submitted 3 days ago by cm0002@europe.pub to c/linux@programming.dev
[-] HaraldvonBlauzahn@feddit.org 15 points 3 days ago

> I know everyone says “use at your own risk,” but in practice that’s not how regular users are using npm, PyPI, AUR, Cargo and such.

This won't work any more in the future. Linux is too big and the Internet, or the world as a whole, has become a too unfriendly place.

It is like how I once lived in a small village in Belgium in a shared house and I loved that we never needed to lock the door, even when we were away. But you can't do that in a big city.

Well, as a Linux user, you can't run untrusted code from strangers. Which is what AUR and PyPI are. As a normal user, you should run only checked code from your distribution. And when you develop software, you need to check the credentials and signatures of upstream software and their developers.

[-] Mihies@programming.dev 13 points 3 days ago

Good luck with checking all dependencies as a developer, bonus points for JavaScript. You've just become 98% less effective. But seriously, how would you check everything? And if you stumble upon malicious code, would you even recognize it?

[-] devfuuu@lemmy.world 3 points 3 days ago

Nobody sane should be installing js code in their systems. Nor having node or even npm installed.

[-] HaraldvonBlauzahn@feddit.org 2 points 3 days ago

> Good luck with checking all dependencies as a developer, bonus points for JavaScript.

Yes, I know well that JavaScript development practices are unsustainable.

And at some point, chickens will come home to roost.

For my part, I focus on minimalist, well defined systems, both as a user and developer. And trust where it is reasonable - not by default.

[-] victorz@lemmy.world 2 points 3 days ago

Exactly, I wouldn't know what I was looking at probably. We don't really learn malicious programming at uni.

this post was submitted on 14 Jun 2026
176 points (97.3% liked)
