this post was submitted on 29 Feb 2024
204 points (98.1% liked)
Open Source
31061 readers
593 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
You mean laughs!
AUR has just as much ability to fuck you over as piping curl to sh as an installation method.
Check your PKGBUILDs every single time and make sure you (still!) trust whatever repos it's pulling the source/binaries from.
I completely agree with you on the ability part. There already have been cases where there was malware in the AUR.
But the wiki specifically states to read the PKGBUILD and check the source url content before installing.
I don't think the system is at fault here. I mean, getting viruses/malware has always been mostly due to lazyness, user error and lack of knowledge.
If you're actually vetting PKGBUILD, I don't think there is a single one I've installed that doesn't download some blob. There is no way of knowing if it's OK, unless you also sift through that. I don't think anyone does. I certainly don't.
Most of mine download source and compile it or plain scripts like python/bash and move them some place.
If it is a -bin, I check the url and checksum to be sure that it comes from the official source and obviously I do not install software from companies that I do not trust. (and yes, every update. I have a dedicated timeslot in my calendar for that)
I don't know what type of blob you mean which would require any additional treatment like.