this post was submitted on 15 Jun 2026
578 points (97.4% liked)

linuxmemes

31752 readers
1506 users here now

Hint: :q!

Sister communities:

Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack users for any reason. This includes using blanket terms, like "every user of thing".
  • Don't get baited into back-and-forth insults. We are not animals.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
    • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn, no politics, no trolling or ragebaiting.
  • Don't come looking for advice, this is not the right community.
    • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.
    • 5. πŸ‡¬πŸ‡§ Language/язык/Sprache
  • This is primarily an English-speaking community. πŸ‡¬πŸ‡§πŸ‡¦πŸ‡ΊπŸ‡ΊπŸ‡Έ
  • Comments written in other languages are allowed.
  • The substance of a post should be comprehensible for people who only speak English.
  • Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.
    • 6. (NEW!) Regarding public figuresWe all have our opinions, and certain public figures can be divisive. Keep in mind that this is a community for memes and light-hearted fun, not for airing grievances or leveling accusations.
  • Keep discussions polite and free of disparagement.
  • We are never in possession of all of the facts. Defamatory comments will not be tolerated.
  • Discussions that get too heated will be locked and offending comments removed.
    • Β 

    Please report posts and comments that break these rules!

    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.

    founded 3 years ago
    MODERATORS
    poopsmith@lemmy.world
    zephyr@lemmy.world
    rtxn@lemmy.world
    578
    Where the AUR users at? (lemmy.world)
    submitted 1 day ago by cannedtuna@lemmy.world to c/linuxmemes@lemmy.world
    105 comments fedilink hide all child comments
     
    you are viewing a single comment's thread
    view the rest of the comments
    [–] rtxn@lemmy.world 37 points 22 hours ago* (last edited 22 hours ago) (3 children)

    The AUR is still safer. One, it is at least minimally moderated. If a malicious package is detected, it can be reported and removed. Two, the installer is usually not just a black box executable. Three, most of the build and runtime dependencies are from the official Arch repos, which provides some protection against supply chain attacks. For Windows installers, you have to trust the distributor to bundle clean DLLs (for that matter, the same applies to AppImages).

    But if it starts downloading anything from NPM... ^C and run.

    [–] plutopos@lemmy.zip 2 points 2 hours ago

    But Windows has a flourishing antimalware ecosystem. That's missing in Linux imo

    [–] 30p87@feddit.org 19 points 21 hours ago (2 children)

    The most unsafe factor of the AUR is aur helpers and their goal to dumb everything down and streamline the process as if the AUR where an official repo

    [–] CubitOom@infosec.pub 7 points 18 hours ago (1 children)

    I'm not entirely sure I agree, I think the issue is with default settings.

    Like you could use both yay and paru to diff the PKGBUILD of the most recent updat and then read it, and then approve each. And I think that's pretty helpful. But you could also just blindly accept the update with the right config or flag and that is not a good practice.

    [–] bitfucker@programming.dev 3 points 6 hours ago (1 children)

    Yeah, use and promote aurto instead. They require you to trust the maintainer and would remove the package from the local repo if the maintainer is changed

    [–] CubitOom@infosec.pub 2 points 1 hour ago (1 children)

    I'm not sure if loosing the maintainer is to only thing we should be going off of here, but I like the name.

    [–] bitfucker@programming.dev 1 points 28 minutes ago

    Well, it is just like a distro maintainer account anyway. If the maintainer account is compromised then gg for the whole distro. That's what happens with other supply chain attacks as well and yes, I do think we need a way to fix that without compromising on ease of usability

    [–] arschflugkoerper@feddit.org 6 points 19 hours ago

    Ye my reaction to this was basically uninstalling yay to force me to do it manually

    [–] pewgar_seemsimandroid@lemmy.blahaj.zone 1 points 21 hours ago

    appimages are kinda like portable app versions.