And just to be very explicit why this is an issue: each time the package is upgraded through an automated update, the PKGBUILD may change (e.g. to adapt to different dependencies, file structure, etc introduced with new app version).
That also means an AUR maintainer can smuggle in malware with any of those updates, even if you checked the original PKGBUiLD when you installed. And, anyone can request taking over maintenance for unmaintained packages, so it can even happen if the original maintainer was benevolent.
Always check PKGBUILD files on upgrade, even if just a glance. If I remember correctly yay had a function to always show you PKGBUILD diffs before updates, not sure if that was automatically enabled.
Yeah, it’s never sat very well with me. I’ve gone through cycles where I’ll use a good bit of AUR, to none at all. I had been using a handful of things, but realized that almost all of it was Python stuff that I could more safely install with pip or uv, so I’ve migrated all of that. The one thing left is Manuskript, and it hardly gets updates anyway.
I just run paru when I do system upgrades. Very convenient to have one command doing everything in a somewhat safe way.
Of course, inspecting the PKGBUILDs still doesn’t protect us from having the actual software repositories compromised. Just because only the source hash changed doesn’t mean the software doesn’t have malware now.
That’s where I draw the line regarding trust. I don’t feel like going into to each release of each AUR package I have installed to check code to see if malware was injected. 😅
As in updating the AUR when you update your system packages, which come from known sources.
And just to be very explicit why this is an issue: each time the package is upgraded through an automated update, the PKGBUILD may change (e.g. to adapt to different dependencies, file structure, etc introduced with new app version).
That also means an AUR maintainer can smuggle in malware with any of those updates, even if you checked the original PKGBUiLD when you installed. And, anyone can request taking over maintenance for unmaintained packages, so it can even happen if the original maintainer was benevolent.
Always check PKGBUILD files on upgrade, even if just a glance. If I remember correctly yay had a function to always show you PKGBUILD diffs before updates, not sure if that was automatically enabled.
Paru shows them by default, and it’s basically impossible to disable.
It is a little too easy to skip past it, though.
Yeah, it’s never sat very well with me. I’ve gone through cycles where I’ll use a good bit of AUR, to none at all. I had been using a handful of things, but realized that almost all of it was Python stuff that I could more safely install with pip or uv, so I’ve migrated all of that. The one thing left is Manuskript, and it hardly gets updates anyway.
Paru shows you the diffs by default.
I just run
paruwhen I do system upgrades. Very convenient to have one command doing everything in a somewhat safe way.Of course, inspecting the PKGBUILDs still doesn’t protect us from having the actual software repositories compromised. Just because only the source hash changed doesn’t mean the software doesn’t have malware now.
That’s where I draw the line regarding trust. I don’t feel like going into to each release of each AUR package I have installed to check code to see if malware was injected. 😅