this post was submitted on 12 Jun 2026
175 points (99.4% liked)

Linux

14347 readers
403 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] somegeek@programming.dev 1 points 1 month ago (5 children)

What do you mean by "tying AUR updates to system updates" ?

[–] RepleteLocum@lemmy.blahaj.zone 5 points 1 month ago (4 children)

As in updating the AUR when you update your system packages, which come from known sources.

[–] hoppolito@mander.xyz 6 points 1 month ago* (last edited 1 month ago) (3 children)

And just to be very explicit why this is an issue: each time the package is upgraded through an automated update, the PKGBUILD may change (e.g. to adapt to different dependencies, file structure, etc introduced with new app version).

That also means an AUR maintainer can smuggle in malware with any of those updates, even if you checked the original PKGBUiLD when you installed. And, anyone can request taking over maintenance for unmaintained packages, so it can even happen if the original maintainer was benevolent.

Always check PKGBUILD files on upgrade, even if just a glance. If I remember correctly yay had a function to always show you PKGBUILD diffs before updates, not sure if that was automatically enabled.

[–] jcarax@beehaw.org 2 points 1 month ago

Yeah, it's never sat very well with me. I've gone through cycles where I'll use a good bit of AUR, to none at all. I had been using a handful of things, but realized that almost all of it was Python stuff that I could more safely install with pip or uv, so I've migrated all of that. The one thing left is Manuskript, and it hardly gets updates anyway.

load more comments (2 replies)
load more comments (2 replies)
load more comments (2 replies)