The AUR is a great resource but it’s also being sold as a package repository users don’t need to actively think about or understand. I honestly think malware is going to be much more common on the AUR if we aren’t careful.
I keep hearing this claim online but the Arch bible (which you really should be familiar with if you use Arch) and pretty much everyone that knows anything will tell you that the AUR is useful, but not something to blindly use. I recommend everyone check the PKGBUILD, verify the source URLs are correct, and check the diffs when updating. It’s not that much effort.
And since it comes from a single (user) package repository, you’ll probably have hundreds of people doing the same, or even going a step or two further and looking into the code, reporting the package if anything bad is going on. Still miles better than downloading .exe files you find from a Google search, even if you were lazy and didn’t do the aforementioned checks. (But if you don’t do that, you should probably just use Flatpaks or similar.)
All official resources, Arch maintainers and high quality guides have been putting a ton of effort into teaching people how to use the AUR safely. That hasn’t stopped some people, even back before Arch got really popular, but you can’t reach everyone. Alternative package managers and pacman wrappers made the AUR a lot more accessible, which isn’t necessarily a bad thing, but there are good reasons for all the caution. Combine that with Arch increasing in popularity and getting picked up by all the shitty influencers and you get a lot of people ,who don’t know what they’re doing, installing everything from the AUR with their CLI/GUI of choice. Then you’ve got Arch derivatives making AUR packages easily accessible from the start, bad advice on places like reddit etc.
Long story short: it seems that over the years whenever I check in, users that barely know how it works are happily installing random shit from random people on the AUR because they saw it in a YT video or something.
The AUR is a great resource but it’s also being sold as a package repository users don’t need to actively think about or understand. I honestly think malware is going to be much more common on the AUR if we aren’t careful.
I keep hearing this claim online but the Arch bible (which you really should be familiar with if you use Arch) and pretty much everyone that knows anything will tell you that the AUR is useful, but not something to blindly use. I recommend everyone check the
PKGBUILD, verify the source URLs are correct, and check the diffs when updating. It’s not that much effort.And since it comes from a single (user) package repository, you’ll probably have hundreds of people doing the same, or even going a step or two further and looking into the code, reporting the package if anything bad is going on. Still miles better than downloading
.exefiles you find from a Google search, even if you were lazy and didn’t do the aforementioned checks. (But if you don’t do that, you should probably just use Flatpaks or similar.)All official resources, Arch maintainers and high quality guides have been putting a ton of effort into teaching people how to use the AUR safely. That hasn’t stopped some people, even back before Arch got really popular, but you can’t reach everyone. Alternative package managers and pacman wrappers made the AUR a lot more accessible, which isn’t necessarily a bad thing, but there are good reasons for all the caution. Combine that with Arch increasing in popularity and getting picked up by all the shitty influencers and you get a lot of people ,who don’t know what they’re doing, installing everything from the AUR with their CLI/GUI of choice. Then you’ve got Arch derivatives making AUR packages easily accessible from the start, bad advice on places like reddit etc.
Long story short: it seems that over the years whenever I check in, users that barely know how it works are happily installing random shit from random people on the AUR because they saw it in a YT video or something.