this post was submitted on 16 Jun 2026 to libre

Nearly 2000 packages affected now.

I'm starting to become sceptical of package managers as a concept.

[–] dustcommie@hexbear.net 7 points 2 weeks ago* (last edited 2 weeks ago)

As far as I can tell this only affects the AUR (which you have to go out of your way to access, and you are encouraged to review all the build scripts, although in practice I suspect many people are complacent or not knowledgeable enough), not the official repos. I am guessing the official repos for Gentoo and Arch have similar security, but if you go and get unofficial/user ebuilds for Gentoo you likely run into many of the same situations (although I don't really know much about the Gentoo ecosystem).

It is also worth pointing out Arch probably has a much larger target on its back since it is much more popular and there are many distros based off of it (which tends to attract the less knowledgeable users, who are prime targets for just randomly getting AUR packages without thinking).

Edit: For Gentoo, it looks like GURU is more secure and has trusted users who review, but in practice I don't know how well they do review or if they have had problems with people trying to submit malicious scripts. Also, it looks like GURU is considered more "official" than the AUR, so they are not really direct comparisons, but I suspect they play similar roles in the community.