this post was submitted on 14 Jun 2026
141 points (97.3% liked)

Linux

14103 readers
184 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 3 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
141
The security situation with the Arch Linux AUR got a lot worse (www.gamingonlinux.com)
submitted 1 week ago by cm0002@europe.pub to c/linux@programming.dev
40 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] BB_C@programming.dev 1 points 1 week ago

Unless every single dependency is version locked

Which is the case with Cargo.lock. You can even lock the toolchain itself with rust-toolchain.toml. There a reason why uv developers knew what good practices to implement in their quest to fix python tooling 😉.

one update or maintainer change can silently compromise the whole chain.

That's another failed analogy. There is no orphaning and total randos taking over in crates.io (same for npm/pypi I would assume). The owner himself must hand over or give permissions to a specific person/account. That's another implicit chain of trust that doesn't exist in AUR.

Nothing is fail-proof of course, as the xz incident showed.

I don't follow npm incidents closely, but the cases I saw involved the legit owners/maintainers themselves, who were either compromised, or genuinely doing the compromising themselves 🤣.

Arch is a single rolling release

This is largely irrelevant to the discussion.

hit Rust and PyPi in a similar way.

It won't be similar for the all the reasons stated.

And a strict “version locking” ethos can lead to security problems down the line, too.

That's where language implementation compat guarantees, audit tooling (cargo audit et al) and good tooling in general, together with a good semver story in the ecosystem itself, ALL come together to make this largely not a problem.

This works well enough in the crates.io ecosystem.

From what I hear, npm has the audit tooling part covered. But it's failure in all the other aspects that's making the situation unattainable.

As with pypi, there is the pain point of python minor release updates breaking shit all the time. But beyond that, I don't know enough to give an informed take (other than that uv is a blessing for those who don't want to get their hands really dirty in that ecosystem).

And again, these details and differences are very relevant.

It’s easy to sneak some malware downloader into a long Rust dependency chain, even if it’s technically all open code.

As of now, the number of successful supply chain attacks (where a chain of real dependants exists) in the crates.io system is ZERO.