AMAZINGINDEX.COM Daily AI Briefing
62.1
VOL. 2026.06
2026.06.14
Daily Snapshot
NO. 014

Arch Linux Malware Incident Affects 1500+ Packages

#ARTICLE HackerNews 2026.06.14
Recommendation index 66.0 · NO. 014 · 2026.06.14
Published 2026/06/13 · Score 226 · Comments 140

Arch Linux has officially stated that a large-scale malware injection incident has been contained, with more than 1500 packages affected. For AI development environments that depend on Arch and its derivatives (such as Manjaro) this is a supply-chain risk: the provenance of container images and CI/CD base images should be checked immediately.

What the incident exposes is a source-level supply-chain attack rather than a simple repository hijack; the attackers may have injected malicious code through compromised maintainer accounts or build infrastructure. One caveat from the discussion below: the affected packages were in the AUR (Arch User Repository), where packages are built on the installing machine from user-submitted PKGBUILDs that Arch neither vets nor signs, not in the official repositories. Arch's rolling-release model still means that affected packages may already have reached many developers' local environments and production images.

If you run model training or inference services on Arch-based Docker images, freeze image builds now and find out what changed recently: /var/log/pacman.log records every install and upgrade with a timestamp, and `pacman -Qm` lists the foreign packages (those not present in any configured repository, which in practice means AUR-built ones). Official repository packages are signature-checked by pacman at install time, but AUR packages carry no Arch signature to verify, so each foreign package touched in the relevant window needs its PKGBUILD reviewed or a rebuild from a known-good upstream. Consider a temporary switch to a Debian/Ubuntu base image as a fallback. Cached Arch layers in CI/CD pipelines must be re-pulled and re-verified rather than reused.
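The audit described above, as an added shell example that is not part of the original page and not Arch's own tooling: it parses lines in the /var/log/pacman.log format for installs and upgrades on or after a cutoff date and keeps only those whose package is foreign according to the `pacman -Qm` style "name version" list. The log excerpt and the foreign-package list are constructed sample data, and the function names `recent_changes` and `audit_foreign` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page or from Arch Linux: list foreign
# (non-repository, typically AUR-built) packages that were installed or upgraded after
# a cutoff date, using the current ISO-8601 timestamped /var/log/pacman.log line format.
# SAMPLE_LOG and SAMPLE_FOREIGN are constructed data standing in for the real log and
# for the output of `pacman -Qm`.

SAMPLE_LOG=$(cat <<'EOF'
[2026-05-20T09:12:01+0000] [PACMAN] Running 'pacman -Syu'
[2026-05-20T09:12:01+0000] [ALPM] upgraded glibc (2.39-3 -> 2.39-4)
[2026-06-02T14:03:55+0000] [PACMAN] Running 'pacman -U python-torchaudio-2.3.0-1-x86_64.pkg.tar.zst'
[2026-06-02T14:03:55+0000] [ALPM] installed python-torchaudio (2.3.0-1)
[2026-06-11T08:45:10+0000] [ALPM] upgraded yay (12.3.5-1 -> 12.3.6-1)
[2026-06-12T22:17:43+0000] [ALPM] installed cuda-helper-scripts (1.4.2-1)
[2026-06-13T03:00:21+0000] [ALPM] upgraded openssl (3.3.1-1 -> 3.3.2-1)
EOF
)

# Constructed stand-in for `pacman -Qm` (one "name version" per foreign package, sorted).
SAMPLE_FOREIGN=$(cat <<'EOF'
cuda-helper-scripts 1.4.2-1
python-torchaudio 2.3.0-1
yay 12.3.6-1
EOF
)

# recent_changes CUTOFF LOG_TEXT
# Prints "name new-version" for every [ALPM] installed/upgraded entry dated on or after
# CUTOFF (YYYY-MM-DD). Other entries, such as "[PACMAN] Running ...", are ignored.
recent_changes() {
    printf '%s\n' "$2" | awk -v cutoff="$1" '
        $2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded") {
            day = substr($1, 2, 10)          # "[2026-06-02T14:03:55+0000]" -> "2026-06-02"
            if (day >= cutoff) {             # ISO dates compare correctly as strings
                ver = $NF                    # "(2.3.0-1)" or "2.39-4)": the new version
                gsub(/[()]/, "", ver)
                print $4, ver
            }
        }'
}

# audit_foreign CUTOFF LOG_TEXT FOREIGN_TEXT
# Keeps only the recent changes whose package name appears in FOREIGN_TEXT, i.e. the
# packages pacman could not find in any configured repository.
audit_foreign() {
    recent_changes "$1" "$2" | while read -r name ver; do
        if printf '%s\n' "$3" | awk -v n="$name" '$1 == n { hit = 1 } END { exit !hit }'; then
            echo "$name $ver"
        fi
    done
}

# Demo on the constructed data. On a real Arch host or inside an Arch-based image, run:
#   audit_foreign 2026-06-01 "$(cat /var/log/pacman.log)" "$(pacman -Qm)"
# and review the PKGBUILD of (or rebuild from known-good upstream) every package listed.
echo "Foreign packages changed since 2026-06-01:"
audit_foreign 2026-06-01 "$SAMPLE_LOG" "$SAMPLE_FOREIGN"
```

On the sample data, `openssl` and `glibc` drop out because they come from the official repositories and were signature-checked at install, while the three foreign packages remain and are the ones worth reviewing. Run the same two commands against each cached CI layer before trusting it again.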

Divided opinions · 109 comments

Core debate: should the AUR's open, free-for-all model be placed under stronger security controls, or does the burden of review rest with users?

embedding-shape

As always a fair reminder to not install random 3rd party packages/libraries/applications without reviewing them, especially when there is zero vetting. Luckily this was constrained to AUR, which basically is a free-for-all package repository, with users being warned multiple times that it

dbgobrrr

> users being warned multiple times that it's vital to review anything before you install it, compared to the official repositories. I think this stance should be re-evaluated. Arch Linux developers are doing a fantastic job and I am personally thankful to them - this is not in any way critical of

embedding-shape

Personally, what you suggest would defeat the purpose of the AUR, and what you describe is already applied to the official packages. If you want only the safe and stable stuff, don't use random packages from AUR :)

Alternatives mentioned: rua · official repositories · curl|sh · install directly from upstream