this post was submitted on 12 Jun 2026
12 points (100.0% liked)

Intergalaktische Bogengemeinschaft

372 readers
1 users here now

Willkommen in der Bogengemeinschaft!

Um euch den Einstieg so angenehm wie möglich zu machen, haben wir hier die wichtigsten Informationen zusammengestellt.

Für Nichtbogennutzer und Neulinge empfehlen wir euch, zunächst vollständig das Wiki zu lesen, bevor ihr eine Frage stellt: https://wiki.archlinux.org/

Fortgeschrittene Bogennutzer finden hier Unterstützung: https://wiki.archlinux.org/

Bei Anregungen und Ideen zu dieser Gemeinschaft bitten wir euch, davon abzusehen und das Wiki zu lesen: https://wiki.archlinux.org/

Weitere Informationen findet ihr hier: https://wiki.archlinux.org/

Wir wünschen euch viel Spaß in dieser Gemeinschaft!

Ehemals /c/bogengemeinschaft@feddit.de.

founded 2 years ago
MODERATORS
Peter_Arbeitslos@feddit.org
aaaaaaaaargh@feddit.org
12
400+ Arch Linux AUR Packages Compromised in a Supply Chain Attack Deploying Infostealers (cybersecuritynews.com)
submitted 5 days ago by Peter_Arbeitslos@feddit.org to c/bogengemeinschaft@feddit.org
8 comments fedilink hide all child comments
top 8 comments
sorted by: hot top controversial new old
[–] cattywampus@lemmy.world 5 points 5 days ago* (last edited 5 days ago) (2 children)

Love Arch and was into the AUR for a while until I started to become more concerned with security. You really should verify the pkgbuild and the software source, even skim over the code if you're technically inclined. I understand at some level there's always a degree of trust involved in open source (and more in closed source). Personally I would keep my AUR packages to an absolute minimum so they are easier to monitor. Same to PPA's for Ubuntu or COPR for Fedora. These days verified flatpaks are good enough for almost everything I use.

[–] Peter_Arbeitslos@feddit.org 4 points 5 days ago (1 children)

And if you got infected with something, just read the arch wiki. It will cure you.

[–] cattywampus@lemmy.world 4 points 5 days ago (1 children)

I'm only infected with my deep and eternal passion for u/Peter_Arbeitslos@feddit.org

[–] manxu@piefed.social 3 points 5 days ago (1 children)

Yeah, that whole unverified developer build installation was always very risky. It's a real shame that so many distros fail to keep up with recent packaging, and that so many development environments have super lax policies on who can post a package to their repositories.

[–] cattywampus@lemmy.world 1 points 5 days ago* (last edited 5 days ago) (1 children)

You have to remember these are mostly people volunteering their time and who have entire full time jobs and lives outside of the distro. The amount of money doesn't cover the amount of employees for the amount of work there is. Even amongst the paid individuals, they're typically taking a substantial pay cut from what they could be paid doing something else. Linux is mostly built and maintained from philanthropy and passion.

[–] manxu@piefed.social 2 points 5 days ago (1 children)

You are absolutely right, and it's a shame that especially large corporations use open source without giving much back.

Still, the setup of a lot of software repositories and package management is almost comically lax. A little extra effort might do a lot of good, is all I am saying.

[–] cattywampus@lemmy.world 1 points 5 days ago* (last edited 5 days ago)

You're more than free to donate time. Linux is free monetarily but more importantly it's free as in freedom. You want something, you are free to go get it.