Linux Users: haha those silly windows users, always searching the web for their software and getting viruses.
Linux Users: oh no I got malware by searching the AUR!
The AUR is still safer. One, it is at least minimally moderated. If a malicious package is detected, it can be reported and removed. Two, the installer is usually not just a black box executable. Three, most of the build and runtime dependencies are from the official Arch repos, which provides some protection against supply chain attacks. For Windows installers, you have to trust the distributor to bundle clean DLLs (for that matter, the same applies to AppImages).
But if it starts downloading anything from NPM… ^C and run.
The most unsafe factor of the AUR is aur helpers and their goal to dumb everything down and streamline the process as if the AUR where an official repo
I’m not entirely sure I agree, I think the issue is with default settings.
Like you could use both yay and paru to diff the PKGBUILD of the most recent updat and then read it, and then approve each. And I think that’s pretty helpful. But you could also just blindly accept the update with the right config or flag and that is not a good practice.
Linux Users: haha those silly windows users, always searching the web for their software and getting viruses.
Linux Users: oh no I got malware by searching the AUR!
AUR naur! for all my Australians out there.
The AUR is still safer. One, it is at least minimally moderated. If a malicious package is detected, it can be reported and removed. Two, the installer is usually not just a black box executable. Three, most of the build and runtime dependencies are from the official Arch repos, which provides some protection against supply chain attacks. For Windows installers, you have to trust the distributor to bundle clean DLLs (for that matter, the same applies to AppImages).
But if it starts downloading anything from NPM… ^C and run.
The most unsafe factor of the AUR is aur helpers and their goal to dumb everything down and streamline the process as if the AUR where an official repo
I’m not entirely sure I agree, I think the issue is with default settings.
Like you could use both yay and paru to diff the PKGBUILD of the most recent updat and then read it, and then approve each. And I think that’s pretty helpful. But you could also just blindly accept the update with the right config or flag and that is not a good practice.
Ye my reaction to this was basically uninstalling yay to force me to do it manually
appimages are kinda like portable app versions.
Don’t worry, I found a package on npm to help!
By misusing the AUR and ignoring every warning telling you to read and understand the pkgbuild or don’t do it.