Comment

Comment on Malicious Atomic Arch NPM Campaign Thread

copygirl@lemmy.blahaj.zone ⁨1⁩ ⁨week⁩ ago

From my experience, installing (especially building) AUR packages on SteamOS is practically impossible, because of how stripped down SteamOS is.

source

Sort:hotnew top

Fubarberry@sopuli.xyz ⁨1⁩ ⁨week⁩ ago
People using the aur on steamOS probably are doing so through distrobox. Distrobox doesn’t sandbox as far as I know, so the infostealer part of the malware would still be a risk. The rootkit part I’m guessing would fail, since I think distrobox on Deck usually runs in rootless mode.

It also seems like there was a fairly short window of time before the infected packages were caught, anyone who didn’t update one of the compromised packages on that exact day should be fine.

source
thingsiplay@lemmy.ml ⁨1⁩ ⁨week⁩ ago
It is not impossible. SteamOS itself is not “stripped down”, at least that is not the reason why you cannot install packages from AUR. SteamOS has a write protection for the system files and the operating system installation. On top of it, any changes made to it will be reverted back with a system update.

One can enable write permission and install AUR packages. However with the next update the system is usually reverted back and changes like these are lost. Therefore being infected on Steam Deck is unlikely. If anyone did that and got infected during that period of time, then I wouldn’t trust the installation anymore.

source
- copygirl@lemmy.blahaj.zone ⁨1⁩ ⁨week⁩ ago
  Have you actually tried installing packages onto SteamOS (with readonly disabled)? Because system packages will be out of date with mainline Arch, which is already a bad idea on a rolling-release distro, and on top of that they are stripped from important stuff required to build other packages from source. It’s been a hot minute (> 1 year) so I forget if it was symbols or what exactly, but my point is the same: SteamOS should not be treated as an Arch system where you can expect additional (official or user) packages to work.
  
  source
  - thingsiplay@lemmy.ml ⁨1⁩ ⁨week⁩ ago
    I agree with you, nobody should disable readonly mode and tinker with system packages (and I do not mean Flatpak). However there is an alternative to this and officially supported. Valve added an exception to Nix package manager, that you can use to install packages from Nix repository and update them without pacman. And it will remain even after a system update, without disabling readonly system.
    
    source
    copygirl@lemmy.blahaj.zone ⁨1⁩ ⁨week⁩ ago
    My comment was about AUR packages tho.
    
    source
    -> View More Comments
- Tetsuo@jlai.lu ⁨1⁩ ⁨week⁩ ago
  That was my understanding but I’m not sure I agree with your conclusion though.
  
  This hack drops an infostealer that could steal passwords and other secrets, so even if the system removes the malware, the data stolen would still be an issue.
  
  So you can be infected for even a few days and get some passwords stolen that would still be problematic.
  
  But yeah the subset of Steamdeck users that activated write mode and installed an affected AUR package must be pretty small.
  
  source
  - thingsiplay@lemmy.ml ⁨1⁩ ⁨week⁩ ago
    
    That was my understanding but I’m not sure I agree with your conclusion though.
    
    My conclusion does align with yours, so I’m not sure what you mean. It is likely to be infected, because most people don’t use the AUR on the Steam Deck (because of the reverting back). And my conclusion was, if anyone is infected, then I would not trust the system anymore.
    
    source