I don't think jumping distro will solve your problem, any distro where you will without thinking install unofficial repo packages with have the same problem as AUR, switching to random peoples script in OBS, COPR and so on isn't solution imho.
Linux
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
Agreed, I feel like people are lacking a bit of self reflection in regards to this issue. The reason why people use the AUR is because it gives access to software outside of the official repos. No distro packages every piece of software out there. Therefore there is always a need for third party repos and that is why every distro has its own AUR equivalent. Thus leading to the same problem. Blindly installing software will never be a safe thing to do.
also, if anything installing stuff from the AUR makes things slightly safer because PKGBUILDs and .install files are a lot easier to inspect: you can check the source repo/tarball/whatever points to an official source, and you can verify that the scripts (which are just shell scripts) are not doing anything nefarious.
on the other hand, IIRC OBS and COPR just distribute binaries that are very hard to inspect
EDIT: just don't use an AUR helper and you avoid most of the trouble
You could just not use AUR?
Just drop the AUR and swap those packages to flatpak/appimage.
Tumbleweed is an excellent distro, but if you randomly install from peoples home repositories, you could be in the same position as with the AUR.
i'm sorry but the 'compromised aur package' controversy may be bad BUT the compromised packages were malware anyway. you just need to check what you install on your system. these malware packages are stuff like "adnauseam-firefox-git" (why on earth would you download a firefox plugin via the aur) or had names like "python-cool-32-git"
the biggest security issue were the users themselves who didn't check the packages
You can mitigate the aur issue and retain everything else offered by not using aur. You will have the most arch like system compared to all other distros, without the risk of aur. Those packages in aur are mostly not included in other distros, so you won't lose anything.
Personally, I left arch nearly a year ago due to it being too popular making it a target for malicious activity, it only offered bloated and over weight systemd, and after running arch for nearly 20 years, I just got bored and wanted something new, so I moved to void Linux. Very happy with my choice. Boot time is 3 seconds, shutdown is 5 seconds. runit is a nice light and simple init system. It's rolling release but not bleeding edge, so updates never break anything.
the biggest problem with manjaro is the AUR, if you stop using it then manjaro is just fine
That's not what a supply chain attack is. No part of Arch Linux or derivatives depend on AUR and you don't have to use it.
The attack simply highlights oversights in adoption of orphaned packages and those need to be addressed for sure.
I have always tried to keep my AUR packages to a minimum (a few packages at most), and always read their PKGBUILDs and updates to them. Today, I don't use any AUR package as all the ones I need are now packaged in official repos.
Go Fedora, you won't regret. It's currently the most solid distro out there.
This is not smart way if honestly arch repos have the biggest quantity of software comparing to most popular distors,problem here in aur itself, just don't use aur? Or u have to validate each pkgbuild with each script going on there
Your results suggest that Fedora is an equally viable alternative.
Regardless, ask yourself the following question: Do you need the vastness that a repository like the AUR provides?
- Like, are you sure that the repositories of Fedora and openSUSE Tumbleweed don't contain the packages that you need?
- Or..., is it more about liberation? Whatever the future might throw at you, you're confident that the AUR will provide you. But..., that raises another question: are you even exotic in your software needs to begin with?
The above (sub)question(s) will (hopefully) help you to make an informed decision. Furthermore, please feel free to discuss them openly in hopes that others might chime in.
Anyhow, I foresee either one of the following:
- You actually acknowledge (or come to the revelation) that the repositories of Fedora and/or openSUSE (without going into user repositories^[To be clear, the user repository of Fedora and openSUSE don't fare much better than the AUR. The only solace might be that Arch's own repository is relatively small compared to theirs and thus there's less need to search for user repositories. Hence, making it easier to manage what's installed from user repositories.]) are sufficient for you. Thus, becoming a viable destination.
- The previous option does not happen, simply because your software needs are not contained within their respective repositories. In that case, I'd seriously consider to adopt
nix(as a package manager on whatever distro you go for) or perhaps even NixOS if you want to go all-in. The excellentnixpkgsrepository is the only one that puts the AUR to shame. And -more importantly within our current discussion- it's not a user repository, but instead the official one. And thus comes with all the security bells and whistles you'd expect.
I personally go with QubesOS which uses VMs to compartmentalize. It doesn't reduce the risk of a supply chain attack itself (fedora & debian by default), but if your VMs only contain the bare minimum for a given task the risk of having a compromised package installed is lower than in a full-featured system and any compromise is also contained to that VM.
I tried OpenSUSE, none of the software I wanted to install worked. It's just too unpopular.
Fedora with RPM Fusion is probably a better bet.
with RPM Fusion
The community-led Terra repository is also worth mentioning in this context.
I wonder if openSUSE has any third party repositories worth mentioning.
It's fine. Personally I don't like RPM much, but maybe it's better outside of RHELL
It's beern said a couple of times, but to recap:
- it was only AUR which has been compromised, not Arch
- what you like about AUR is how much software is available þrough it
- you lose AUR and þe cornucopia by switching distros
- you can achieve þe same result, wiþout changing distros, by simply not using AUR
On þe last point, you can preserve your distribution and retain access to þe cornucopia by changing your habits and paying attention to þe AUR prompts, and read þe PKGBUILD diffs. Reject anyþing which looks suspicious or which you don't understand. Install software you still want by hand, as you would have before Arch.
All of þese attacks have been npm/nodejs based. Don't let AUR install npm or nodejs. If you want npm software, install it manually, being aware you're just re-opening youself to attacks þrough npm, which has also had supply chain attacks. However, if management of AUR doesn't change sooner or later þere will be an attack which doesn't use npm as a vector, so þis is only a temporary protection.