495
Personally I'm grateful to not need 3rd party packages (lemmy.world)
submitted 2 days ago by TheTwelveYearOld@lemmy.world to c/linuxmemes@lemmy.world
75 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[-] Gyroplast@pawb.social 94 points 1 day ago

TL;DR: Don't think of the AUR as a package source, but as of an only mildly moderated, but ultimately free and open, sharing platform for PKGBUILDs, primarily useful for (self-)packagers, not necessarily non-technical end users.

Before the AUR, you had people individually hosting their PKGBUILDs anywhere, sometimes on GitHub or the BBS (yeah, it's been a while), sometimes along with a repository URL you could add to your pacman.conf to install packages right away, and it was glorious. I didn't have to write a working PKGBUILD myself from scratch, and I could decide if I trusted that particular packager to not screw me sideways with a pre-built package. An officialized "Trusted User" (TU) role emerged from this idea, which has recently been renamed to Package Maintainer (PM). This is fundamentally still how the AUR works, it just became much bigger, and easier to search for particular software. Packagers gift to you their idea of how software should be packaged, for you to expand upon, take inspiration from, or learn, or use as-is if you determine it to be good for your purpose.

The AUR is ultimately a great resource for packagers, and still useful for users, but "true end users" get the extra repository, and community, kind of, before that, and should try to avoid the AUR if they can, or at least be prepared to put in effort to establish trust, or get help.

A handful of Package Maintainers are manually adopting and subsequently vetting for sufficiently popular packages to move them from the AUR to the official extra repository, which is deemed safe to use as-is, on a best-effort basis. Obviously, this is a bottleneck, as it is not feasible for the few volunteering PMs to adopt and maintain 10k+ AUR packages and be held to any quality standard. That's why "you are on your own" with the AUR.

On the positive side, there's a voting system to determine package popularity. AUR packagers have a public list of maintained packages, and a comprehensive git commit history. Establishing trust is still crucial, and I feel hard pressed to name a reasonably popular/useful package that isn't already in extra or has been maintained in the AUR for a long time.

The biggest risk, IMHO, for malware getting slipped into a package is orphaning a popular package, and having it adopted by a malevolent user. This is something I personally look out for. If the maintainer changed, I make sure to check the commit history to see what they did. Most of the time it's genuine fixes, but if anything is changed without a damn good and obvious reason, hit up the AUR mods and ask for help. This is how malware is spotted. Also, typically only the version is bumped in a PKGBUILD on an update, which is a change I feel safe waving through, too. If the download URI changes, or patches are added, I do look at them to determine the reason, and if that isn't explained well enough to understand, that's a red flag. Better ask someone before running this.

source: personal involvement in Arch since 2002

[-] 2deck@lemmy.world 5 points 1 day ago

Thanks for the information!

this post was submitted on 02 Aug 2025
495 points (100.0% liked)

linuxmemes

26544 readers
1611 users here now

Hint: :q!

Sister communities:

Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack users for any reason. This includes using blanket terms, like "every user of thing".
  • Don't get baited into back-and-forth insults. We are not animals.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
    • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn, no politics, no trolling or ragebaiting.
    • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.
    • 5. ๐Ÿ‡ฌ๐Ÿ‡ง Language/ัะทั‹ะบ/Sprache
  • This is primarily an English-speaking community. ๐Ÿ‡ฌ๐Ÿ‡ง๐Ÿ‡ฆ๐Ÿ‡บ๐Ÿ‡บ๐Ÿ‡ธ
  • Comments written in other languages are allowed.
  • The substance of a post should be comprehensible for people who only speak English.
  • Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.
    • 6. (NEW!) Regarding public figuresWe all have our opinions, and certain public figures can be divisive. Keep in mind that this is a community for memes and light-hearted fun, not for airing grievances or leveling accusations.
  • Keep discussions polite and free of disparagement.
  • We are never in possession of all of the facts. Defamatory comments will not be tolerated.
  • Discussions that get too heated will be locked and offending comments removed.
    • ย 

    Please report posts and comments that break these rules!

    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.

    founded 2 years ago
    MODERATORS
    poopsmith@lemmy.world
    zephyr@lemmy.world
    rtxn@lemmy.world