everything, this wasnt an issue 6 mo ago. i want a more of a os thats professionals for professionals, i dont need the latest eyecandy, im fine using windowmaker. if i need to be limited imm deal with the limitations, im using cinnimon and when my wifi doesnt connect my desktop is broken and takes forever to load if i have to reboot, which is generally to thunar and frustration, i cannot use a later kernel and am stuck at a certain version bc video drivers arent compatible, i also cannot run vitrualbox bc something is wrong woth the kernel driver. does the community have any other options???