75
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 13 Jun 2026
75 points (100.0% liked)
Arch Linux
9787 readers
13 users here now
The beloved lightweight distro
founded 6 years ago
MODERATORS
What happens is this:
Arch Linux says the AUR is just a collection of user scripts. Use at your own risk. Anybody can upload some shit. Always check the PKGBUILD before you continue. Never use so-called AUR helpers to automate the process to the point that you have less control, also wrt future updates and upgrades.
Then some Arch-based distros create AUR helpers and integrate them into their distro experience, even with automatic updates & upgrades and GUIs and whatnot. Some of these distros are very popular, even more so than Arch Linux itself, in the short term. This also contributes to the pollution of the AUR. Malicious hackers are never attracted to a less popular distro that requires its users to understand what they're doing.
Blame those distros and all who contribute to AUR helpers, or tend to not read the PKGBUILD before installing - not the AUR itself.
Or make it so that the AUR has a modicum of security and not allow brand new accounts to adopt orphaned packages and immediately push out malware without any form or reviews, checks, or interventions.
If I copy paste a malicious script here and you run it without knowing/checking what it do, do you think your instance admin should also put more rules and restrictions for the whole instance? AUR is no different than github or pastebin. It is on the user to vet what script they are running. Arch already has a more strict and vetted repo by the maintainer. Having AUR be a vetted place has no real good solution because of easy botting.
It’s basically a public wiki of scripts, being editable by anyone is the entire point. If you don’t want to run random scripts from random people, don’t use AUR.
Oh, very rigorous software engineering standards.
That's not what the AUR does. They simply provide a platform for users to share build scripts. There isn't much they can do beyond trying to vet accounts based on flimsy metrics, or weeding things out every now and then.
The problem is that some people and even distros treat the AUR as a trusted source of software.
All user repositories (javascript, Python etc.) suffer from malware btw.; the AUR is different in that it explicitely puts the responsibility of building packages on the user.
...
~~I'm still missing some palpable information about these injections/malwares.~~
https://bbs.archlinux.org/viewtopic.php?id=313892
Absolutely ludicrous. These are very very strong packages.
Is that not the case already? If not I'm sure it'll be one of the fixes.
Well, there are regulations governing the code they can be made of.
Well, I was thinking more about the other ones.