I’m not an expert, but I thought on Arch you are specifically not supposed to use the discover store because it can cause partial updates which can in turn cause major problems.
However, the point still stands, pacman and the AUR are easy and have nearly everything.
The AUR is a great resource but it’s also being sold as a package repository users don’t need to actively think about or understand. I honestly think malware is going to be much more common on the AUR if we aren’t careful.
I keep hearing this claim online but the Arch bible (which you really should be familiar with if you use Arch) and pretty much everyone that knows anything will tell you that the AUR is useful, but not something to blindly use. I recommend everyone check the PKGBUILD, verify the source URLs are correct, and check the diffs when updating. It’s not that much effort.
And since it comes from a single (user) package repository, you’ll probably have hundreds of people doing the same, or even going a step or two further and looking into the code, reporting the package if anything bad is going on. Still miles better than downloading .exe files you find from a Google search, even if you were lazy and didn’t do the aforementioned checks. (But if you don’t do that, you should probably just use Flatpaks or similar.)
All official resources, Arch maintainers and high quality guides have been putting a ton of effort into teaching people how to use the AUR safely. That hasn’t stopped some people, even back before Arch got really popular, but you can’t reach everyone. Alternative package managers and pacman wrappers made the AUR a lot more accessible, which isn’t necessarily a bad thing, but there are good reasons for all the caution. Combine that with Arch increasing in popularity and getting picked up by all the shitty influencers and you get a lot of people ,who don’t know what they’re doing, installing everything from the AUR with their CLI/GUI of choice. Then you’ve got Arch derivatives making AUR packages easily accessible from the start, bad advice on places like reddit etc.
Long story short: it seems that over the years whenever I check in, users that barely know how it works are happily installing random shit from random people on the AUR because they saw it in a YT video or something.
Eh. I haven’t had issues for a few months and I back up my files on a weekly basis and -Syu once or twice a month. Worst case scenario, I’ll just reinstall and restore from backup.
Also, I mainly use Discover for high level stuff like browsers and IDEs.
On the flip side, reading about an exploited vulnerability in a package and then realizing your machine isn’t affected because Debian has an outdated package in it’s repo
You’re not wrong. That said my broke ass can’t afford cutting edge hardware so most of the time it doesn’t matter.
When it does, I can usually compensate with either a NixOs profile install, a container of some sort (or Flatpak), or just building the emefferr from source.
Flatpak just working would be a nice thing. Everytime I try they fuck something new up…
(Last time I thought about installing Steam via Flatpak on Arch to get rid of all the multilib 32bit stuff not needed for aynthing else anymore it worked for nearly 4 days. Then flatpak update randomly uninstalled its nvidia drivers because an “update” removing the old package first, then realizing it can’t find the new one make total sense of course.)
I’m not an expert, but I thought on Arch you are specifically not supposed to use the discover store because it can cause partial updates which can in turn cause major problems.
However, the point still stands, pacman and the AUR are easy and have nearly everything.
The AUR is a great resource but it’s also being sold as a package repository users don’t need to actively think about or understand. I honestly think malware is going to be much more common on the AUR if we aren’t careful.
I keep hearing this claim online but the Arch bible (which you really should be familiar with if you use Arch) and pretty much everyone that knows anything will tell you that the AUR is useful, but not something to blindly use. I recommend everyone check the
PKGBUILD, verify the source URLs are correct, and check the diffs when updating. It’s not that much effort.And since it comes from a single (user) package repository, you’ll probably have hundreds of people doing the same, or even going a step or two further and looking into the code, reporting the package if anything bad is going on. Still miles better than downloading
.exefiles you find from a Google search, even if you were lazy and didn’t do the aforementioned checks. (But if you don’t do that, you should probably just use Flatpaks or similar.)All official resources, Arch maintainers and high quality guides have been putting a ton of effort into teaching people how to use the AUR safely. That hasn’t stopped some people, even back before Arch got really popular, but you can’t reach everyone. Alternative package managers and pacman wrappers made the AUR a lot more accessible, which isn’t necessarily a bad thing, but there are good reasons for all the caution. Combine that with Arch increasing in popularity and getting picked up by all the shitty influencers and you get a lot of people ,who don’t know what they’re doing, installing everything from the AUR with their CLI/GUI of choice. Then you’ve got Arch derivatives making AUR packages easily accessible from the start, bad advice on places like reddit etc.
Long story short: it seems that over the years whenever I check in, users that barely know how it works are happily installing random shit from random people on the AUR because they saw it in a YT video or something.
Eh. I haven’t had issues for a few months and I back up my files on a weekly basis and -Syu once or twice a month. Worst case scenario, I’ll just reinstall and restore from backup.
Also, I mainly use Discover for high level stuff like browsers and IDEs.
As a Debian slut this level of sweating over updates is wild to me.
Yeah but imagine reading about a new release of something and it appearing in your updates the same day. Shiny new software every day is addicting.
On the flip side, reading about an exploited vulnerability in a package and then realizing your machine isn’t affected because Debian has an outdated package in it’s repo
You’re not wrong. That said my broke ass can’t afford cutting edge hardware so most of the time it doesn’t matter.
When it does, I can usually compensate with either a NixOs profile install, a container of some sort (or Flatpak), or just building the emefferr from source.
You can use it for Flatpaks which works great for a lot of people.
Flatpak just working would be a nice thing. Everytime I try they fuck something new up…
(Last time I thought about installing Steam via Flatpak on Arch to get rid of all the multilib 32bit stuff not needed for aynthing else anymore it worked for nearly 4 days. Then
flatpak updaterandomly uninstalled its nvidia drivers because an “update” removing the old package first, then realizing it can’t find the new one make total sense of course.)If I learned anything with Steam it’s to never install it as a Flatpak.