this post was submitted on 18 Jul 2025
343 points (99.7% liked)
Linux
56547 readers
597 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 6 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this is going to increase in frequency as linux gains popularity
This is why I felt uncomfortable when I first switched to Linux and kept reading that I didn't need to worry about viruses as long as I didn't click on dodgy links and only installed from trusted sources. I'm sure I'm betraying my lack of security knowledge here, but that always seemed a bit too easy.
@DirkMcCallahan @Tundra The AUR isn't a trusted source, but most of the the Arch cult forget to mention that.
The "Arch cult's" holy book, the ArchWiki, states the following pretty clearly:
Mention of one's use of the AUR for their needs doesn't need to come with a disclaimer.
People who don't read or don't use their brain are going to keep not doing so, regardless.
Arch is not responsible for idiots.
Arch is not recommended for idiots either. If you want cutting edge, you accept the risks. Works that way with all tech.
I feel like the people who don't look at PKGBUILDs and install hooks and just hit Y on everything are the same people who spam "Next" and "Accept" on Windows Installers from random websites.
Half the posts on the Internet are people replying to requests for help with the message "read the wiki, the aur isn't a trusted source, dummy"
Why do we have the AUR anyway?
Because it's convenient and a good way to start to write PKGBUILDs quickly without becoming a proper package maintainer.
Isn’t that like how alpinelinux’s community repository works too?
It's meant to be a convenience for people who know what they're doing.
It's super useful as long as you understand that it is just a big bucket of scripts that just anybody can push
You can't even install from AUR using pacman directly. You either need to makepkg them manually, or use an extra AUR compatible package manager like yay. It's made as clear as possible to arch users that the AUR is not vetted in any way, it's just for convenience.
At the very least aur must verify you are associated with the domain name of the project, same as flathub.
that would literally defeat the entire purpose of the AUR
flathub still allows unverified submissions which is what I proposed. So, no, it wouldn't.
AUR is the place for unverified submissions. The verified stuff typically ends up in the main repos.
That's not at all how it works.
It is. Aur isn't even officially supported by arch. You use it at your own risk, with the advantage being that pretty much everything is in it.
The AUR, key words “user repository” is a specific weak point. It doesn’t have the same level of oversight that the main arch repo has. Stick to main repos and verified flatpaks and it’s very unlikely that you’d ever be compromised.
Linux isn’t perfect, but it’s certainly better than windows where you just download executables willy nilly to install your software.
BTW python's package index has roughly the same problem - but a far less technical, experienced and critical user base. NPM has this problem since years.
Expect these problems to rise with every percent more of new Linux users which never learned the difference between opening / viewing untrusted data, and running untrusted code, because Windows basically ignores this essential concept and Android tries to solve that with sandboxing each app.
That is sound advice, the AUR is most definitely not a trusted source though. For the normal arch repos the people who put the stuff there are known, they work for the project, you're as likely to get malware from one of those as you are to read an article bashing gamespot in gamespot, the people in charge of putting the packages there are the ones with more vested interest in things working so they won't knowingly introduce malicious code (plus it's a handful of people who know each other by first name).
The AUR is a different story, because anyone can put stuff there it's very easy to have malicious code end up there. It doesn't happen that often because most of the time it's fairly obvious and it gets flagged straight away, plus if people start doing that people will migrate away from the AUR, so it's a high risk low reward situation. But as more and more people start to use Arch derivatives that come with the AUR enabled without understanding any of this it becomes a more rewarding thing to exploit.
like git repositories, AUR in its name itself says what it is, a User repository. its trust like repositories is fully based on how much you trust the user who uploaded it
In fact, most PKGBUILDs just clone git repos and build them
Yeah i think the aur is pretty much completely source based, with the exception of bin packages where they pull down a precompiled binary.
Yeah. The I'm A Mac crowd had the same problem... god damn it, two or three decades ago.
As market share increases, platforms become a much bigger target for malware. And a lot of the "I don't need to run virus scans" crowds learn the hard way.
Its the same with open source. Obviously NOBODY around here would parrot this bullshit, but there is the idea that because something is FOSS it is safe. Code is only as safe as code review and there have been a few high profile cases of social engineering to get malicious code past even fairly rigorous review. Let alone "Well, that script is FOSS so somebody probably reviewed it" that we see so often.
I use Debian btw
True
Only for distributions which don’t do reproducible builds and require full and complete corresponding source code under an FSF approved license.
If you choose to download binary blobs, good fucking luck.
As if everyone were to read every single line of source code, though. This just increases the chances of it being discovered.
you don't need to read every line if you trust your package maintainers
True, but AUR isn’t official but provided by other users
Or if a handful of paranoid people read the code for a distribution and publicly discuss everything that they find (it only would take 12 crazies in the whole world)