From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
My security best practice of forgetting to update for several months in a row finally pays off.
TBH it should be a configurable option on every update tool. On my windows install I have unigetui set to only show updates older than 14 days so winget, pip, etc don't even show brand new updates.
Note that AUR is generally untrusted, and is not an part of the Arch distro (but included in some derivatives). Arch users always were and are warned not to install packages from it without proper inspection. [Added: And adequate inspection just did become very hard!]
I think AUR is great for trying out things and sharing with people you know personally - and not much more.
For installing or distributing established, trusted software that is not part of the Arch distribution, I think Guix is better (which runs fine as an extra package manager in Arch, and has currently 31,000 packages, in spite of that it is relatively young).
But the general thing is one just cannot run untrusted, unverified code. Regardless from where - regardless whether it is AUR or pip or Anaconda or MELPA or Guix or crates.io . In terms of computing, it is like giving a stranger on the street the keys to your house.
Having a competent community reviewing software before it becomes part of a distro is what makes using Linux relatively safe (but not foolproof).
I have never used Arch and I already knew to be careful with the AUR.
Is thr solution truly to tell people to read the build instructions and decide if a package is safe? I'm not an arch user, but I've used nixos and assessing nixpkg before installation gets old real quick real fast. Somehow I really doubt telling an average user to assessing pkgbuild on their own will be very effective.
Somehow I really doubt telling an average user to assessing pkgbuild on their own
Arch Linux is not really made for the average user, and using code from AUR even less so. I doubt it that everyone using Arch+AUR or CachyOS or youname it is served well by this.
And making it kind of accepted norm to run untrusted code as a non-technical user will bite the Arch community in the ass. For Arch, it is a phony measure of success to have many such users.
This is also a result of Windows user attitudes leaking into the Linux universe. You need to discern code and data, and you can't run untrusted code, period.
It is a different situation, because Nix packages are part of the Nix distributdis, while AUR packages are not part of Arch. AUR packages are more like Ubuntu ppa's, you can add and run them, but you are on your own risk.
Also,it is a huge number of packages (about 114,000) which are many used by relatively few people. Each arch user has in average probably only a few of these.
So, it makes sense that users review them by themselves. If you can't do that, you should probably not use them.
average user
It is Archlinux' mission statement that its average user knows how to do such things. The installation process is based on handling PKGBUILDS. AUR helpers are explicitely unsupported.
The onus here is on Arch-based distros that decide this vast collection of build scripts equals a software repo, is a good "selling" point, and decide to integrate it into the distro or even the package management.
All that said, the AUR is not the only user repo that is plagued. These sort of malware attacks need to be addressed somehow.
Well damn, I wouldn't have expected that average arch users needed to know how to assess pkgbuilds given how enthusiastically arch users have been trying to sell the distro to first time linux users and other newbies.
+1 Guix
flathub stays winning?
"But it's 100 MB larger than its AUR equivalent! That means bloat!!" Arch users probably
I wouldn't have a problem if it was only 100 MB. The problem is when a couple of programs amount for several GB of dependencies. I still use flatpaks, but can't have this in general. Flatpaks are more like extremely exceptional in my systems.
it is bloat. also were is your package for (insert any very obscure program). I guess your going to have to rely on appimages or building from source for this one!
Bloat implies the extra space is unused or without utility. The extra bytes in Flathub packages usually come from containerization, which adds a layer of protection for the user and makes apps interoperable across all OSes. It’s also funny that you’re calling those extra bytes bloat in a post where AUR users would have benefited from the containerized design.
Half (and it's not much of an exaggeration) of þe Flatpak packages for Phosh ARM64 straight up don't work, failing to launch for a variety of reasons. Trying to inspect what's going on is an exercise in frustration. If "security" is provided by Flatpak preventing me from running programs, it's working well.
Nah I'll keep my 100 mb and my ego thank you very much!
Daaamn. Guess I know how I'm spending my Saturday.