this post was submitted on 13 Jun 2026
73 points (98.7% liked)
Arch Linux
9793 readers
2 users here now
The beloved lightweight distro
founded 6 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Or make it so that the AUR has a modicum of security and not allow brand new accounts to adopt orphaned packages and immediately push out malware without any form or reviews, checks, or interventions.
It’s basically a public wiki of scripts, being editable by anyone is the entire point. If you don’t want to run random scripts from random people, don’t use AUR.
If I copy paste a malicious script here and you run it without knowing/checking what it do, do you think your instance admin should also put more rules and restrictions for the whole instance? AUR is no different than github or pastebin. It is on the user to vet what script they are running. Arch already has a more strict and vetted repo by the maintainer. Having AUR be a vetted place has no real good solution because of easy botting.
Oh, very rigorous software engineering standards.
That's not what the AUR does. They simply provide a platform for users to share build scripts. There isn't much they can do beyond trying to vet accounts based on flimsy metrics, or weeding things out every now and then.
The problem is that some people and even distros treat the AUR as a trusted source of software.
All user repositories (javascript, Python etc.) suffer from malware btw.; the AUR is different in that it explicitely puts the responsibility of building packages on the user.
...
~~I'm still missing some palpable information about these injections/malwares.~~
https://bbs.archlinux.org/viewtopic.php?id=313892
Absolutely ludicrous. These are very very strong packages.
Is that not the case already? If not I'm sure it'll be one of the fixes.
Well, there are regulations governing the code they can be made of.