I smell something fishy going on. I’ve been using the AUR for a long time and I’m now just hearing of malware?
There’s been malware in the past; not only that, the AUR is user-submitted. It’s in the name. They warn you to double check what you’re installing. It is functionally similar to running a random installer you found on GitHub.
It seems like these instances are being intentionally blown out of proportion, but I don’t see what there is to gain by doing that.
It is functionally similar to running a random installer you found
So basically how Windows users have been acquiring their software for the last 30 years.
I don’t want to say stupid things, but I have so many theories. I check the shit out of a package before installing it. I even go to the GitHub page and make sure of things.
It’s an obvious vector for malware, Arch by default doesn’t come with it, and users have been warned the entire time to check the PKGBUILD. There’s nothing fishy, it’s just that Arch has enough users to be worth hitting.
I expect that with SteamOS being based on Arch there will be a bigger target on Arch for malware just from increased attention on the platform
I use NixOS so everything is second party
And every package is added and maintained by volunteers.
We’re called maintainers
Most maintainers are volunteers, but not all volunteers are maintainers…
Besides the obvious non-package work, if you make a single PR for some random package and never again, you’re not a maintainer.
The Nix ecosystem is developed by many volunteers and a few paid developers, maintaining one of the largest open source software distributions in the world.
demanding work that we cannot expect to be done by volunteers indefinitely.
If you add yourself to the maintainer list in your PR you’re a maintainer, even if it’s a maintainer of a single package
AUR is probably the main reason why many people use Arch and derivatives. However, many users are unaware that the AUR is not an official Arch repository and that, as you say, you are the one who has to monitor the PKGBUILDs of each installed AUR package. Normally the most used AUR packages tend to generate more confidence, but that does not prevent a package from including malicious software in a version change, and with root access to the system it can take control of certain system services. That’s why I always recommend not using the AUR and that’s why I’ve always found Manjaro to be a great distribution, as it retains packages for a few days to check them and discourages the use of the AUR. Any security measure is too little and that’s why any security tool you can configure is advisable. In a rolling distribution where new code is constantly entering the system, it is essential to have SELinux and Secure Boot enabled.
Aur is probably the main reason why many people use Arch and derivatives.
FYI, non-Arch distros can use AUR with an Arch distrobox. So people shouldn’t be using Arch just for AUR.
Being in a distrobox may or may not protect your system from potential malware, that I cannot say.
By user “Forsen on top” fucking KEK
Also yeah it’s chrome, obviously it’s malware
Is this post intended to be a sort of outcry around the idea that there’s a risk of malware being in the AUR?
Was there for 2 days before it was caught and they would have had to be manually installed?
I think that’s much safer than any other platform I’ve heard of
Meanwhile me, who uses CHAOTIC-AUR, be like:
As someone not too familiar with Arch and not understanding the full context, could you elaborate on how Chaotic AUR differs from AUR?
TLDR EXPLANATION:
Basically Chaotic AUR is just AUR that has been compiled so the user doesn’t have to wait for a package to install.

LONGER EXPLANATION:
Chaotic-AUR is an unofficial package repository that provides pre-built packages from the Arch User Repository (AUR), allowing users to install software without building it from source. In contrast, the AUR requires users to compile packages themselves, offering a wider range of community-maintained software but requiring more technical knowledge and time. In contrast, Chaotic AUR offers a simpler way to install AUR packages; Chaotic AUR packages are already cleaned from malware, spyware, etc., so there’s no need to worry.
Malware in some user-made package on the internet?