AUR has never been a good idea. I don’t use it and this news proved me right.
Does that mean a distro official package manager would be immune to infections? Of course not, but they do offer a more secure distribution system and build greater trust. Minimizing the chance of malware being spread through their means.
Edit: If you have the knowledge and time to inspect the AUR packages you install, AUR might be good for you. I have none of these, that’s why I stick to my official distro packages (and sometimes also some flatpak but from official sources)
It’s just a repository of user-contributed packages. It’s no different malware-ability-wise to, say, GitHub. If you are running code you found from a stranger on the internet then you are liable for it, and you need to do your due diligence in checking that you are not running malware. It is a good thing that the AUR exists because it means Arch user packages are all in one centralised repository instead of scattered across GitHub, Sourceforge, Codeberg, Pastebin, forums, whatever. If you are just installing random AUR packages then that’s on you. It’s basic internet safety to not automatically trust random scripts you find on the internet.
I never said that GitHub was better. I just don’t feel like using a package maintained by a stranger with no tied to neither the software I want to install nor the distribution packages repository.
Of course installing random code from stranger is never great advice regardless of the distribution source. But AUR is simply not for me, and many users don’t understand the risk or let’s say responsabilities it involves while installing packages from that source.
I agree about the risks in terms of the way some sources present the AUR as just extra packages. But I don’t think you can object to the AUR more than any other place on the internet where anyone can upload software; unfortunately, the onus is going to be on the user to verify what they install. The AUR is moderated by volunteers and it wouldn’t be fair to expect them to vet all of the high volume of commits to the AUR. Possibly they could vet new maintainers or new packages or newly adopted packages, but nothing would stop someone from initially uploading a genuine package and then replacing it with something malicious. Or they could require identity verification to be an AUR maintainer but then far fewer genuine packages would be on there because people don’t want to give their real identity to contribute (I maintain some AUR packages, and would stop if required to verify my IRL identity).
I can totally understand if the AUR is not for you; it’s more time-consuming as you have to read PKGBUILDs (I always do). But that doesn’t make it bad that it exists at all. I think there should be more warnings about it for new users, and possibly some more moderation, though like I said above there’s no perfect moderation solution that would simultaneously forgo users’ responsibility to check and keep the AUR as large as it is today. Ultimately the option should still exist for users who want it. If it didn’t exist, I’d have to hand-package every program that’s not in the official repos, and that’s even more time-consuming than pulling and reading through a PKGBUILD that someone else already wrote and shared.
It is arguably harder to take over a package from github or Codeberg.
You could also serve your PKGBUILD from a Gemini server (the Gemini small-web protocol, not the Google AI which is really easy to administer and secure), and sign it with a PGP key. That would be about as secure without depending on a huge US American company.
AUR has never been a good idea. I don’t use it and this news proved me right.
But is Arch sufficiently complete without AUR packages? It is being criticized - and rightly so - that the magnificient Arch Wiki is full of references to AUR packages. That could in fact mislead new users.
I am an happy Arch user, since about ten years… But I use it differently. I am running Debian stable on the hardware, which has all the drivers I need (after getting rid of NVidia graphics, which was just a mistake to buy). I use Debian for my work / office / productivity system, to read email, and so on.
But for some stuff, I need newer software: For trying out new features or libraries (I am a developer). For testing out new window managers. Leisure programming. And so on. I use Arch for this. After a few years of dual booting (which caused occasional breakage), I settled on running Arch in a VM. Which works fine for me.
And the last shift I am experiencing is that I use more and more the Guix package manager. The reason for this is that when one tries out a lot of things, and does only system upgrades for many years (which means not doing a reinstall, but replacing the oldstable packages with the newer stable packages), the system becomes a bit untidy over time. Old packages, scripts, and configurations accumulate, and it is hard to get rid of it without breaking things, because one just cannot delete everything one does not remember what it was needed for. And there is so much stuff in software that, after all, turns out to be not such a good idea. Yes, a fresh OS install leaves a tidy system, but it would cost a few days. (By the way, accumulating cruft in the long term is also somewhat of an disadvantage of rolling release distros.)
Now, Guix solves that, because I have a temporary, deterministic environment for every programming project (just like a Python venv). And by this way, stuff does not contaminate the base system, and is garbage collected when it is not used any more.
And, Guix has quite recent packages, similar to Arch.
Yes! And everything is based on hashed source code - this guarantees long-term reproducibility, avoids vendor-lock-in with proprietary binaries and drivers (and that’s why some companies hate it), but above all makes much easier to inspect what is in a package.
Interesting, unfortunately I still rely on proprietary binaries but I could try it on a secondary device. Reproducibility is one of the reason I chose to learn NixOS.
The issue with Arch is that they have like no packages at all. You’re more or less forced to use the AUR. Which is not something I would recommend to anyone. Which is also why I don’t recommend Arch to anyone. :D
Unless something changed in a big way in the last few years, that’s not really true. When I was running arch, I had maybe a dozen AUR packages installed, none of which I would consider essential. And yes: I was one of those weirdos who would actually take a good look at the pkgbuild diff before installing an update.
Minimizing the chance of malware being spread through their means.
Right. And there is another angle to that: It is far easier to turn an ecosystem into a breeding ground for malware, than to get rid of it again. Once a system has a reputation to be easily hackable, it attracts malware like spoiled meat attracts flies.
AUR has never been a good idea. I don’t use it and this news proved me right.
Does that mean a distro official package manager would be immune to infections? Of course not, but they do offer a more secure distribution system and build greater trust. Minimizing the chance of malware being spread through their means.
Edit: If you have the knowledge and time to inspect the AUR packages you install, AUR might be good for you. I have none of these, that’s why I stick to my official distro packages (and sometimes also some flatpak but from official sources)
It’s just a repository of user-contributed packages. It’s no different malware-ability-wise to, say, GitHub. If you are running code you found from a stranger on the internet then you are liable for it, and you need to do your due diligence in checking that you are not running malware. It is a good thing that the AUR exists because it means Arch user packages are all in one centralised repository instead of scattered across GitHub, Sourceforge, Codeberg, Pastebin, forums, whatever. If you are just installing random AUR packages then that’s on you. It’s basic internet safety to not automatically trust random scripts you find on the internet.
I never said that GitHub was better. I just don’t feel like using a package maintained by a stranger with no tied to neither the software I want to install nor the distribution packages repository.
Of course installing random code from stranger is never great advice regardless of the distribution source. But AUR is simply not for me, and many users don’t understand the risk or let’s say responsabilities it involves while installing packages from that source.
I agree about the risks in terms of the way some sources present the AUR as just extra packages. But I don’t think you can object to the AUR more than any other place on the internet where anyone can upload software; unfortunately, the onus is going to be on the user to verify what they install. The AUR is moderated by volunteers and it wouldn’t be fair to expect them to vet all of the high volume of commits to the AUR. Possibly they could vet new maintainers or new packages or newly adopted packages, but nothing would stop someone from initially uploading a genuine package and then replacing it with something malicious. Or they could require identity verification to be an AUR maintainer but then far fewer genuine packages would be on there because people don’t want to give their real identity to contribute (I maintain some AUR packages, and would stop if required to verify my IRL identity).
I can totally understand if the AUR is not for you; it’s more time-consuming as you have to read PKGBUILDs (I always do). But that doesn’t make it bad that it exists at all. I think there should be more warnings about it for new users, and possibly some more moderation, though like I said above there’s no perfect moderation solution that would simultaneously forgo users’ responsibility to check and keep the AUR as large as it is today. Ultimately the option should still exist for users who want it. If it didn’t exist, I’d have to hand-package every program that’s not in the official repos, and that’s even more time-consuming than pulling and reading through a PKGBUILD that someone else already wrote and shared.
It is arguably harder to take over a package from github or Codeberg.
You could also serve your PKGBUILD from a Gemini server (the Gemini small-web protocol, not the Google AI which is really easy to administer and secure), and sign it with a PGP key. That would be about as secure without depending on a huge US American company.
But is Arch sufficiently complete without AUR packages? It is being criticized - and rightly so - that the magnificient Arch Wiki is full of references to AUR packages. That could in fact mislead new users.
I am an happy Arch user, since about ten years… But I use it differently. I am running Debian stable on the hardware, which has all the drivers I need (after getting rid of NVidia graphics, which was just a mistake to buy). I use Debian for my work / office / productivity system, to read email, and so on.
But for some stuff, I need newer software: For trying out new features or libraries (I am a developer). For testing out new window managers. Leisure programming. And so on. I use Arch for this. After a few years of dual booting (which caused occasional breakage), I settled on running Arch in a VM. Which works fine for me.
And the last shift I am experiencing is that I use more and more the Guix package manager. The reason for this is that when one tries out a lot of things, and does only system upgrades for many years (which means not doing a reinstall, but replacing the oldstable packages with the newer stable packages), the system becomes a bit untidy over time. Old packages, scripts, and configurations accumulate, and it is hard to get rid of it without breaking things, because one just cannot delete everything one does not remember what it was needed for. And there is so much stuff in software that, after all, turns out to be not such a good idea. Yes, a fresh OS install leaves a tidy system, but it would cost a few days. (By the way, accumulating cruft in the long term is also somewhat of an disadvantage of rolling release distros.)
Now, Guix solves that, because I have a temporary, deterministic environment for every programming project (just like a Python venv). And by this way, stuff does not contaminate the base system, and is garbage collected when it is not used any more.
And, Guix has quite recent packages, similar to Arch.
Now I use Arch less and less.
Is Guix the GNU approach to NixOS?
So if nixos is the new I use arch btw is guix the new I use nixos btw?
Lol
Nah, Guix is dead simple to use. I even trained my pet octopus to build Guix packages after it got bored with the underwater piano :)
Yes! And everything is based on hashed source code - this guarantees long-term reproducibility, avoids vendor-lock-in with proprietary binaries and drivers (and that’s why some companies hate it), but above all makes much easier to inspect what is in a package.
Interesting, unfortunately I still rely on proprietary binaries but I could try it on a secondary device. Reproducibility is one of the reason I chose to learn NixOS.
Yeah you can go with Nix then.
But it is not by chance that Linux is based on Open Source hardeare support. The alternative is something like MacOS.
The issue with Arch is that they have like no packages at all. You’re more or less forced to use the AUR. Which is not something I would recommend to anyone. Which is also why I don’t recommend Arch to anyone. :D
Unless something changed in a big way in the last few years, that’s not really true. When I was running arch, I had maybe a dozen AUR packages installed, none of which I would consider essential. And yes: I was one of those weirdos who would actually take a good look at the pkgbuild diff before installing an update.
Right. And there is another angle to that: It is far easier to turn an ecosystem into a breeding ground for malware, than to get rid of it again. Once a system has a reputation to be easily hackable, it attracts malware like spoiled meat attracts flies.