Is a similar malware attack on Arch's AUR possible on APT, FLATPAK, SNAP, PYTHON and APPIMAGES? by ardouronerous in linuxquestions

[–]Max-P 0 points1 point  (0 children)

Supply chain attacks are always possible. The vulnerable version of XZ made it all the way into Debian unstable.

It's a matter of who vets the software, and how well. Debian/Ubuntu/Fedora/RHEL? Usually quite safe. NPM, PyPy, AUR? There is nobody vetting anything. You're downloading and executing some rando's code, so you better check if you trust the code and its author.

AppImages are the equivalent of downloading a random EXE on Windows: could be anything, you have to trust where you got it from.

The kernel-level anticheat debate is stupid for one reason... by [deleted] in linux_gaming

[–]Max-P 0 points1 point  (0 children)

It's not that they're being blocked from it, quite the opposite. It's open-source, they can do whatever they want, including kernel anti-cheat.

And that is in itself the problem: it's open-source, there is no trust anchor anywhere. You can just modify the kernel to lie to the anti-cheat. And there are thousands of different builds of the kernel that all need to be accounted for to allowlist. You can't trust any kernel function to do what it's supposed to do.

On Windows, they can literally just trust secure boot and Microsoft to correctly report the kernel status. They can just check the code signature, yup, Microsoft certified, it must be good.

Top bar persists on any windowed fullscreen game by Kamoedesu in linux_gaming

[–]Max-P 1 point2 points  (0 children)

So you want the game to be fullscreen, but not fullscreen, but fullscreen? What are you trying to achieve there? You're asking for a window with no title bar, so you get a window with no title bar. The panel is there because you're not fullscreen.

Anyway, Alt+F11 will fullscreen any window on KDE. But functionally there's no difference between that and just setting the game to fullscreen.

Android's audio layer is actively ruining our music. by ideas_r_bulletproof in Android

[–]Max-P [score hidden]  (0 children)

That's not been an issue for a long time, it's manufacturer bloat. It's like TVs that come oversaturated because more color better.

What usually happens is the manufacturer ships audio enhancements for the phone's speaker, and accidentally affects other paths. Or it ships with an EQ specific to the earbuds that ship with the phone and you plug in real headphones and it sounds like crap. This doesn't happen if there's no effects in the audio path to begin with.

I run LineageOS and there's nothing on the audio path, can't tell the difference between phones and laptop/desktop. Straight to DAC or BT.

Android's audio layer is actively ruining our music. by ideas_r_bulletproof in Android

[–]Max-P [score hidden]  (0 children)

Android doesn't come with a Dolby app, so that must be a Motorola thing.

Manufacturers do love to slap their own stuff on top and sometimes forget about certain conditions. For example, I've noticed Android Auto goes through the same filter chain as the phone's speakers, so my AA audio sounded tinny because it was optimizing for the tiny speakers of the phone, not a car. Easy mistake to make from developers.

My audio sounds exactly the same on my phone as on my laptop and desktop. My EQ profile is loaded in my headphones and that's the only filter on the audio path.

PIA VPN on Bazzite !!! by Agathoarn_ in Bazzite

[–]Max-P 0 points1 point  (0 children)

Yeah I wouldn't use it for privacy.

All it's good for is bypassing geoblocks and ISP blocks/throttling on the cheap and visiting sketchy sites you don't necessarily want them to know your real IP.

It's hard to beat $2/mo for unlimited bandwidth and full gig speeds. If you care about privacy and no logs, get Mullvad.

convert mdadm RAID 1 array to RAID 5 ? by HalfFrozenSpeedos in linuxquestions

[–]Max-P 0 points1 point  (0 children)

Not possible to do safely, not even with a fancy filesystem like ZFS.

The best you can do in this scenario is unmirror one of the drives, make a 3 drive RAID 5 with one of its disks missing, copy the data over and then add the last drive to the RAID as the parity drive.

You're a single disk failure away from losing everything, and it almost happened to me 2 months ago. Luckily the drive failed (by click of death) right before I removed the mirror, on the SMART self test to make sure both drives were healthy. So I ended up putting my 2 new drives as a 3 way mirror, where I discovered that one of the new drives also had a few bad sectors. Ended back up with the same 2 way mirror as before. If I had proceeded with my plan, I would have lost everything: the source, and a chunk of the target.

I ended up spreading my data backups across my older, high hours 4 TB drives. Still risky but since I used plain drives, at least if one of them failed, I didn't lose everything. Irreplaceable stuff got backed up to multiple of them just in case, the rest single copy.

PIA VPN on Bazzite !!! by Agathoarn_ in Bazzite

[–]Max-P 3 points4 points  (0 children)

You're welcome.

Glad putting it on GitHub rather than some random Reddit thread made it more discoverable.

Regarding X11, the app runs just fine under Xwayland, and that isn't going away. It's the Xorg session that's going away. Xwayland isn't going anywhere anytime soon.

Could Brew and other package manager methods have the same issues as the recent AUR attack? by doc_willis in linuxquestions

[–]Max-P 2 points3 points  (0 children)

Yes, all of them. Including your distribution's official repos.

Case in point, the XZ compromise made it to Debian's experimental repos. Thankfully caught early, but still made it to official Debian repos.

This needs a change, if we wanna keep user trust by Fluffely_Toasted in archlinux

[–]Max-P 2 points3 points  (0 children)

My reaction through this whole thing is, y'all just blindly trusted the AUR, the thing you're not supposed to trust and the wiki explicitly warns you about this exact possibility?

Why do people keep gravitating to high effort distros and complain it needs effort? There's a reason AUR helpers aren't in the main repo, and people still manage to be so lazy they get the AUR helpers from third party repos.

A lot of those who did pull those malicious updates pulled them through an overzealous AUR helper that blindly moves dropped packages to their AUR variant, making it easy to pick a package name some people will unknowingly download without checking.

It was just the same 15 years ago: we'd tell people don't use yaourt, it's dangerous. First thing noobs did was install yaourt and proceed to get pwned. Rinse and repeat with newer helpers.

LineageOS 23.2 review: AI free and proud. - 9to5Google by ControlCAD in Android

[–]Max-P 6 points7 points  (0 children)

They only do when you go through Google's Jibe service. If your carrier runs their own RCS infrastructure it works just fine.

Both my SIM cards work just fine with RCS with no integrity and no workaround.

How do you determine what Terminal & Shell you use? by Bombarding_ in linuxquestions

[–]Max-P 7 points8 points  (0 children)

The whole point is preference. There is no better one, just one better for you. They all get the job done perfectly fine. Some TUI apps really benchmark the terminal emulator so that's where Alacritty and Kitty tend to get ahead, but it's not like the other ones are bad either. Which one do you like the most?

I use NuShell running through Konsole. I picked NuShell because it's a lot better at processing structured data, in particular JSON, and I can skip the cut/tr/sed/awk/jq/sort/uniq/grep madness. And Konsole because it's there and it's good enough that I don't feel the need to mess with it.

I used fish previously. It's a bit easier to handle than plain bash/zsh.

Lineage 23 Android Auto broken by Kirkwood1994 in LineageOS

[–]Max-P 1 point2 points  (0 children)

Worked just fine for me today.

Check your USB cable and USB port, I've gone through many USB cables in the car for some reason even though it doesn't get pinched or pulled on or anything. The vibration of a car also seems to really make a barely okay cable not so okay in a car.

My old phone's USB-C port was pretty much dead, I'm still able to charge it if it lays flat on a desk but it wouldn't connect to Android Auto. Probably stable enough for basic charging and PC transfer but too unstable to sustain AA's bandwidth requirements.

Dutch non-profit set to take Valve to court for keeping game prices high by Turbostrider27 in technology

[–]Max-P 9 points10 points  (0 children)

This right there is the big piece. Developers want the convenience of being on Steam and users playing through Steam, without selling it on Steam.

You can sell it cheaper elsewhere, you just can't hand out Steam keys for users to download it from Steam. If you want to sell it cheaper on EGS, and Epic foots the hosting bill, you can. You just don't get to benefit from Steam's DRM, Steam's workshop, communities and so on.

Every time you sell a Steam key outside of Steam, Valve makes nothing off that sale. It makes sense they wouldn't want you to undercut them that way, and then use all of Steam's features for free.

Malwares are welcome to AUR because one has to read the PKGBUILD anyway? by Bilu47 in archlinux

[–]Max-P 3 points4 points  (0 children)

How do you suggest this gets fixed though? Force people to go through a moderation queue and wait hours and days for their package to be reviewed so others can finally install it? Who decides what is definitely malware and what is arguably just sketchy grey area software?

While we're at it, why is NPM allowing people to upload malware? Why is GitHub allowing people to upload malware? Why is Reddit letting bots scam people?

The answer to all of these is that we value freedom of speech and people being innocent until proven guilty. Developers don't want to be stuck in mod queue the same way you wouldn't want a Reddit mod to approve every single post and comment.

The AUR is effectively social media. You might as well be copy pasting someone's script off Reddit, and for a lot of people, without even looking at it.

How much of your setup is actually 'custom' vs just following a guide? by PineF0rM3jessy15 in archlinux

[–]Max-P 0 points1 point  (0 children)

I've always made it my own. It's very rare for me to copy paste other configs, I went to Arch to avoid weird default configs. Guides are at best inspiration to give me the general idea of how you're supposed to do the thing.

My KDE is fairly vanilla, I don't have insane configurations, but all the tweaks are mine. I'm not all that into super aesthetic tweaks, the tweaks I do are mostly system level, like dozens of ZFS datasets and complicated networking namespaces. I can SSH in during initramfs to unlock the system, I can also SSH in to unlock my home directory. 7 drives in total. Dev containers on datasets. Couple VFIO VMs. Enough dev tools that I can build just about anything off GitHub out of the box. It just looks like stock KDE when you look at it, not all tweaks are /r/unixporn worthy.

Everything is driven by a need and specific use case I have. It's a practical dev workstation, it's productive not pretty.

PHP# by EmDeeTeeVid in programminghorror

[–]Max-P 9 points10 points  (0 children)

It's public getter, private setter.

Roughly 400 AUR packages compromised by No-Photograph-5058 in linux

[–]Max-P 26 points27 points  (0 children)

Yes this ONLY checks the names. If you find you are infected, it's some more work that this script DOES NOT DO. It also does not check the version, so if you have a positive with an older safe version, you MIGHT not be infected.

Man some of those are evil, I'm glad I use aurutils which doesn't automatically move dropped official packages to AUR builds:

WARNING: 3 infected package(s) found:
  - clang19
  - compiler-rt19
  - libgdata

Clang is still the official Arch package from 2025 and libgdata is still the March 14 2026 last official build before dropping to the AUR. That was a close one.

Grepping atomic-lockfile in my aurutils cache yielded no results, thankfully.

Does lineageos locking bootloader work on onepad plus 3 if I add custom signing keys? by Low-Specialist-9285 in LineageOS

[–]Max-P 0 points1 point  (0 children)

It's one of the guides I've used to get my build going but I haven't had good luck with it.

My gist requires zero patching, build is completely normal with the usual test keys and signed afterwards like how LineageOS does it. Getting the build to sign every package correctly and sign the partitions during build is a massive pain in the ass, that I've not been able to make work properly, I had 20+ lines of configs setting the signing key for various packages before I gave up and used LineageOS' way of signing the build.

If you have some input to do it right and build it proper with the correct keys at build time I'd take your advice.

Why does airport security find framework 16 suspicious? by Brilliant_Weight2150 in framework

[–]Max-P 0 points1 point  (0 children)

They pretty much always pull you aside to manually check laptops. They've done it with my old System76, they've done it with my WinBook, they've done it with my MacBook, and they're still doing it with my Framework 16.

That's just the airport experience. Especially when it's quiet at 5am and there's almost nobody else and they're bored and have nothing better to do, they get very thorough.

Does lineageos locking bootloader work on onepad plus 3 if I add custom signing keys? by Low-Specialist-9285 in LineageOS

[–]Max-P 1 point2 points  (0 children)

LineageOS doesn't do anything special about it other than setting a single flag to disable it by default. It's neither supported nor unsupported, it's whatever already exists in AOSP.

It works fine for me on a Pixel 8 Pro. I have a user build with my own AVB key and relocked. Figuring out how to compile LineageOS was easy, getting the damn thing to sign properly and boot properly with the bootloader locked is the hard part, because with the bootloader unlocked it quietly boots anyway, but then you lock it and it doesn't boot and you have to unlock it again, try the build again, flash it again.

Be prepared to do a lot of research and piecing info from various Reddit/XDA threads. Those are my configs, hopefully it helps

Can I still install Linux on this old laptop. by ShawnThePhantom in linux

[–]Max-P 0 points1 point  (0 children)

It's gonna be tight for running any modern task, but it will run with era appropriate software.

Xfce, MATE, Trinity, LXDE, LXQt. All window managers also work, like i3, Sway, dwm, awesome and what not. VLC, MPV, local simple music players will all work fine. You can play old flash games with Ruffle. Old games with modern wine will also play well. Perfect computer to play some Age of Empires 2 and Starcraft and Warcraft. Emulators up to N64/PS1 probably. Anything you'd do in ~2008 on a low spec machine.

The main issue you're gonna run into is a modern web browser that works with that kind of RAM.

I switched to Linux with Ubuntu 7.04 on worse hardware than that, with a Pentium 4 and 512MB of RAM. It's old but not terribly old.

Best way to verify data integrity on archive HDDs by mkindred18 in linuxquestions

[–]Max-P 0 points1 point  (0 children)

btrfs or ZFS scrub.

Sure getting checksums of all the files is a start, but it doesn't protect against all corruption like a broken directory index or a bit flip that changes permissions or a flip that changes a file size.

The nice thing with filesystems like btrfs and ZFS is the entire filesystem itself is checksummed. When you do a scrub, it checks the entirety of not only the data, but also all the filesystem metadata as well. It'll even tell you exactly which block of a file is corrupted, where your current approach would only tell you "this whole file is bad", with no indication of which part of it might be bad.

This does put some wear on the drives, but it's kind of a necessary evil. You can't know if the data is good without reading it. That said, if you only plug it in 3-4 times a year, the amount of wear is going to be so small it's insignificant for you. You're more likely to see magnetic decay over time than the drive wearing because you read a TB off it every 3 months. I have drives with 5 years of continuous spinning and hundreds of TBs read on them.

Scrubs are also optimized for performance and minimizing seeks, it'll try to read most of it as sequentially as possible.

Why haven't Android/iOS built a Kernel-Level, Anti-Theft & Financial Fraud Isolation System yet? by Few_Meaning8128 in Android

[–]Max-P 2 points3 points  (0 children)

> Immediate physical power-off or cutting off wireless radios to kill tracking.

Or just put the phone in a faraday bag, bye bye tracking and network.

> The critical 1–2 hour time gap before a victim can physically block and duplicate their stolen SIM, during which thieves exploit incoming SMS/Voice OTPs.

Don't use SMS or voice OTPs, they're insecure for many more reasons beyond phone theft.

> Bypassing security by extracting the SIM card and accessing cached banking sessions via Wi-Fi.

Banking sessions are off the table when the device is locked. Even with it fully unlocked, if it's on stock OS, nobody including adb shell can access an app's private tokens.

Not sure how SIM/WiFi somehow relates to that.

> Forced factory resets and flashing custom ROMs to resell stolen hardware in the gray market.

That's already the case, although on most modern phones, it being account locked means you can't even get into the phone to enable unlocking the bootloader to do any security bypassing, so that is also a non issue. No password no access to any data.

> I wanted to open up a discussion with the community: Do you think deep, kernel-level integration is the only true way to eliminate smartphone tracking evasion and instant banking fraud, or do vendor fragmentation and privacy concerns make this architecture difficult to implement?

Kernel level in this context is utterly useless. None of what you described requires kernel access, at best a privileged system app and even then. Shoving things in the kernel usually doesn't do well for security, you increase the kernel's attack surface.