I think the way the AUR works has outlived its usefulness. It was fun while it lasted folks.
this post was submitted on 18 Jun 2026
337 points (99.7% liked)
linuxmemes
31803 readers
508 users here now
Hint: :q!
Sister communities:
Community rules (click to expand)
1. Follow the site-wide rules
- Instance-wide TOS: https://legal.lemmy.world/tos/
- Lemmy code of conduct: https://join-lemmy.org/docs/code_of_conduct.html
2. Be civil
- Understand the difference between a joke and an insult.
- Do not harrass or attack users for any reason. This includes using blanket terms, like "every user of thing".
- Don't get baited into back-and-forth insults. We are not animals.
- Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
- Bigotry will not be tolerated.
3. Post Linux-related content
- Including Unix and BSD.
- Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of
sudoin Windows. - No porn, no politics, no trolling or ragebaiting.
- Don't come looking for advice, this is not the right community.
4. No recent reposts
- Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.
5. π¬π§ Language/ΡΠ·ΡΠΊ/Sprache
- This is primarily an English-speaking community. π¬π§π¦πΊπΊπΈ
- Comments written in other languages are allowed.
- The substance of a post should be comprehensible for people who only speak English.
- Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.
6. (NEW!) Regarding public figures
We all have our opinions, and certain public figures can be divisive. Keep in mind that this is a community for memes and light-hearted fun, not for airing grievances or leveling accusations. - Keep discussions polite and free of disparagement.
- We are never in possession of all of the facts. Defamatory comments will not be tolerated.
- Discussions that get too heated will be locked and offending comments removed. Β
Please report posts and comments that break these rules!
Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.
founded 3 years ago
MODERATORS
Could the same thing happen on Flathub? Considering the number of unverified packages on the platform
My understanding is that flatpaks run in a sandbox, so although there is a risk- especially for what you give permissions to- it's not exactly the same. The AUR is basically "curl | bash", it's a miracle this hasn't happened before. If you're worried about it I think flatseal can look at the permissions and such, but you're probably fine.
Nope, the security is basically a gate in the middle of a field.
"App with access to files can access files"
And "we won't tell you which ones can"
Well, both the Flathub website and KDE Discover list this, so this seems like a GNOME issue and not a Flatpak issue.
KDE Discover:
FlatHub website
Where? I don't see it here. Can click on the "manifest" but nobody will be reading all of that. Tried Tor Browser to rule out extensions. Maybe it's actually communicating with the desktop client in some way which I don't have?
Also, a backdoor in this particular program can steal your PGP keys. Some clueless guy who added it to GitHub for a tutorial may have some issues if it's not password protected. It's in no way like Android where "OpenKeychain" were forced to define a protocol and now reading a key prompts the user.
Oh, and one of the few dozen local privilege escalations found by AI in the mountains of trash of our great kernel completely negate all of this. It has to be AI because no human nowadays is doing all of that anymore. And enslaving humans to pick out code 24/7 isn't legal anymore anywhere, ya know.
Also, a backdoor in this particular program can steal your PGP keys.
Now you can make that decision. Evolution is also available from the Debian and Arch (and others) repos without sandboxing, if you'd prefer it to have access your whole system.
You can also remove those permissions with the Flatpak cli, or Flatseal.
It's in no way like Android where "OpenKeychain" were forced to define a protocol and now reading a key prompts the user.
I don't see why this couldn't be done with Secret Service, just no one does so no one expects it. You should email one of the mailing lists for GnuPG if this bothers you though.
Oh, and one of the few dozen local privilege escalations found by AI in the mountains of trash of our great kernel completely negate all of this.
Well yeah, sandboxing/containers/namespaces were never guaranteed to be fully isolated, there's a reason all the cloud companies settled on VMs over containers. It's just one line of defence that you otherwise wouldn't have.
Again, you seem to be missing the point. Nobody would be "removing permissions with xyz tool". People are told something is safe, therefore it must be safe. If it's not then it's not. And again with PGP, one example how a "simple user" could have PGP keys is if they use PGP email at work. Management != tech people, so container must equal safe in ooga booga brains. Keys get stolen because of supply chain (remember that library updates are separate and slower for flatpak). Container must equal safe, so everyone disregards what was written about XYZ program and the one to blame becomes the simple office worker*~~, another victim of capitalism~~*. Or the IT guy. My point is, marketing wrong.
FlatHub website
Where? I don't see it here.
click the red "medium risk" thing near the install button
Oh, and one of the few dozen local privilege escalations found by AI in the mountains of trash of our great kernel completely negate all of this. It has to be AI because no human nowadays is doing all of that anymore. And enslaving humans to pick out code 24/7 isn't legal anymore anywhere, ya know.
that's not a problem of flathub, but literally all computers. windows, macos, android is also susceptible to it.
click the red "medium risk"
Literally how the fuck was I, or let alone "a simple user", is supposed to know that? "Intuitive, uncluttered UI" my ass. Also "The software developer has verified their identity, which makes the app more likely to be safe" ????? How Android wannabe (without actually being anything like Android) do they want to be???
not a problem of flathub
The problem of flathub is the illusion of safety.
click the red "medium risk"
Literally how the fuck was I, or let alone "a simple user", is supposed to know that?
idk, this is the first time I saw that menu. it's a pretty visible red at a prominent place on the webpage, so I wouldn't say it's hidden
The problem of flathub is the illusion of safety.
where is the illusion of the safety? where does it say it's the safest thing ever made?
Just check the permissions of an app before installing. Bazaar has a gauge for how "safe" an app is based on permissions. If it doesn't request internet, filesystem access, and other powerful permissions, it'll be marked as the safest.
Really it's the same as docker. It's secure most of the time, but don't come crying about getting hacked if you give all your containers access to /dev, host networking, etc
Yeah that post is 5 years old, I would think a lot of that has changed by now
Well shit.
Pretty much. Snap is the only one with a semblance of anything appearing to be security, and nearly every container requires you to turn it off to run.
Ha! That sucks. I appreciate that article but now I'm having a little bit of an existential crisis.
now Iβm having a little bit of an existential crisis.
While they are sandboxed, there is still potential for them to cause harm. Its in theory a safer system, but nothing is full proof. I'd agree that its likely fine but best to be cautious
The problem is trust. Sandboxing is all well and good, but what of the data I give the app directly and the resources it has access to?
If a person installs the Steam client from FlatHub and logs in to it with their account credentials, how will they know the app wasn't actually published by a third party who modified it to act as a man in the middle to steal account credentials. They'd need to be vigilant and follow a flathub link provided by Valve themselves. The app could also be a crypto miner, capped to use 10% CPU to avoid suspicion.. now I'm searching the internet why steam is constantly using 10% of my CPU..
I don't actually know if flathub does checks or anything so this isn't a jab at them specifically. I personally distrust all package distribution platforms by default and don't use sandboxed packages on any of my installs.
I guess we all have to define where the lines are and how far we're prepared to go. Technically, you should read the actual source code fetched from AUR and only build once you've confirmed it does what you expect it to... for every thing you install and for every update. Maybe thats good for Richard Stallman, but the general populace will look for trust outside of only trusting themselves.
After one year of using Linux, I'm starting to get the memes.
Well these accounts are probably making first commit so it can also be easily found
Alternatively, the first wave of malware stole the accounts of actual contributors. The same method was used in npm afaik.
Hacked accounts next
That actually had me laugh.