I keep hearing this claim online but the Arch bible (which you really should be familiar with if you use Arch) and pretty much everyone that knows anything will tell you that the AUR is useful, but not something to blindly use. I recommend everyone check the PKGBUILD, verify the source URLs are correct, and check the diffs when updating. It’s not that much effort.
And since it comes from a single (user) package repository, you’ll probably have hundreds of people doing the same, or even going a step or two further and looking into the code, reporting the package if anything bad is going on. Still miles better than downloading .exe files you find from a Google search, even if you were lazy and didn’t do the aforementioned checks. (But if you don’t do that, you should probably just use Flatpaks or similar.)
All official resources, Arch maintainers and high quality guides have been putting a ton of effort into teaching people how to use the AUR safely. That hasn’t stopped some people, even back before Arch got really popular, but you can’t reach everyone. Alternative package managers and pacman wrappers made the AUR a lot more accessible, which isn’t necessarily a bad thing, but there are good reasons for all the caution. Combine that with Arch increasing in popularity and getting picked up by all the shitty influencers and you get a lot of people ,who don’t know what they’re doing, installing everything from the AUR with their CLI/GUI of choice. Then you’ve got Arch derivatives making AUR packages easily accessible from the start, bad advice on places like reddit etc.
Long story short: it seems that over the years whenever I check in, users that barely know how it works are happily installing random shit from random people on the AUR because they saw it in a YT video or something.
That makes sense, but what’s the alternative here? Linux is freedom, so that means freedom to run / install anything you want, including malware if you’re not careful. Maybe if you discourage people from using the AUR, they will install it through other means, like a developer-provided Flatpak or AppImage. But if that’s not available or doesn’t work, then it’s nothing (= sad user), or you’re back to “Google, then download an .exe the first thing you can run” or just curl | sh. Is that better? (Assuming we’re still talking about the kind of people who would skip vetting what they install.)
I keep hearing this claim online but the Arch bible (which you really should be familiar with if you use Arch) and pretty much everyone that knows anything will tell you that the AUR is useful, but not something to blindly use. I recommend everyone check the
PKGBUILD, verify the source URLs are correct, and check the diffs when updating. It’s not that much effort.And since it comes from a single (user) package repository, you’ll probably have hundreds of people doing the same, or even going a step or two further and looking into the code, reporting the package if anything bad is going on. Still miles better than downloading
.exefiles you find from a Google search, even if you were lazy and didn’t do the aforementioned checks. (But if you don’t do that, you should probably just use Flatpaks or similar.)All official resources, Arch maintainers and high quality guides have been putting a ton of effort into teaching people how to use the AUR safely. That hasn’t stopped some people, even back before Arch got really popular, but you can’t reach everyone. Alternative package managers and pacman wrappers made the AUR a lot more accessible, which isn’t necessarily a bad thing, but there are good reasons for all the caution. Combine that with Arch increasing in popularity and getting picked up by all the shitty influencers and you get a lot of people ,who don’t know what they’re doing, installing everything from the AUR with their CLI/GUI of choice. Then you’ve got Arch derivatives making AUR packages easily accessible from the start, bad advice on places like reddit etc.
Long story short: it seems that over the years whenever I check in, users that barely know how it works are happily installing random shit from random people on the AUR because they saw it in a YT video or something.
That makes sense, but what’s the alternative here? Linux is freedom, so that means freedom to run / install anything you want, including malware if you’re not careful. Maybe if you discourage people from using the AUR, they will install it through other means, like a developer-provided Flatpak or AppImage. But if that’s not available or doesn’t work, then it’s nothing (= sad user), or you’re back to “Google, then download
an .exethe first thing you can run” or justcurl | sh. Is that better? (Assuming we’re still talking about the kind of people who would skip vetting what they install.)