this post was submitted on 14 Jun 2026
141 points (97.3% liked)
Linux
What about Aura? https://aur.archlinux.org/packages/aura
Edit: Sorry, I realize my rambling didn't answer your question. My suggestion is to not use aura. I do not see anything on their repo about their trust model or if they just do it like yay/paru. This is also why I recommend aurto and not aurutils. People would just skip the diff with aurutils.
The thing is, aurto is not the helper. The helper is aurutils. aurto is just the local repo manager that adds a timer to auto-update and some QoL features. But to add packages to that local repo, you need to add the maintainer to the trust list. That means the current attack of adopting orphaned / unmaintained packages is moot. The maintainer change means the packages are kicked out and not tracked anymore by aurto. You can still re-add them after you've confirmed that they're safe.

That being said, aurto does have an issue. It trusts the PKGBUILD of the author/maintainer, so if the maintainer gets hacked or goes rogue, it will not protect you. Same as with every other package manager in that case.
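
A sketch of the maintainer trust-list check described in the comment above, added here as an example; it is not code from aurto or aurutils. The JSON is a constructed sample shaped like an AUR RPC info reply, and the function name, package names and maintainers are hypothetical. The "review" outcome for a handover between two trusted maintainers goes beyond what the comment describes.

```python
import json

# Constructed sample shaped like an AUR RPC v5 "info" reply; every name is made up.
SAMPLE_RPC_REPLY = json.loads("""
{"version": 5, "type": "multiinfo", "resultcount": 4, "results": [
  {"Name": "foo-bin", "Maintainer": "alice",   "Version": "1.2-1"},
  {"Name": "bar-git", "Maintainer": "mallory", "Version": "r10.abc-1"},
  {"Name": "baz",     "Maintainer": null,      "Version": "0.9-3"},
  {"Name": "qux",     "Maintainer": "bob",     "Version": "2.0-1"}
]}
""")


def audit_tracked(tracked, trusted, rpc_reply):
    """Decide, per tracked package, whether it may stay in the local repo.

    tracked: {package: maintainer recorded when the PKGBUILD was last reviewed}
    trusted: set of maintainer names the user has explicitly chosen to trust
    Returns {package: (decision, reason)}, decision in keep / review / drop.
    """
    current = {r["Name"]: r.get("Maintainer") for r in rpc_reply.get("results", [])}
    report = {}
    for pkg, reviewed_by in sorted(tracked.items()):
        if pkg not in current:
            report[pkg] = ("drop", "no longer listed")
            continue
        now = current[pkg]
        if now is None:
            # Orphaned: anyone may adopt it next, so stop tracking it.
            report[pkg] = ("drop", "orphaned, no maintainer")
        elif now not in trusted:
            # The adoption scenario from the comment: new, untrusted maintainer.
            report[pkg] = ("drop", f"maintainer {now!r} not trusted (was {reviewed_by!r})")
        elif now != reviewed_by:
            # Handover between two trusted names: re-read the PKGBUILD diff.
            report[pkg] = ("review", f"maintainer changed {reviewed_by!r} -> {now!r}")
        else:
            report[pkg] = ("keep", "maintainer unchanged and trusted")
    return report


if __name__ == "__main__":
    tracked = {"foo-bin": "alice", "bar-git": "bob", "baz": "carol",
               "qux": "alice", "gone-pkg": "alice"}
    for pkg, (decision, reason) in audit_tracked(
            tracked, {"alice", "bob", "carol"}, SAMPLE_RPC_REPLY).items():
        print(f"{decision:6} {pkg:9} {reason}")
```

As the comment notes, a check like this does nothing when a maintainer who is already trusted pushes a malicious PKGBUILD; only reading the diff covers that case.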