| ▲ | embedding-shape 5 hours ago |
| As always a fair reminder to not install random 3rd party packages/libraries/applications without reviewing them, especially when there is zero vetting. Luckily this was constrained to AUR, which basically is a free-for-all package repository, with users being warned multiple times that it's vital to review anything before you install it, compared to the official repositories. `rua` and other similar CLIs make it really easy to review the packages before installing them from AUR too, and if you are doing banking on the same computer, you really have no excuse not to review the software you depend on. Keeping the amount of packages low, only use what you need, also makes this a whole lot simpler when it's time to upgrade. |
|
| ▲ | blcknight 2 hours ago | parent | next [-] |
| "Review" them how? Read every single line of code before installing something? If it's a binary package, how do you do that? Make reproducible builds for everything you install? Move to from source distro? Putting this on users is not a tenable solution. There's room for common sense, but blaming the users for this is ridiculous |
| |
| ▲ | yowo an hour ago | parent | next [-] | | This is like saying a user who clone a random git repo is not to blame and git-scm should do more to prevent cloning of malicious repos.
If it is not official, it is your job to review, if you dont like it, use iOS instead of Arch Linux. If you crash your car, you are liable for the accident. If you aren't ready for that, take the bus. More power = more responsibility | | |
| ▲ | naturalmovement 33 minutes ago | parent [-] | | Uh but this isn't random git repos these are packages available through the OS's repos. Why does the AUR even exist if not for malware distribution? It's an uncontrolled free-for-all disguised as a watering hole. If they can't do the most basic of housekeeping it should not exist full stop. | | |
| ▲ | zeta0134 17 minutes ago | parent | next [-] | | They *are* doing the basic housekeeping. What do you think this announcement is, if not exactly that? AUR is very clearly documented as user-submitted, and automatic installs from it are heavily discouraged by the maintainers for this reason. Malware aside, there is very little quality control, and a poorly made AUR has the potential to break the system pretty badly. (Though, in my experience, most of the useful AUR packages are trivial to remove if something goes wrong.) The officially maintained repositories (which are part of a default installation) were not affected. Users need to go somewhat out of their way to use an AUR. The definition files are all plain text and not especially complicated. It's not too difficult to glance at the file before doing an install to get a basic idea of what it's about to do, just like you should do when running a random shell script or cloning a random git repo. Indeed, most AURs are implemented by cloning an upstream git repo and configuring it so it can be built. The same basic threat model applies: Do you trust the install script? Do you trust the upstream URL whose code it is about to compile? | |
| ▲ | Hackbraten 30 minutes ago | parent | prev [-] | | > these are packages PKGBUILDs are not packages. They’re (user-contributed) instructions on how to build packages. > available through the OS's repos. No. The AUR is a platform, similarly to NPM or PyPI, that allows users to upload PKGBUILDs. It is not part of “the OS’s repos,” and it says that loud and clear, multiple times, including on the front page. | | |
| ▲ | naturalmovement 24 minutes ago | parent [-] | | This is like if someone urinated into the bulk foods bins at the grocery store, and the store did not implement the most basic of measures to prevent it (like locking tops on the bins); then the manager blamed the customers for not knowing better and lab testing all your food for urine before consuming it. Fuck outta here. | | |
| ▲ | embedding-shape 13 minutes ago | parent | next [-] | | You seem to have a wild misconception of what AUR actually. It'd be more like a public toilet anyone could urinate in, and you lick the floor right next to the toilet and then is surprised that it tastes like pee. Of course there is pee on the floor, anyone can pee there! | |
| ▲ | 14 minutes ago | parent | prev | next [-] | | [deleted] | |
| ▲ | neoCrimeLabs 9 minutes ago | parent | prev [-] | | Better analogy would blaming a supermarket that hosts an outdoor farmers market because you contracted food poisoning from a stand owned by someone else - NOT for buying food from within the supermarket itself. Meanwhile one of the other customers has norovirus and is deliberately touching everything so others contract it. |
|
|
|
| |
| ▲ | kcyb an hour ago | parent | prev | next [-] | | As an arch user, I would always skim the PKGBUILD file of AUR packages to see if they install the software they claim to install from official sources and if there's something obviously fishy. | | |
| ▲ | naturalmovement 32 minutes ago | parent | next [-] | | The BSDs prevent this by never having allowed random jamokes to upload Makefiles into the ports system. | | |
| ▲ | embedding-shape 15 minutes ago | parent [-] | | Yeah, I've prevented this locally too by never building such a platform in the first place, always the best solution! Jokes aside and just in case, you do realize ports and AUR have two very different models? Ports is more similar to the official Arch repositories, which obviously doesn't suffer from the same problem, and AFAIK, there is no BSD-equivalent of AUR. BSD is cool and useful for lots of reasons, but comparisons based on misunderstandings helps no one :) |
| |
| ▲ | echelon_musk an hour ago | parent | prev [-] | | I'd be surprised if you did it as a Debian user! |
| |
| ▲ | gchamonlive 9 minutes ago | parent | prev | next [-] | | Ask an LLM to assess the package and do a web search for you. Nobody is installing tens of packages a day, you can take a few minutes to consider what you are installing. This isn't blaming the user, it's basic digital hygiene. | |
| ▲ | t-3 an hour ago | parent | prev | next [-] | | An archlinux package build file is just a shell script. It's pretty easy to take a look and see if all the manifest info is right and it doesn't do more than ./configure; make; make install DESTDIR=$PKG or whatever. If you're building random software using random instructions from the internet and don't make sure they're not malicious, you only have yourself to blame when you catch something. Actually reading through the source files for vulns is something best left for automatic detection, checking the build script is basic. | | | |
| ▲ | clickety_clack 18 minutes ago | parent | prev | next [-] | | It’s free lines of code on the internet that you are going out of your way to run on your own machine. | |
| ▲ | embedding-shape an hour ago | parent | prev [-] | | Lets take two real and random examples, and I'll share what I'd look for: First, very easy one, we want to install Brave, so we find https://aur.archlinux.org/packages/brave-bin. All the dependencies are in the official repos already, so those we trust already, you open the downloaded PKGBUILD and you find it's downloading a binary from github.com/brave, you check to see it's the official GitHub profile/organization that you expect. Quickly scan prepare/package for anything out of place, like downloading more files not defined in "source" or whatever. In this case, "suid sandbox" stuff should make you investigate closer so you understand what that stuff does, many things related to Chrome has things like that. That AUR package also has a brave-bin.sh, so a look through that would make sense. AFAIK, everything checks out, this is literally just downloading the official release from GitHub, and extracts it into the right place, so if you trust the GitHub org/user, you can trust the PKGBUILD. The PKGBUILD also seems to be officially maintained by Brave themselves, so probably already there you can verify the AUR user and be done if you feel lax. Second example is unofficial package, https://aur.archlinux.org/packages/lmstudio-bin, maintained by noureddinex and created by MadGoat, neither which seem official at a glance. Read through the comments to see if anyone else flagged anything, seems fine so again go read the source of the package and the PKGBUILD. PKGBUILD seems standard, downloads something from "installers.lmstudio.ai" so first thing to check is if that's actually the official website, so use search engine to find official website, copy the URL of the download, verify it's the same. In this case, lmstudio.ai is the real website, but download URL on website ends up being "https://lmstudio.ai/download/latest/linux/x64" in the HTML/DOM, so use "curl -v -L $URL" to see redirects, and then we've confirmed installers.lmstudio.ai is actually what they use for official releases. Read through "prepare" and "package", both seem standard and fine, then look through the rest of the files, all of them seem fine, mostly maintenance scripts for the AUR package itself. Package seems fine as a whole, and we could install it, if we're willing to review it again on upgrades in the future. This is basically all you have to do. Writing what I did while doing it, made each "review" take maybe 5-10 minutes, and it isn't harder than that, regardless who the user is. You just need to know what to look for, and think how you'd "officially" install it anyways. And if what the PKGBUILD differs from what you'd imagine an "official install" would do, investigate if it makes sense and if not, don't install the package, maybe leave a comment for others in AUR to dive deeper. |
|
|
| ▲ | glitchc 2 hours ago | parent | prev | next [-] |
| This is great but ultimately unactionable advice, which makes it worse than useless because it sounds good at first brush but upon inspection turns out to be ridiculous. There is more code out there than is readable by any human being in their lifetime. I'm willing to bet you yourself have read <1% of the source code currently running on your computers. Does this mean you have stopped using your computer(s)? How can you trust anything that happens on them? |
| |
| ▲ | sam_lowry_ an hour ago | parent [-] | | As someone already explained in a sibling comment, Arch Linux AUR packages are simple shell scripts that download source code from upstream, apply patches and install. I review them every time I have to install from AUR. | | |
| ▲ | bawolff an hour ago | parent | next [-] | | And what if upstream is problematic? Even if it stops this particular attack, reading just the AUR file feels like fighting yesterday's war. I don't think advice to the effect of, just read the parts of the code that have been used in attacks in the past but blindly trust everything else, makes a lot of sense. | | |
| ▲ | exceptione 21 minutes ago | parent | next [-] | | > And what if upstream is problematic?
That would be the same problem for official packages. Unless I am mistaken, the difference between maintainers for the official repos versus AUR, is that the former is a trusted/vetted person. But afaik, they also just package upstream software. I doubt they will read through tons of commits to see if there might be anything nefarious there.It would be better if software would be forced to have something like a very advanced manifest file, with requested permissions. Malware has to eventually communicate with endpoints, so a declared whitelist of endpoints should definitely be part of such a manifest. Some wrapper program could set up a namespaces that allows just what is requested. Any software that requires `endpoints = [.*]` would make it obvious to the user that it is a really dangerous piece of software. Your code editor should not ship like that. The first thing I can think of in this direction is flatpak, but that is really coarse grained, with defaults that are very lax. Also flatpak-like solutions do not expose an api to the wrapped application, which is both a pro and a con (a con when you consider installing application plugins requiring further permissions). | |
| ▲ | Hackbraten 24 minutes ago | parent | prev [-] | | > And what if upstream is problematic? Then don’t install the package. It’s on you to decide whether you trust upstream or not. You’re free to use any scanner you want on the upstream sources if it makes you feel safer. (I’m currently working on a makepkg extension that allows just that.) The core and extra repos are curated, and every package maintainer is doing their due diligence (and more) to protect the users. But on the AUR, nobody is going to do that work for you. | | |
| ▲ | exceptione 19 minutes ago | parent [-] | | > doing their due diligence (and more) Do you know how? This sounds like an unpractical high amount of time consuming task. | | |
|
| |
| ▲ | Slothrop99 28 minutes ago | parent | prev [-] | | If I understand, the malware is installed via npm from some subshell. But yeah I totally believe you have a detailed review of every package-lock.json and etc. |
|
|
|
| ▲ | -mlv 2 hours ago | parent | prev | next [-] |
| I recall the AUR always being touted very highly as some great advantage for Arch as a linux distro, unfortunately this convenience has also come with a price. It's crazy that all it takes to become a maintainer of a package is to flag it as orphaned, wait 2 weeks for the original maintainer to fail to respond because they're on a holiday, and BAM! - the attacker can gets assigned as a maintainer and can now ship spicy updates. |
| |
| ▲ | dualvariable 5 minutes ago | parent [-] | | That is a terrible way to run a package repo in this day and age. Maintainers need to have some level of vetting, and should own a repo or three for a while to establish a track record, before they get to blast out contributions to 100 of them without any review. |
|
|
| ▲ | dbgobrrr 4 hours ago | parent | prev | next [-] |
| > users being warned multiple times that it's vital to review anything before you install it, compared to the official repositories. I think this stance should be re-evaluated. Arch Linux developers are doing a fantastic job and I am personally thankful to them - this is not in any way critical of them.
And while I don't see an easy solution here, I just feel that the time of "warning users" is long gone with how much supply-chain attacks are ramping up these days. Some other controls could at least alleviate the problem. Perhaps some form of peer-review and grace period before publishing could help here? |
| |
| ▲ | anon7000 4 hours ago | parent | next [-] | | Idk. Arch does have official repositories that are actively maintained and vetted. AUR is for the vast amounts of random software that isn’t popular or important enough to be officially maintained. I’m not sure how to find a balance. One reason to use Arch is to always have the latest software, especially if you’re gaming. (Need to run very recent kernels, GPU drivers, and DEs to support new graphics cards.) So that’s very different from other stable LTS distros which carefully pick the package updates they incorporate. Anyways, I do agree package cooldowns and such make a lot of sense. Package managers should be pulling out the stops on all the free controls they can implement. I can understand why anything requiring compute or maintainer time is a non-starter. (Sidebar: I don’t feel the same way about npm. Microsoft can afford to run malware scanners and analysis tools on npm packages.) https://wiki.archlinux.org/title/Official_repositories | | |
| ▲ | beej71 2 hours ago | parent [-] | | There's some big stuff in AUR like the binary VS Code and Chrome, fwiw. | | |
| ▲ | newsoftheday 2 hours ago | parent | next [-] | | I'm on Kubuntu and I install VS Code using Microsoft's repo and Chrome using Google's repo. Also I do Wine and Docker using their own repos. I can't imagine VS Code or even Chrome being put into the mainstream Kubuntu/Ubuntu repos nor why such a burden should ever be shifted to Canonical. | | |
| ▲ | vlovich123 2 hours ago | parent | next [-] | | That’s because you’re using something those companies officially support. Is your argument everyone running Linux needs to be on a Debian-based or Fedora-based distribution? Btw the official “vscode on Linux” instructions literally point to the community maintained AUR (same for nix). The truth of the matter is the AUR is poorly maintained structurally, regardless of what companies officially support. Things like letting arbitrary people unilaterally take over orphaned packages is horrendously stupid. | | | |
| ▲ | tjoff 2 hours ago | parent | prev [-] | | Since you are using the official repos thats not an issue. The issue is when the package creator is some rando on the internet. |
| |
| ▲ | drnick1 an hour ago | parent | prev [-] | | I wouldn't those programs. You have the corresponding FOSS versions (code-oss and chromium) in the main repository. Chrome is basically spyware. |
|
| |
| ▲ | mcv 2 hours ago | parent | prev | next [-] | | It's definitely a sign that popular packages should be moved from AUR to the official repository. I've got some stuff from AUR simply because it's something I need and that's where it is, and I never really verify it's safe; I just trust it blindly. Clearly a bad idea. I guess I should learn to avoid AUR and when I do use something from it, we more aware it's an exception and I need to check it more thoroughly. That's something I normally only do only for stuff that's neither from AUR nor the official repo. | | |
| ▲ | axus 2 hours ago | parent [-] | | How much work is created (and for who) when a package is moved to the official repository? |
| |
| ▲ | thewebguyd an hour ago | parent | prev | next [-] | | > Some other controls could at least alleviate the problem The biggest one I'd suggest they change immediately is remove the ability for anyone to just take over an orphaned package. That's a crazy policy, to me. It should require you to fork it & resubmit, not take over the original. Then they can go through and do purges of orphaned packages that are beyond a certain age. | |
| ▲ | embedding-shape 4 hours ago | parent | prev [-] | | Personally, what you suggest would defeat the purpose of the AUR, and what you describe is already applied to the official packages. If you want only the safe and stable stuff, don't use random packages from AUR :) |
|
|
| ▲ | cosmic_cheese 2 hours ago | parent | prev | next [-] |
| I think it’s a great argument for some combo of immutable system files, installation of packages as user-local by default (making elevated manager privileges unnecessary), and components and programs being given as little privilege as possible by default. There’s bits and pieces of this in place with immutable distros, Wayland, and Flatpak but notable holes remain. The biggest one is that sandboxing is tied to the package format which I think is a mistake. Sandboxing and access permissions should be a system-level thing so even arbitrary binaries can’t easily slip through the cracks. This wouldn’t fix the problem entirely, but it’d greatly limit the blast radius and make users of the distribution a less juicy target. |
|
| ▲ | mcv 3 hours ago | parent | prev | next [-] |
| It's still surprising someone was able to infect so many packages. But I admit I don't really know how AUR works. Can anyone with access simply update anything? Do packages not have owners who check contributions? |
| |
| ▲ | jorams 2 hours ago | parent | next [-] | | Packages in the AUR have some number of maintainers. When a maintainer no longer wants to maintain the package they can disown it, and when all maintainers do so the package becomes orphaned. An orphaned package can then be adopted by any user. At any time there's a large number of orphaned packages in the AUR, and the attacker(s) targeted those. | | |
| ▲ | Slothrop99 22 minutes ago | parent [-] | | Obviously way too easy to take over these 'orphaned' packages if it can be done in an automated manner. GitHub/NPM/etc doesn't have this issue, they need to stop equivicating. Sounds more like an anonymous FTP site. |
| |
| ▲ | embedding-shape 2 hours ago | parent | prev [-] | | > But I admit I don't really know how AUR works It's basically GitHub (in terms of "User's generated content") but tailored and specific to Arch/Arch-derived distributions. Packages have owners, but everything is very "freeform" in general on the AUR. It wasn't uncommon you could be added as a maintainer by just sending a mail to the current maintainer, since it's basically "Hey let me contribute to your repository" (simplified), today people keep track a bit better and avoided that I've seen. But still, it's on a individual basis. Just like GitHub, AUR is completely devoid of peer-reviews, users uploads their own PKGBUILD and share with others, and the expectation is that users review stuff before they install it, just like on GitHub, or just like on the internet in general. | | |
| ▲ | tempest_ 2 hours ago | parent [-] | | Yeah, the AUR is basically build scripts for github repos or a link to someones pre-built binary. It suffers from all the same problems that the underlying infrastructure suffers from. You could very easily argue that since github/npm/cargo/<your package manager of choice> has a supply chain issue so does the AUR. |
|
|
|
| ▲ | Gud 30 minutes ago | parent | prev | next [-] |
| So easy to say. For a distro this popular I’m surprised how much is in unofficial repos(AUR) and not the official ones. |
|
| ▲ | cge 4 hours ago | parent | prev [-] |
| >`rua` and other similar CLIs make it really easy to review the packages before installing them from AUR too, and if you are doing banking on the same computer, you really have no excuse not to review the software you depend on. What review should users do? It appears that, in some cases, these were adding npm as a dependency and installing atomic-lockfile, and in others, these were adding bun and installing js-digest. This was a mass attack against mostly low-use/orphaned/etc packages where maintainership was taken over or a different user uploaded a new version (itself a very simple, low-notice, low-oversight process), and many of the packages clearly had no connection to Node.js at all, so a user who knew enough about each package, and knew what npm was, might notice the oddity in the package, if they reviewed every line of the PKGBUILD, then reviewed the install scripts. But legitimate AUR packages for packages connected to Node.js also use npm, for example, and at times, use npm install. A user would have to be familiar enough with Archlinux's build system to understand the difference between each part (eg, build() vs install scripts). They'd have to review every PKGBUILD, every install script, and every patch of every AUR package they install. For packages that actually do use npm/bun, they'd have to be familiar enough to know what uses were legitimate and what uses were not, and might have to be up to date on compromised dependencies. And this is still considering a mass attack that was not particularly hidden. Attacks could be made much harder to find. Asking a user to safely review an AUR package essentially seems like it is asking them to fully understand not just the build process, and programming language, of the upstream package, but also all details of Archlinux's build system. They need to learn how to do this with, as far as I can tell, no real guidance: AUR itself, and the wiki's page on it, just warn that users should carefully review the PKGBUILD and install scripts, without giving any substantial guidance on what to look for or how to review anything. The warnings feel much more like liability-reduction than an attempt to be helpful. At that point, what is AUR actually offering that installing the upstream package isn't? It feels like the suggested 'safe' way of using AUR would make it just as much work for the user, and require just as much knowledge, as either installing the upstream directly, or even making a package for it. There is perhaps some room for LLM analysis here: Opus 4.8, Kimi latest, and even Qwen3.6 27B quickly catch at least the current round of malicious packages in my tests. But a motivated attacker could make that more difficult, or dangerous. And a user could also just have those models install the upstream package, with less risk. If they want to use pacman for management, they could likely even have those LLMs generate a package, with less risk. |
| |
| ▲ | SCdF 3 hours ago | parent | next [-] | | Not all tools are made for inexperienced people. Not everything is idiot proof. This is OK! In my experience using the AUR: 1. when you first install the package you can read the build script (and you should). These are in a very standard structure, and if the one you are reading is weird and complicated consider not installing it. No one is forcing you to. Almost every build script I read just downloads a build from a tagged github release. 2. when you get an upgrade you are shown the diff. For almost every AUR package I use this is literally just changing the $VERSION variable and the subsequent $HASH of the download. It is trivial to see if anything (in the AUR script) is happening that is sneaky. It's really not that scary. And if it's considered scary, there are literally dozens of other linux distros (not to mention Windows or MacOS) you could be using instead. | | |
| ▲ | cge 2 hours ago | parent [-] | | I'm not asking for myself. Yes, I understand the build process, and know what to check. I've also written PKGBUILDs before and have had packages in AUR. I'm sure you understand it too, as well as many people here. But many users don't. As far as I can tell, there is very little actual guidance about what to look for, not even to the extent of what you explain here, on the wiki. Users are told to check the PKGBUILD, and warned about AUR-helpers being dangerous, but in practice, it seems AUR-helpers are widely used, and many users likely just click through PKGBUILDs they won't be able to understand. And, again, this attack was a relatively obvious one. Other attacks could be made much harder to notice. Worse, distributions like CachyOS are being broadly promoted to a user base who can't be reasonably expected to check over AUR packages themselves. Unlike ArchLinux, those sometimes do seem to promote AUR-helpers. In some cases, those distributions are apparently including AUR-sourced packages in their actual repositories. Questions about these topics often result in typical Archlinux hostility. And in some sense, that's understandable: there are other distributions that most users should be using, and the frustration of people using Archlinux who shouldn't be is wearing. It is nice to have a distribution that offers the flexibility and space for experimentation that Archlinux does. It's one of the reasons I use it on some of my machines, while at the same time recommending against most others using it. To some extent, this is just a wide cultural difficulty with Linux, and there isn't a clear answer. On one hand, you want enough gatekeeping to keep users away from potentially dangerous systems they have no interest in understanding, and that they'll rely on without understanding in situations where they shouldn't. On the other, you don't want to keep out users who are interested in learning. | | |
| ▲ | SCdF 43 minutes ago | parent | next [-] | | So 100%, I agree that it's highly dangerous that the distro's the next tranche of people unfamiliar with linux (gamers dissatisfied with Windows) move over with, are based on hecking Arch. It feels like a massive upcoming footgun. I think the issue is those repos being based on Arch though, not Arch itself. | |
| ▲ | embedding-shape an hour ago | parent | prev [-] | | > But many users don't. As far as I can tell, there is very little actual guidance about what to look for, not even to the extent of what you explain here, on the wiki. Users are told to check the PKGBUILD, and warned about AUR-helpers being dangerous, but in practice, it seems AUR-helpers are widely used, and many users likely just click through PKGBUILDs they won't be able to understand. That's where the whole "Not everything is idiot proof" thing comes in. The distribution is pushing the responsibility on users to vet what they do, across everything, not just installing AUR packages, so naturally this also applies to installing 3rd party software. If you don't know what to look out for, maybe don't install stuff you don't know what it will do. Sucks as an answer if the distribution is looking to "Make it as easy as possible for every user" but that's not Arch Linux ultimately, it does ask you to care about things like that, if you don't want to, it might not be the OS for you. And that's of course OK and not something bad. I know this sounds like gatekeeping, but it's more of a culture difference than anything, and probably not even a problem. > distributions like CachyOS are being broadly promoted to a user base who can't be reasonably expected to check over AUR packages themselves That'd suck, but not the impression I've got from CachyOS. There is a FAQ entry that seems to get the gist of AUR correct, that it's basically random software from random users, nothing is assumed safe: https://wiki.cachyos.org/cachyos_basic/faq/#aur-safety-pract... > this is just a wide cultural difficulty with Linux, and there isn't a clear answer I don't think "a answer" is needed here. What some read as "gatekeeping" and "Arch Linux hostility" is in reality just a difference of culture, and that's not a bad thing. Some distributions are for making things "easy for newcomers" or some focus on "best UI and UX" and others "most barebones for experienced users to setup themselves", and all of them as valid as the other. The tricky (and slow/time consuming) part is that you have to try a bunch before you find which one(s) aligns with your own perspectives and ideas. Ultimately, users can learn best together with distributions that align with how they think and want to work. |
|
| |
| ▲ | embedding-shape 2 hours ago | parent | prev | next [-] | | > What review should users do? The same sort of review you'd do if a stranger sends over a project and says "compile and run this" and you actually want whatever it's supposed to do, so you start looking through it. > It appears that, in some cases, these were adding npm as a dependency and installing atomic-lockfile, and in others, these were adding bun and installing js-digest That's very suspicious if the package you're about to install doesn't seem to actually need those things. Since "AUR === random strangers on the internet with zero trust", then you need to pay attention to those sort of things. > Asking a user to safely review an AUR package essentially seems like it is asking them to fully understand not just the build process, and programming language, of the upstream package, but also all details of Archlinux's build system. Yes, indeed. Same as if you come across a random C++ project on GitHub with 2 stars, do you just pull down the source and compile willy-nilly? Probably not, you carefully inspect it can actually do what you want, how it does it, and so on. AUR is basically like GitHub in this case, zero peer-reviews and users fully responsible for whatever they install. > At that point, what is AUR actually offering that installing the upstream package isn't? PKGBUILDs, so you don't have to write them yourself. Not more, not less, just a central place for random strangers to share PKGBUILDs that may or may not work for others. | | |
| ▲ | beej71 2 hours ago | parent [-] | | I hear you, but consider xz. I'm a professional with decades of experience and I'd be lying if I said I'd have caught that. How long would an audit have taken, realistically? You're not wrong, but I don't think the GP is, either. | | |
| ▲ | embedding-shape 2 hours ago | parent [-] | | Yeah, xz found its way to official repos, that's way more disturbing and scary that this (faux) issue about malware on AUR/user-generated websites. I don't review updates to official packages on Arch, I don't think most people have time to do so, it's just way too much. Things change when we talk about AUR though, as those aren't vetted, those you need to take the time to review, otherwise you're basically installing completely unreviewed software from strangers on the internet. |
|
| |
| ▲ | yjftsjthsd-h 4 hours ago | parent | prev [-] | | > At that point, what is AUR actually offering that installing the upstream package isn't? It produces package files that pacman can use. Sure, you can curl|sh or whatever, but that's a good way to litter stuff all over that you can't track or uninstall cleanly. |
|
