this post was submitted on 12 Jun 2026
260 points (100.0% liked)
Linux
65742 readers
808 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 7 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Or maybe don't use AUR blindly? You're doing the equivalent of `sudo curl
| bash`. Who knows what the script is doing. So only do it if you truly trust it. That's why we have warnings plastered all over. That's also why a warning label and sticker exists. And this is precisely the reason easy no user input AUR helpers are greatly discouraged
Plastering warning labels everywhere is a cheap way to shift 100% of the accountability onto the user. Security should be built into the AUR's design (throttling new accounts, forcing forks for orphaned takeovers or maintainer-developer verification), not outsource your job to the users as a reading assignment before every system update. Humans are the final layer of defense not the first.
| bash... So only do it if you truly trust it.
There is a massive difference between blindly curling a random script from the open web and using a centralized, organized community repository. Yes AUR helpers are not recommended but they exist and are used by majority of Arch users and you can't expect the user to know code and pkgbuilds especially when distros like CachyOS make it so damn easy to install the OS with AUR being just a checkbox away.
You said it yourself that it is a community repository. No difference between that and the internet forum. You are putting the burden of accountability on the maintainer that way. Which I would remind you, is unpaid unlike say, github and npm that HAS a financial means to do a lot of security implementation. Yet those platforms still fail to do it.
Also, humans ARE the first layer of defense. Because anything you do on your device (on linux anyway, and specifically arch) is YOUR decision. Antivirus and everything else should kick in when the human fails.
You are normalizing people downloading things off the unvetted internet like on windows. Linux has a vetted repo already. THOSE are what people should be using and I'm fine with if those are being blamed. Everything else is USER due diligence. That is why the existence of easily installing malware like limewire does not justify blaming the platform. Or do you also blame torrenting site when they are chock full of malware?
Fine agree with all of what you say. But still the AUR is the only repo where this happens majority of the times. So what to do next? I am sure the solutions I mentioned in a comment below are not that difficult to implement.
Sure, your proposed solution is a good way to weed out the low hanging fruit. But I don't like that it may create friction for normal users. AUR was never meant to be a FOSS project on its own with a full time maintainer that maintains PKGBUILD and the infra.
Like I said before, it is more akin to an internet forum and pastebin more than a full fledged package repository. And to be fair, it isn't a package repo anyway. It's like a cmake / makefile sharing site. Building and packaging for arch is just that easy compared to say, debian.
If people want to use a repo, there is chaotic aur. Maybe that could be the way too. A dedicated community project to vet the AUR. Or the project maintainer itself could provide a pkgbuild directly on their repo.
Just don't ever blame the maintainer for providing a place to store something for free and open to anyone. Especially if it is your choice to get something from said place and be surprised that it is malware.