linuxmemes

TL;DR: Don't think of the AUR as a package source, but as of an only mildly moderated, but ultimately free and open, sharing platform for PKGBUILDs, primarily useful for (self-)packagers, not necessarily non-technical end users.

Before the AUR, you had people individually hosting their PKGBUILDs anywhere, sometimes on GitHub or the BBS (yeah, it's been a while), sometimes along with a repository URL you could add to your pacman.conf to install packages right away, and it was glorious. I didn't have to write a working PKGBUILD myself from scratch, and I could decide if I trusted that particular packager to not screw me sideways with a pre-built package. An officialized "Trusted User" (TU) role emerged from this idea, which has recently been renamed to Package Maintainer (PM). This is fundamentally still how the AUR works, it just became much bigger, and easier to search for particular software. Packagers gift to you their idea of how software should be packaged, for you to expand upon, take inspiration from, or learn, or use as-is if you determine it to be good for your purpose.

The AUR is ultimately a great resource for packagers, and still useful for users, but "true end users" get the extra repository, and community, kind of, before that, and should try to avoid the AUR if they can, or at least be prepared to put in effort to establish trust, or get help.

A handful of Package Maintainers are manually adopting and subsequently vetting for sufficiently popular packages to move them from the AUR to the official extra repository, which is deemed safe to use as-is, on a best-effort basis. Obviously, this is a bottleneck, as it is not feasible for the few volunteering PMs to adopt and maintain 10k+ AUR packages and be held to any quality standard. That's why "you are on your own" with the AUR.

On the positive side, there's a voting system to determine package popularity. AUR packagers have a public list of maintained packages, and a comprehensive git commit history. Establishing trust is still crucial, and I feel hard pressed to name a reasonably popular/useful package that isn't already in extra or has been maintained in the AUR for a long time.

The biggest risk, IMHO, for malware getting slipped into a package is orphaning a popular package, and having it adopted by a malevolent user. This is something I personally look out for. If the maintainer changed, I make sure to check the commit history to see what they did. Most of the time it's genuine fixes, but if anything is changed without a damn good and obvious reason, hit up the AUR mods and ask for help. This is how malware is spotted. Also, typically only the version is bumped in a PKGBUILD on an update, which is a change I feel safe waving through, too. If the download URI changes, or patches are added, I do look at them to determine the reason, and if that isn't explained well enough to understand, that's a red flag. Better ask someone before running this.

source: personal involvement in Arch since 2002

Does anyone else manually review PKGBUILDs before installing or upgrading anything from the AUR?

I smell something fishy going on. I've been using the AUR for a long time and I'm now just hearing of malware?

Some people ask me why I use Flatpak on Arch. This is one of the reasons.

I use NixOS so everything is second party

I've been using Debian for years and prefer deb based systems, but recently I messed a bit around with Manjaro, and the amount of packages only available from the AUR is, erm, remarkable.

Aur is probably the main reason why many people use Arch and derivatives. However, many users are unaware that aur is not an official Arch repository and that, as you say, you are the one who has to monitor the pkgbuilds of each installed aur package. Normally the most used aur packages tend to generate more confidence but that does not prevent that package to include malicious software in a version change and having root access to the system can take control of certain system services. That's why I always recommend not using Aur and that's why I've always found Manjaro to be a great distribution, as it retains packages for a few days to check them and discourages the use of aur. Any security measure is too little and that's why any security tool you can configure is advisable. In a rolling distribution where new code is constantly entering the system, it is essential to have selinux and secureboot enabled.

By user "Forsen on top" fucking KEK

Also yeah it’s chrome, obviously it’s malware

Is this post intended to be a sort of outcry around the idea that there's a risk of malware being in the AUR?

Meanwhile me who using CHAOTIC-AUR be like :

Malware in some user-made package on the internet?

Idk I love the aur, just check comments and dont grab whatever the fk you see, I also have flatpak support tho (uninstalled snap, felt like I wanted all options but it was mostly useless, id pick an appimage over snap for the one or two things not on flathub/aur) Nothing popular like rexuiz was on the snap store but also had an appimage.

Was there for 2 days before it was caught and they would of had to be manually installed?

I think that's much safer than any other platform I've heard of