
I recall the AUR always being touted very highly as some great advantage for Arch as a linux distro, unfortunately this convenience has also come with a price.

It's crazy that all it takes to become a maintainer of a package is to flag it as orphaned, wait 2 weeks for the original maintainer to fail to respond because they're on a holiday, and BAM! - the attacker gets assigned as a maintainer and can now ship spicy updates.


That is a terrible way to run a package repo in this day and age.

Maintainers need to have some level of vetting, and should own a repo or three for a while to establish a track record, before they get to blast out contributions to 100 of them without any review.


AUR isn't a package repo. It's a collection of user-contributed PKGBUILD scripts, to make building packages from upstream source distributions more convenient. It's not meant to be treated like an official repo of binary packages.

That's a semantic detail based on the choice of build from source over binary distribution.

This is also a terrible way to run a package build system in this day and age as well, if you like. I feel exactly the same way about it, and when I wrote that I understood what it was, so I didn't need that helpful correction (I first used the FreeBSD ports system sometime around the turn of the millennium).


> That's a semantic detail based on the choice of build from source over binary distribution.

It's not. AUR is more like GitHub: anyone can upload content there, unlike a proper repository where things are reviewed, verified and cared for.

You're complaining about "curl https://random-website.com | bash" being "a semantic detail" while it's a major difference in how much trust you can put into it. If you don't trust random-website.com, you shouldn't trust AUR packages. But it's very different from BSD Ports or Arch's official repositories.


GitHub doesn't allow me to put up my old repos for adoption by any old rando, or to allow randos to request to take over my repos if I don't respond for 2 weeks.

GitHub also actually protects against repojacking and tombstones username/reponame combinations (that exceed a certain minimum popularity) and never lets anyone ever use them again.

The utility of AUR is also really based around being able to reuse the same repo without having to re-vet every single time. This kind of attack, that forces you to re-vet on every single upgrade so that trust inherently can't be established, is also not GitHub's model at all.

And Go has a software package manager that heavily uses GH for distribution, and is arguably more VCS decentralized, but isn't vulnerable to this kind of attack, because it inherits GH's threat model, and doesn't implement the kind of choices that AUR decided to deliberately build into their system.


> GitHub doesn't allow me to put up my old repos for adoption by any old rando, or to allow randos to request to take over my repos if I don't respond for 2 weeks.

Changing your username would let anyone reuse the old username for whatever they want. Probably still today there are bots squatting any renamed accounts. Also, you bet Microsoft would hand over your GitHub username if it was reported by someone who holds a registered trademark in the US over that username, regardless of impact.

> The utility of AUR is also really based around being able to reuse the same repo without having to re-vet every single time.

I don't think they promise that anywhere, nor should you have that expectation. That would be like saying that since you got a legit copy from random-website.com/bin.exe today, you'd get that tomorrow too, which is clearly not true unless you know the owner of the domain or otherwise trust it.

> go has a software package manager that heavily uses GH for distribution, and is arguably more VCS decentralized, but isn't vulnerable to this kind of attack

Unless Golang suddenly has peer-reviewed packages, Golang has exactly the same problem as AUR in that anyone can create packages, and it's up to users to decide what to trust or not. Fair that the whole "orphaned packages" thing doesn't exist in Golang, but I think Arch probably favors stability more than people expect/think; that's why people can continue to maintain packages even though the original maintainer disappears. Ultimately it's a trade-off, I don't think there is some absolute truth of what is correct or incorrect.

Regardless of who maintains the package, if you use AUR as intended, it seems you'll avoid most security issues. It's when your expectations aren't aligned with what AUR actually promises that people start getting hacked.


I don't know how it works these days, but a few years ago GitHub was happy to give away usernames from users who haven't touched their accounts in a long time to anyone who asked. Several people I know got vanity usernames that way. All you had (have?) to do is drop an email to GitHub's support.

Only thing I can find on requesting to take over an inactive account is here:

> We do not accept requests to release, transfer, or reclaim usernames on the basis that they appear inactive or unused. If the username you want has already been claimed, you will need to select a different available name unless you are submitting a trademark complaint as described below.

https://docs.github.com/en/site-policy/other-site-policies/g...

Also, even if the original user renames or deletes their account, any popular repos they have will get tombstoned, so the new owner can't recreate them:

> GitHub uses a tombstoning algorithm to reduce the risk of repo-jacking by permanently retiring specific owner name, repository name combinations. The github/cmark-gfm example above is purely hypothetical, because, in that scenario, the old name would get automatically tombstoned. For example, even if an attacker managed to register the username github, they would still be prevented from creating a new repository with the name cmark-gfm because that owner name, repository name combination (github/cmark-gfm) would be permanently retired. Therefore, repo-jacking is only a risk for repositories that fall below a certain usage threshold. We don’t tombstone all renamed repositories because there’s a tradeoff between usability and security: a tombstone is a potential inconvenience for our users which we don’t want to impose unless there’s a genuine security-related reason to do so. That’s why our tombstoning policy only kicks in after the repository has met certain criteria, such as exceeding a specific number of clones.

https://github.blog/security/supply-chain-security/how-to-st...


GitHub changed its policy in 2022.

Before that it was possible to contact support to reclaim any username provided that they had no meaningful public repos and they were inactive for a long time. It was at the staff's discretion, there wasn't an elaborate policy of what constitutes inactive, but I've successfully reclaimed a username inactive for 2 years myself.

The old policy was:

    GitHub account names are provided on a first-come, first-served basis, and are intended for immediate and active use. Account names may not be inactively held for future use. GitHub account name squatting is prohibited. Inactive accounts may be renamed or removed by GitHub staff at their discretion. Keep in mind that not all activity on GitHub is publicly visible. Staff will not remove or rename any active account.

    Attempts to sell, buy, or solicit other forms of payment in exchange for account names are prohibited and may result in permanent account suspension.

Meanwhile, sometime around then I changed my GitHub username, without reading up on the suggested process before doing so. The idea was to rename my account, then create a new account with the previous username, so no one else could squat it, as it's my firstname + lastname and the combination seems unique in the world, so it's basically just me. But a few seconds after renaming the account, it got squatted, and even requesting that GitHub reclaim it somehow has fallen on deaf ears.

Lesson learned, create new accounts and never rename usernames, regardless of what rules the platform might share publicly.


> AUR isn't a package repo.

What does the 'R' in AUR stand for? Rutabaga?


There are plenty of TOTP 2FA apps that work across different platforms, open source ones too, it's just a couple dozen LoC for the core functionality.

I think GP meant "installing the bank's app as 2FA", not standard 2FA. I think the idea is that generally banks are resistant to and incompetent at technology, so a paper solution that avoids bad software decisions is laudable.

No surprises here, Google has also been restricting access to its accessibility API.

Useful context, thanks. I hadn't realized Google was tightening similarly. Would be interesting to see how the rationales compare.

$3.40 is for spot instances from what I'm seeing, and you're probably gonna need more than 1 for V4 Pro.


They're also the 3rd smallest net recipient of EU funds per capita:

https://i.imgur.com/VlRkDMy.png


You mean 13? You have to count the net contributors as well or it's very misleading...


But that's not really meaningful in a "largest economy" point of view.


WTF is up with Luxembourg on that graph?

It is a tax haven, with one of the highest GDP / person in the world, why is it, by magnitudes, the biggest recipient of EU largesse / person??!


Lots of people who work in Luxembourg don't live there so anything "per capita" is a bit misleading.

Additionally a lot of the EU's institutions are based there or have offices there, some of which might count as investments as well.

Lastly, everything there is really expensive. So you need to invest a larger amount to achieve the same thing as elsewhere.


These are reasons why it might not be the largest provider of funds per capita, not why it would be by orders of magnitude the biggest recipient.

I have been to Luxembourg and to Hungary, Bulgaria & Greece - the otherwise obvious contenders for "poorest" in the EU and Luxembourg should not be in the picture.


If it gets funds for restoring one railway bridge or something of that sort, the fact that the population is tiny makes the per capita investment look huge; just the usual tiny-country effects.


A bunch of foreign companies also incorporate their EU subsidiaries there (presumably due to some tax benefit). I imagine that distorts their GDP quite badly as well.


I presume this is because of the EU institutions there and that expenditure to maintain those institutions counts towards receipts (and this effect is then exaggerated due to Luxembourg's small population). Certainly no one in the EU is under any illusion that Luxembourg is poor, much less vastly poorer than the next poorest EU country.


Notoriously difficult to portray correctly in EU money-shuffling statistics. Some money not granted to the grand duchy is still filed under "beneficiary country: Luxembourg" due to some program or institution being headquartered there. And it is essentially impossible to compare apples to apples what happens in the actual EU budget and what happens in Kirchberg, home to the EIB.


Small population plus lots of EU institutions.


Exactly. Which proves that people who keep saying that Poland's growth is only due to EU's money should finally stop.

Another argument: Poland's GDP had already been growing at a similar pace before it joined the EU (but after it got rid of communism).


The largest EU benefit is that it makes democratic and rule of law backsliding unlikely. So if you invest money in Poland you can be reasonably sure that it won't get stolen from you. Hungary was a demonstration that this works over the long term.


In the EU, money gets stolen from you in a more subtle way. For example, the COVID situation, with unlimited money-printing, was a tax on the people who had savings, and supported a specific subset of the economy, or, in essence, delayed the tax.

There is no lesson of "democracy" to give. At best it is a guided democracy, and this is very generous.

For example, VPNs are going to be forbidden, and the free speech compared to the US is a little toy.

Elections are often a facade in many EU countries.

In France for example, it's always the "right" (btw you can be socially or jailed if you support them by using the wrong words) against the existing party, and communists are begging it's better to vote for the existing party, than support the newcomers.

It's a loop, this is why there is this joke that voters are "beavers", because at every election they are asked to "build a dam" against competition.

There is the same beaver thing, over and over again for 30 years.

Even with people that are actually elected, your word is nowhere near their decisions (and even less near Von der Leyen and similar people).

Poland understood a long time ago that it needs a safe country, and that they need to make sure that the people in their country are fine and safe before helping the whole planet.

Hungary and Poland are a little bit in the same boat; their relative independence saves them (e.g. refusing the EUR currency, refusing some policies) and allows them to have more leeway to support the local people, while benefiting from the funds from the EU and Schengen.

The EU prevents your money from being stolen, except when the EU itself decides to withhold or deduct it. Hungary has lost over a billion euros in ECJ daily fines...

If you push it even further, this is forgetting about the hundreds of billions that are centrally distributed to third-parties (and this is just Ukraine!). So, your money, our decision.


> unlimited money-printing was a tax on the people who had savings

The US printed so much that basically the entire global economy had to pay for it in huge inflation in the years that followed. And all that freshly printed money ended up in the pockets of US billionaires.


Yet you can see crowds of young anti-woke Germans on X claiming that Poland's been growing only because of their (i.e. the Germans') money.

Also, the reason you've given doesn't explain why it worked so much better for Poland than for Czechia, Slovakia and a few others.


> doesn't explain why it worked so much better for Poland than for Czechia, Slovakia and a few others.

It's hard to see the other paths they could be on though. One person's failure is another's raging success. It might be a bit like the way we take peace for granted, because we can't internalize the cost of all the ways it could have been worse.


> Yet you can see crowds of ...

The "logic" of xenophobic nationalism is that narratives are selected for how well they (1) cast "us" as victims, (2) cast some convenient "others" as villains, and (3) fire up "our" feelings of hatred. Neither logic nor truth are particularly desirable - and narratives which are particularly defiant of logic and truth may be a way of virtue signaling within xenophobic national social circles.


> Yet you can see crowds of young anti-woke Germans on X

There are also crowds of young anti-woke Poles claiming that Poland should leave the EU because we would be better off without it and claiming that the EU is a puppet of Germany. I've also seen opinions that Israel is a puppet of Poland, aimed at Israelis. If you want to, you will see all the opinions you could imagine.


This all started with Facebook. Those "opinions" are partly manufactured in Russia and, for Russian money, amplified through US-owned social networks. Any "opinion" that sows discord in the West is used. Content is pretty much irrelevant. The outcome is what matters: divisions, reduction of trust in institutions and leadership. It works because there are people in the West who opportunistically politically capture audiences created by this discord. And they do it by repeating the same "opinions", often even for free.


I wonder how many of those accounts are sock puppets like we have in American social media.


If you look at election outcomes you can see there are a lot of real ones, no need for sock puppets.


Chicken and egg. How did those voters get that way? Some governments and rich people fund sock puppets to influence our national discourse, to muddy the truth if not outright spread lies. They wouldn't do it if it didn't work.

But sure, sock puppets also follow the crowd. Good money in it: https://www.bbc.com/news/articles/cj38m11218xo


> The largest EU benefit is that it makes democratic and rule of law backsliding unlikely.

On the contrary. Since the EU has no meaningful penalty mechanism other than withholding funds, and enormous capacity for shared damage absorption, once a country passes a certain threshold of development membership in the EU actually encourages government misbehavior including democratic backsliding, because it insulates the government from many potential adverse consequences.

For example, governments around the world have to fear violent revolution. But in the EU, the shared desire for law and order is so strong that the rest of the members are likely to support a member state in repressing such a revolution with essentially any degree of brutality, regardless of the condition of that state’s democracy, because the alternative (a successful coup in an EU member state) is impossible to contemplate.


Indeed. The self-congratulatory narrative around "EU funds" is obnoxious and ignorant. As you say, Poland's economic growth was similar before it had joined the EU. (Many economists then thought Poland's accession in 2004 was premature and should have been postponed.) Causes were cultural (there is a strong, traditional entrepreneurial streak in Polish culture) and related to the economic reforms undertaken during the transition from the centrally-planned economy of the socialist period. People need to remember that Poles did not choose the communist regime after the War. It was thuggishly and violently imposed onto Poland by the occupying Soviets. Poles merely endured a provisional acceptance of the regime, because they had no choice.

Furthermore, as the GP hints, EU funds earmarked for Poland don't necessarily remain in Poland as investment. Much of that money circulates back into the pockets of contributing countries. You have to look at the entire paper trail to understand where money is actually ending up.

Also worth noting: Poland didn't receive a dime of reparations after the War. Germany (and with later contribution by the Soviets) had unleashed such mind-boggling destruction on Polish cities, towns, cultural inheritance, industry, etc. that only the so-called Swedish Deluge matches or exceeds this devastation.

The EU presents certain clear economic benefits for member countries. Nobody disputes that. But the patronizing and paternalistic narrative of some countries - reminiscent of their goofy rationalizations for their occupation of that region during the 19th century - needs to go away.


Can't agree more. Given its geography and population, one would expect Poland to be a major economy, but it's been occupied or even completely erased from existence for large stretches of industrial modernity. The period since 1989 is the longest stretch of true sovereignty that Poland has had since the 18th century.

The fucking krauts (both the German/Prussian and the Austrian/Hapsburg varieties) can and should toss them a few złoty for economic development as recompense for the horrific treatment they've dealt Poland over the centuries. It would be nice if the Russians would too, but that's not the reality we currently live in.


Not really, the old smaller European Community should be restored and Poland can become the 51st US state for buffer purposes.

Times were much better.


"Not really" what?


>Also worth noting: Poland didn't receive a dime of reparations after the War.

Poland received virtually all of the lands that were considered Prussia though.


If you peer into the (un-tendentious) history of much of those lands, you might take a slightly different view of them and their role and importance in Polish history, culture, language, and statehood, beyond just the 20th century... But perhaps more to the point, Poland lost nearly half of its prewar territory, east of the Curzon line. Poland is territorially smaller today than it was before WWII.


As is alluded to by others, you might want to look into the disposition of those lands before 1100 or so.


Indeed it received Pomerania and the industrial center Silesia. Russia got East Prussia.

Probably worth more than the EUR 1 trillion fantasy figure that Polish right wingers demand.


It also "received" several million of its own people killed, including the highly educated Jewish community. While we are crunching numbers, let us not forget that loss of human capital matters in economy as well.


Yes - the main benefit of the EU is regulatory stabilization and the open market. Ironically, this was also working before joining the EU (most of the adjustment happened as a requirement to join the EU and was implemented before joining).


A lot of it also was behind a requirement to basically "fix your shit".

You could get the money but you had to get bureaucracy to be right and transparent to cut down on fraud, and that helped the rest of the govt to have less fraud.


Much of the stabilization was due to the strong domestic market. Recall that Poland was the only country to avoid the 2008/2009 recession. It is tight global integration that causes recessions to spread.


Brazil also famously avoided the 2008-09 recession to a great extent, to name one example.

Tight global integration is not a bad thing. Even if we took at face value your argument that a strong domestic market protected Poland in that case, you can't cherry pick the one instance in which lower-than-expected integration was beneficial without also considering all the other times in which it was harmful.


Poland's growth does well when everyone is in the dip. Even in the 2020 crisis Poland dipped less than others, although the difference was smaller that time. 8 years of populist rule did harm Poland a bit.


But this was largely the particular cause in this case... The strong domestic market insulated the economy from international economic shocks.


The US also has a very strong domestic market and yet it was not "insulated"


That's because the shocks came from the domestic US market!


Firecracker and gVisor, used by AWS and GCP respectively, are open source. That's just off the top of my head, I'm sure there's more; there's also the whole Open Compute Project, after all.


I had some issues with brew breaking up my system and pkg-config.


It is a bit hard to know what the issue is here.

But on average brew is much safer than downloading a binary from the ether where we don't know what it does.

I see more tools use the curl | bash install pattern as well, which is completely insecure and very vulnerable to machines.

Looks like the best way to install these tools is to build it yourself, i.e. make install, etc.


>the best way to install these tools is to build it yourself, i.e. make install, etc.

And you're fully auditing the source code before you run make, right? I don't know anyone who does, but you're handing over just as much control as with curl|bash from the developer's site, or brew install, you're just adding more steps...


> And you're fully auditing the source code before you run make.

I mean you can?

But that is the whole point when the source is available, it is easier to audit, rather than binaries.

Even with brew, the brew maintainers have already audited the code, and the source to install (even when installing using --HEAD) is hosted on brew's CDN.


>Even with brew, the brew maintainers have already audited the code

Realistically, how much are they auditing? I absolutely agree with your sentiment that it's better than a binary, but I think the whole security model we have is far too trusting because of the historically overwhelming number of good-faith actors in our area, both in industry and hobbyists.


In 2002 I remember PS1 being sold for 99€ in Toys'r'Us in the Netherlands, next to a PS2 being sold for 199€.


Top locations have way more people interested in couchsurfing than there are people hosting, so probably not feasible.


I am a couchers host in NYC and don't actually get too many requests! I host someone about once or twice a month.


How’s your towel design?


Terrible but worth it for the location


Managed to complete the CAPTCHA without strafing but it took me 3 tries.

