this post was submitted on 02 Aug 2025
522 points (98.5% liked)

linuxmemes

    [–] Gyroplast@pawb.social 99 points 3 weeks ago (1 children)

    TL;DR: Don't think of the AUR as a package source, but as an only mildly moderated, but ultimately free and open, sharing platform for PKGBUILDs, primarily useful for (self-)packagers, not necessarily non-technical end users.

    Before the AUR, you had people individually hosting their PKGBUILDs anywhere, sometimes on GitHub or the BBS (yeah, it's been a while), sometimes along with a repository URL you could add to your pacman.conf to install packages right away, and it was glorious. I didn't have to write a working PKGBUILD myself from scratch, and I could decide if I trusted that particular packager to not screw me sideways with a pre-built package. An officialized "Trusted User" (TU) role emerged from this idea, which has recently been renamed to Package Maintainer (PM). This is fundamentally still how the AUR works, it just became much bigger, and easier to search for particular software. Packagers gift to you their idea of how software should be packaged, for you to expand upon, take inspiration from, or learn, or use as-is if you determine it to be good for your purpose.

    The AUR is ultimately a great resource for packagers, and still useful for users, but "true end users" get the extra repository, and community, kind of, before that, and should try to avoid the AUR if they can, or at least be prepared to put in effort to establish trust, or get help.

    A handful of Package Maintainers are manually adopting and subsequently vetting for sufficiently popular packages to move them from the AUR to the official extra repository, which is deemed safe to use as-is, on a best-effort basis. Obviously, this is a bottleneck, as it is not feasible for the few volunteering PMs to adopt and maintain 10k+ AUR packages and be held to any quality standard. That's why "you are on your own" with the AUR.

    On the positive side, there's a voting system to determine package popularity. AUR packagers have a public list of maintained packages, and a comprehensive git commit history. Establishing trust is still crucial, and I feel hard pressed to name a reasonably popular/useful package that isn't already in extra or has been maintained in the AUR for a long time.

    The biggest risk, IMHO, for malware getting slipped into a package is orphaning a popular package, and having it adopted by a malevolent user. This is something I personally look out for. If the maintainer changed, I make sure to check the commit history to see what they did. Most of the time it's genuine fixes, but if anything is changed without a damn good and obvious reason, hit up the AUR mods and ask for help. This is how malware is spotted. Also, typically only the version is bumped in a PKGBUILD on an update, which is a change I feel safe waving through, too. If the download URI changes, or patches are added, I do look at them to determine the reason, and if that isn't explained well enough to understand, that's a red flag. Better ask someone before running this.

    source: personal involvement in Arch since 2002
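    The review routine in the comment above (version bump only: fine; maintainer change, new download URI, added patches or edited build steps: read the diff) can be automated as a first pass. The script below is an added example, not code from this thread or from any Arch tool; it parses two revisions of a PKGBUILD and separates routine bumps from changes that need a manual read. The two PKGBUILD texts are constructed samples using the reserved example.invalid domain, and the parser only handles the common PKGBUILD layout (one assignment per line, arrays that may span lines, functions closed by a `}` in column 0).

```python
"""Triage a PKGBUILD update before building it (added example, constructed samples)."""
import re
from difflib import unified_diff

# Variables expected to change on an ordinary version bump.
ROUTINE_VARS = {"pkgver", "pkgrel", "md5sums", "sha256sums", "sha512sums", "b2sums"}

_MAINT = re.compile(r"^#\s*Maintainer:\s*(.*)$")
_ASSIGN = re.compile(r"^(\w+)=(.*)$")
_FUNC = re.compile(r"^(\w+)\s*\(\)\s*\{")


def parse_pkgbuild(text):
    """Return {name: value} for assignments, {name(): body} for functions and
    {"maintainer": who} from the header comment. Deliberately simple."""
    items, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        maint, func, assign = _MAINT.match(line), _FUNC.match(line), _ASSIGN.match(line)
        if maint:
            items["maintainer"] = maint.group(1).strip()
        elif func:
            body = []
            i += 1
            while i < len(lines) and lines[i] != "}":
                body.append(lines[i].strip())
                i += 1
            items[func.group(1) + "()"] = "\n".join(body)
        elif assign:
            name, value = assign.group(1), assign.group(2).strip()
            if value.startswith("(") and not value.endswith(")"):
                parts = [value]          # array literal continues on following lines
                i += 1
                while i < len(lines):
                    parts.append(lines[i].strip())
                    if lines[i].rstrip().endswith(")"):
                        break
                    i += 1
                value = " ".join(parts)
            items[name] = value
        i += 1
    return items


def _array_entries(value):
    """Split a bash array literal like ("a" 'b') into its entries."""
    return [e.strip("\"'") for e in value.strip("()").split()]


def review_pkgbuild_change(old_text, new_text):
    """Return (routine, flags). routine: variables that changed as a version
    bump would change them. flags: reasons to read the diff by hand. An empty
    flags list means nothing beyond the bump moved, not that the package is safe."""
    old, new = parse_pkgbuild(old_text), parse_pkgbuild(new_text)
    routine, flags = [], []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name), new.get(name)
        if before == after:
            continue
        if name in ROUTINE_VARS:
            routine.append(name)
        elif name.endswith("()"):          # shell that makepkg will execute
            if before is None:
                flags.append(f"{name} added:\n{after}")
            elif after is None:
                flags.append(f"{name} removed")
            else:
                diff = unified_diff(before.splitlines(), after.splitlines(),
                                    "old", "new", lineterm="", n=0)
                flags.append(f"{name} body changed:\n" + "\n".join(diff))
        elif name.startswith("source"):    # new hosts or patch files pull in code
            old_e, new_e = _array_entries(before or "()"), _array_entries(after or "()")
            flags += [f"{name}: added {e}" for e in new_e if e not in old_e]
            flags += [f"{name}: removed {e}" for e in old_e if e not in new_e]
        else:                              # maintainer, url, install, depends, ...
            flags.append(f"{name} changed: {before!r} -> {after!r}")
    return routine, flags


# Constructed sample: the revision you already built and trust.
OLD_PKGBUILD = """\
# Maintainer: Example Maintainer <maintainer@example.invalid>
pkgname=foo-bin
pkgver=1.2.0
pkgrel=1
pkgdesc="Constructed sample package"
arch=('x86_64')
url="https://example.invalid/foo"
license=('MIT')
source=("https://example.invalid/foo/releases/foo-$pkgver.tar.gz")
sha256sums=('1111111111111111111111111111111111111111111111111111111111111111')

package() {
    install -Dm755 "$srcdir/foo" "$pkgdir/usr/bin/foo"
}
"""
# Constructed sample: an ordinary upstream release bump.
NEW_ROUTINE = OLD_PKGBUILD.replace("pkgver=1.2.0", "pkgver=1.2.1").replace("1" * 64, "2" * 64)
# Constructed sample: same bump, but after adoption by a new maintainer who
# adds a second download and a prepare() step that applies it.
NEW_SUSPICIOUS = """\
# Maintainer: New Adopter <adopter@example.invalid>
pkgname=foo-bin
pkgver=1.2.1
pkgrel=1
pkgdesc="Constructed sample package"
arch=('x86_64')
url="https://example.invalid/foo"
license=('MIT')
source=("https://example.invalid/foo/releases/foo-$pkgver.tar.gz"
        "https://cdn.example.invalid/foo/hotfix.patch")
sha256sums=('2222222222222222222222222222222222222222222222222222222222222222'
            '3333333333333333333333333333333333333333333333333333333333333333')

prepare() {
    patch -p1 -d "foo-$pkgver" < "$srcdir/hotfix.patch"
}

package() {
    install -Dm755 "$srcdir/foo" "$pkgdir/usr/bin/foo"
}
"""

if __name__ == "__main__":
    for label, new in (("routine bump", NEW_ROUTINE), ("adopted package", NEW_SUSPICIOUS)):
        routine, flags = review_pkgbuild_change(OLD_PKGBUILD, new)
        print(f"== {label}: routine={routine}, {len(flags)} flag(s)")
        for flag in flags:
            print("FLAG:", flag)
```

In real use you would feed it the PKGBUILD you last built (for example from the AUR package's git history) and the one an AUR helper is about to build; anything it flags is exactly the part of the diff the comment above says to read before running makepkg.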

    [–] 2deck@lemmy.world 6 points 3 weeks ago

    Thanks for the information!

    [–] Technus@lemmy.zip 72 points 3 weeks ago (8 children)

    Does anyone else manually review PKGBUILDs before installing or upgrading anything from the AUR?

    [–] tomkatt@lemmy.world 54 points 3 weeks ago* (last edited 3 weeks ago)

    I do, but not as closely or as often as I should. Recent malware is a reminder to be careful, I think I was starting to take the AUR for granted as a repo when really it’s still the Wild West.

    [–] Overspark@feddit.nl 7 points 3 weeks ago

    Yeah, paru makes it pretty easy to do, and can also build packages in a chroot, adding some extra security.

    [–] JackbyDev@programming.dev 7 points 3 weeks ago (3 children)

    Sort of, but I don't know what I'm looking for. It would be nice if folks explained what a bad one looks like.

    [–] prole@lemmy.blahaj.zone 6 points 3 weeks ago* (last edited 3 weeks ago)

    Look for comments that say "# THIS IS MALWARE"

    [–] nesc@lemmy.cafe 4 points 3 weeks ago

    I do, also most aur-helpers skip or make reviewing a chore.

    [–] iAvicenna@lemmy.world 2 points 3 weeks ago (1 children)

    at the risk of getting downvoted, I wonder if an LLM would spot it

    [–] 0xD@infosec.pub 2 points 3 weeks ago

    Also with paru. I mainly check that the download shows the correct URL and does standard stuff with it.

    [–] DonutsRMeh@lemmy.world 51 points 3 weeks ago (4 children)

    I smell something fishy going on. I've been using the AUR for a long time and I'm now just hearing of malware?

    [–] Zikeji@programming.dev 91 points 3 weeks ago (2 children)

    There's been malware in the past, not only that - AUR is user submitted. It's in the name. They warn you to double check what you're installing. It is functionally similar to running a random installer you found on GitHub.

    It seems like these instances are being intentionally blown out of proportion, but I don't see what there is to gain by doing that.

    [–] kadup@lemmy.world 70 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

    It is functionally similar to running a random installer you found

    So basically how Windows users have been acquiring their software for the last 30 years.

    [–] dan@upvote.au 5 points 3 weeks ago (3 children)

    Technical users that are comfortable at a command line often use WinGet these days. It works in Windows Sandbox too; you just need to manually install it.

    [–] Overspark@feddit.nl 18 points 3 weeks ago (3 children)

    WinGet is nothing more than a list of random packages on Github.

    [–] JackbyDev@programming.dev 8 points 3 weeks ago (1 children)

    Don't forget they stole it from the app get and refused to hire its dev.

    [–] AdamBomb@lemmy.sdf.org 3 points 3 weeks ago

    Facts. It’s also the worst package manager on Windows anyway.

    [–] AdamBomb@lemmy.sdf.org 7 points 3 weeks ago

    My ranking of package managers on Windows:

    1. Chocolatey: the oldest and has the most packages. Packages are AV scanned. Enterprisey.
    2. Scoop: Somewhat fewer packages, but easier to package for. More technical focus. FOSSy.
    3. Winget: fewest packages, and Microsoft literally stole it from its creator. I’m not aware of any reason to use winget over choco or scoop.
    [–] DonutsRMeh@lemmy.world 7 points 3 weeks ago (1 children)

    I don't want to say stupid things, but I have so many theories. I check the shit out of a package before installing it. I even go to the GitHub page and make sure of things.

    [–] possiblylinux127@lemmy.zip 43 points 3 weeks ago (2 children)

    The AUR is made up of user packages

    It isn't crazy that malware made it in. It is very much a "user at your own risk." Packages are reviewed but sometimes things slip in.

    [–] Shareni@programming.dev 24 points 3 weeks ago

    It's an obvious vector for malware, arch by default doesn't come with it, and users have been warned the entire time to check pkgbuild. There's nothing fishy, it's just that arch has enough users to be worth it to hit it.

    [–] Allero@lemmy.today 30 points 3 weeks ago (1 children)

    Some people ask me why I use Flatpak on Arch. This is one of the reasons.

    [–] mazzilius_marsti@lemmy.world 2 points 3 weeks ago (10 children)

    does the upgrade pacman -Syu also upgrade Flatpak packages? Or do you have to do them separately?

    [–] Allero@lemmy.today 7 points 3 weeks ago* (last edited 3 weeks ago)

    Separately, through flatpak update.

    Or together with everything through other tools. I go with pamac; it can be used both from the CLI and the GUI, and it updates and installs everything at once - repos, AUR and Flatpak.

    [–] iopq@lemmy.world 27 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

    I use NixOS so everything is second party

    [–] Shareni@programming.dev 6 points 3 weeks ago (4 children)

    And every package is added and maintained by volunteers.

    [–] Sxan@piefed.zip 6 points 3 weeks ago* (last edited 3 weeks ago)

    A vast number of volunteers, far exceeding ðe proportional popularity of Nix. It's as if every Nix user submits a package.

    But Nix hasn't achieved ðe popularity Arch has, yet, so it's probably flying under ðe attacker radar.

    [–] Integrate777@discuss.online 3 points 3 weeks ago* (last edited 3 weeks ago)

    I've also used nixos but not arch. Is the AUR also volunteer maintained? How do they differ?

    [–] pedz@lemmy.ca 22 points 3 weeks ago (15 children)

    I've been using Debian for years and prefer deb based systems, but recently I messed a bit around with Manjaro, and the amount of packages only available from the AUR is, erm, remarkable.

    [–] prole@lemmy.blahaj.zone 4 points 3 weeks ago (1 children)

    At risk of repeating myself from another comment here: you can access the AUR from other distros by making an Arch distrobox. It's actually super easy.

    [–] pedz@lemmy.ca 10 points 3 weeks ago

    So, you can install malware on other distros from the AUR?

    Usually if the software I want is not on debian's repos, I'll try to get the source and compile it, or last resort, use an appimage. I'm not really fond of mixing different installation methods coming from different distros, but... it's good to know.

    [–] krakenfury@lemmy.sdf.org 2 points 3 weeks ago

    Debian and Ubuntu based distros have PPAs which serve the same purpose as the AUR.

    [–] Maragato@lemmy.world 13 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

    Aur is probably the main reason why many people use Arch and derivatives. However, many users are unaware that aur is not an official Arch repository and that, as you say, you are the one who has to monitor the pkgbuilds of each installed aur package. Normally the most used aur packages tend to generate more confidence, but that does not prevent a package from including malicious software in a version change, and with root access to the system it can take control of certain system services. That's why I always recommend not using Aur, and that's why I've always found Manjaro to be a great distribution, as it retains packages for a few days to check them and discourages the use of aur. Any security measure is too little, and that's why any security tool you can configure is advisable. In a rolling distribution where new code is constantly entering the system, it is essential to have selinux and secureboot enabled.

    [–] prole@lemmy.blahaj.zone 5 points 3 weeks ago* (last edited 3 weeks ago)

    Aur is probably the main reason why many people use Arch and derivatives.

    FYI, non-Arch distros can use AUR with an Arch distrobox. So people shouldn't be using Arch just for AUR.

    Being in a distrobox may or may not protect your system from potential malware, that I cannot say.

    [–] yardratianSoma@lemmy.ca 4 points 3 weeks ago

    It used to be my reason too, but after breaking my system by my own hand many times, I realized the aur isn't worth the effort, for me at least.

    I'd rather build from source, for software that isn't maintained in the repos.

    [–] germanatlas@lemmy.blahaj.zone 12 points 3 weeks ago* (last edited 3 weeks ago)

    By user "Forsen on top" fucking KEK

    Also yeah it’s chrome, obviously it’s malware

    [–] Kalcifer@sh.itjust.works 9 points 3 weeks ago

    Is this post intended to be a sort of outcry around the idea that there's a risk of malware being in the AUR?

    [–] devilish666@lemmy.world 9 points 3 weeks ago (1 children)

    Meanwhile me who using CHAOTIC-AUR be like :

    [–] Sunny@slrpnk.net 4 points 3 weeks ago (1 children)

    As someone not too familiar with arch and not understanding the full context, could you elaborate on how Chaotic AUR differs from AUR?

    [–] maxwells_daemon@lemmy.world 3 points 3 weeks ago

    Malware in some user-made package on the internet?

    [–] dil@lemmy.zip 2 points 3 weeks ago

    Idk, I love the aur, just check comments and don't grab whatever the fk you see. I also have flatpak support tho (uninstalled snap, felt like I wanted all options but it was mostly useless, I'd pick an appimage over snap for the one or two things not on flathub/aur). Nothing popular like rexuiz was on the snap store but also had an appimage.

    [–] odama626@lemmy.world 2 points 3 weeks ago

    Was there for 2 days before it was caught, and they would have had to be manually installed?

    I think that's much safer than any other platform I've heard of
