this post was submitted on 14 Jun 2026
141 points (97.3% liked)

Linux

[–] bitfucker@programming.dev 1 points 1 week ago* (last edited 1 week ago)

Edit: Sorry, I realize my rambling didn't answer your question. My suggestion is to not use aura. I do not see anything on their repo about their trust model or whether they just do it like yay/paru. This is also why I recommend aurto and not aurutils. People would just skip the diff with aurutils.

The thing is, aurto is not the helper. The helper is aurutils. aurto is just the local repo manager that adds a timer to auto-update and some QoL features. But to add packages to that local repo, you need to add the maintainer to the trust list. That means the current attack of adopting orphaned / unmaintained packages is moot. A maintainer change means the package is kicked out and not tracked anymore by aurto. You can still re-add it after you've confirmed that it's safe.

That being said, aurto does have an issue. They trust the PKGBUILD of the author/maintainer, so if the maintainer gets hacked or goes rogue, it will not protect you. Same as with every other package manager in that case.
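One way to model the trust check described in the comment above, as an added example that is not aurto's or aurutils' own code: it takes a constructed AUR RPC v5 "info" reply (the JSON shape the live endpoint returns, where `Maintainer` is null for an orphaned package), a local record of which maintainer each tracked package was trusted under, and flags packages whose maintainer changed to an untrusted user, were orphaned, or vanished from the AUR. The package names, maintainer names and the trust-record format are assumptions, not aurto's real on-disk format.

```python
import json

# Constructed AUR RPC v5 "info" reply in the shape the live endpoint
# (https://aur.archlinux.org/rpc/?v=5&type=info&arg[]=...) returns.
# Package and maintainer names are made up; "Maintainer": None is how
# the RPC reports an orphaned package.
SAMPLE_RPC_REPLY = json.dumps({
    "version": 5, "type": "multiinfo", "resultcount": 4,
    "results": [
        {"Name": "foo-git", "Maintainer": "alice"},
        {"Name": "bar", "Maintainer": "mallory"},   # adopted by someone new
        {"Name": "baz", "Maintainer": None},        # orphaned since we added it
        {"Name": "qux", "Maintainer": "bob"},
    ],
})

# Hypothetical local record (not aurto's real format): which maintainer
# each tracked package was trusted under when it was added, plus the
# trust list itself.
TRACKED = {"foo-git": "alice", "bar": "alice", "baz": "bob",
           "qux": "bob", "gone": "alice"}
TRUSTED = {"alice", "bob"}


def audit_tracked_packages(rpc_reply_json, tracked, trusted):
    """Classify tracked AUR packages against the trusted-maintainer list.

    keep    - current maintainer is on the trust list: safe to keep building
    dropped - maintainer changed to an untrusted user or the package was
              orphaned: stop tracking until a human re-confirms it
    missing - package no longer exists in the AUR (deleted or renamed)
    """
    results = {r["Name"]: r for r in json.loads(rpc_reply_json)["results"]}
    report = {"keep": [], "dropped": [], "missing": []}
    for name, added_under in sorted(tracked.items()):
        info = results.get(name)
        if info is None:
            report["missing"].append(name)
        elif info.get("Maintainer") in trusted:
            report["keep"].append(name)
        else:
            # (package, maintainer we trusted at add time, current maintainer)
            report["dropped"].append((name, added_under, info.get("Maintainer")))
    return report


if __name__ == "__main__":
    for status, entries in audit_tracked_packages(SAMPLE_RPC_REPLY, TRACKED, TRUSTED).items():
        print(status, entries)
```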