In control of installing malware?
I get what you mean, but people are stupid. There needs to be guardrails to prevent these things from happening. That’s why the AUR is a bad idea and it should be shut down.
You want your software to be available for a distro? Go through the proper channels. Submit it for review and get it approved. If you stop maintaining it, they remove it. Plain and simple.
That’s why you don’t have this problem with other distros. Arch made it too easy to download and install unverified, untested, potentially malicious software through the AUR and now every idiot that thinks they know what they’re doing is infecting their system.
There is some software that I only have because of the AUR. For example, Brother printer drivers.
AUR is a great option to have. It doesn’t mean people should use it for everything, when there’s a perfectly capable version of the same software downloadable from Arch, Flathub or even through Distrobox.
Having options is a good thing, people just need to take care.
In fact, downloading something from AUR without checking it is hardly more dangerous than adding PPAs in Ubuntu.
Hahahahaha they also come in Debian .deb and Fedora .rpm packages. That’s why I never got this problem with my hardware on Ubuntu or Debian.
And no it’s not the same as PPAs.
That is exactly why the AUR exists. To repackage that vendor’s .deb into something Arch can safely manage. This makes Arch support for 3rd party apps almost unbeatable.
And you’re right: PPAs are not the same… in this regard they’re actually worse. AUR is at least in plain text and the documentation is clear: always check the PKGBUILD. When you add PPAs you’re blindly trusting a 3rd party repository and updating them with sudo.
You can’t burn the whole thing down just because, in your own words, “people are stupid”. They either read the documentation and follow the security policies, or they stick with Arch and Flathub. Or, they can simply choose a different distro. It’s that simple.
The thing is, I agree that AUR could have some sort of protection, such as rate-limiting or a reputation system. But even as is, AUR is still an excellent feature that should definitely be maintained. And people, especially those using Linux, definitely should educate themselves instead of exclusively relying on strangers for all their digital security.
Edited for extra clarification.
You completely missed the point.
Debian or Fedora don’t need an AUR because vendors provide the packages themselves. And you know where they’re coming from. You have the largest collection of software packages available, plus the 3rd party official packages available to download.
As for the PPAs, they’re often provided by the software distributor themselves. Like Proton, or Wine. Most of the time you know who’s providing the PPA. Ubuntu also keeps a close watch over these and will act if a malicious PPA is found. It won’t take a lot of time before the PPA is taken down to prevent the spread. So it’s relatively safer than a free-for-all repo where everybody is contributing and unmaintained packages get taken over. So, no. PPAs are not more dangerous than AUR.
I didn’t.
Saying that Debian and Fedora don’t need an AUR because vendors provide packages, implying these distros are practically immune to third-party malware, is totally false. Fedora has COPR, openSUSE has OBS, and Ubuntu/Debian rely heavily on PPAs and random deb downloads from websites. See xz-utils: https://en.wikipedia.org/wiki/XZ_Utils_backdoor
Most FOSS developers do NOT have the time or infrastructure to package for every distro. They provide source code on GitHub. The AUR exists to translate that source (or a vendor’s deb) into a native Arch package. Furthermore, downloading a random deb from a vendor’s obscure website and installing it with dpkg (which runs pre-install scripts as root) is arguably less safe than a PKGBUILD that downloads the exact same binary from the vendor’s official mirror, unpacks it, and lets you read exactly what it does before you run it.
Your conception of PPAs is riddled with misconceptions. Absolutely anyone can create a PPA. Canonical does not verify the identity of the uploader beyond email confirmation. Launchpad is flooded with unofficial, community-maintained PPAs that are no more “official” than an AUR maintainer.
Also, Ubuntu does NOT proactively audit the source code or binaries inside PPAs. They take a PPA down after it has been reported and confirmed malicious, exactly the same as the Arch maintainers do with the AUR.
A PKGBUILD is a plain-text shell script. You can read the exact source URL, the compilation flags, and the install commands. A PPA provides a pre-compiled binary file. You have pretty much zero idea what is inside that binary. Blindly giving sudo access to a binary PPA is objectively more dangerous than auditing a 20-line bash script that compiles source code before running.
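The “read the PKGBUILD before you run it” check described above, as an added example that is not part of the original thread: a small Python triage script that pulls the source URLs and checksums out of a PKGBUILD and flags what a reviewer should look at first (plain-http sources, SKIP checksums on non-VCS sources, remote scripts piped into a shell, and any use of sudo). The PKGBUILD it runs on is a constructed sample, not a real AUR package, and the script is an aid to reading, not a replacement for it.

```python
import re
import shlex

# Constructed sample PKGBUILD (hypothetical package, not from the AUR). It
# repackages a vendor .deb, the use case the thread discusses, and carries
# three defects a reviewer should catch.
SAMPLE_PKGBUILD = r"""
pkgname=example-driver-bin
pkgver=1.2.3
pkgrel=1
source=("https://vendor.example/downloads/driver_${pkgver}.deb"
        "http://mirror.example/extra-firmware.tar.gz")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
            'SKIP')

package() {
    bsdtar -xf data.tar.xz -C "$pkgdir"
    curl -fsSL https://vendor.example/post-install.sh | bash
}
"""

# VCS sources legitimately carry SKIP (makepkg verifies them by commit).
VCS_PREFIXES = ("git+", "git://", "hg+", "svn+", "bzr+")
# curl/wget output piped straight into a shell: code that never touches
# disk and is not covered by any checksum in the PKGBUILD.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^\n|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")


def parse_array(text: str, name: str) -> list[str]:
    """Return the items of a bash array assignment such as source=(...)."""
    m = re.search(rf"^\s*{re.escape(name)}=\((.*?)\)", text, re.S | re.M)
    return shlex.split(m.group(1)) if m else []


def audit_pkgbuild(text: str) -> list[str]:
    """Flag the things a reader of a PKGBUILD should check before running it."""
    findings = []
    sources = parse_array(text, "source")
    sums: list[str] = []
    for algo in ("b2sums", "sha512sums", "sha256sums", "sha1sums", "md5sums"):
        sums = parse_array(text, algo)
        if sums:
            break
    for i, src in enumerate(sources):
        url = src.split("::", 1)[-1]  # drop an optional "filename::" prefix
        if url.startswith("http://"):
            findings.append(f"source {i}: fetched over plain http: {url}")
        checksum = sums[i] if i < len(sums) else "MISSING"
        if checksum in ("SKIP", "MISSING") and not url.startswith(VCS_PREFIXES):
            findings.append(f"source {i}: no checksum ({checksum}): {url}")
    if PIPE_TO_SHELL.search(text):
        findings.append("downloads and executes a remote script at build time")
    if re.search(r"(?m)^\s*sudo\s", text):
        findings.append("uses sudo; makepkg never needs root")
    return findings
```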
There have been approximately 1000 infected packages in the AUR on Arch. And that’s just in the latest incident, because that’s not even the only incident.
Now tell me how many times this happened with PPAs? Or COPR or OBS?
Also, I’m very aware of the xz-utils exploit that happened last year. And do you know what distros were affected? Beta and testing versions of Fedora and Debian, which are not the most widely used versions of these distros. They are not meant for the public, but for developers and testers. However, the latest stable Arch was affected. Here’s the source.
There’s no comparison between this AUR event and the xz-utils backdoor problem that was resolved nearly immediately and hasn’t happened again. Meanwhile the AUR keeps getting infected and, like I mentioned, there’s been several occurrences of this.
Ubuntu relies on the community to be notified of problematic PPAs, and these are resolved swiftly. I cannot recall the last time there was an incident with a PPA because they are so rare. So, again, there is no comparison to make.
And who reads the PKGBUILD scripts??? Most users don’t bother. And that’s the problem.
I’ve been using Linux for 26 years and have even worked for a distro myself. Arch is a great Linux distro if you want to build a lean distro with bleeding edge shit. But, it’s vulnerable to vulnerabilities due to it being too bleeding edge with little oversight and malware through the AUR. If you want to use this, then by all means, go ahead.
But my gripe is with this, and other communities, where people are pitching Arch or Arch-based distros to nearly everybody as the de-facto go-to, especially if you’re into gaming. And I have a problem with that. I also have a problem with its users that will blindly defend this distro and outright refuse to see the problems, like it’s some kind of cult.
https://archlinux.org/about/
Versatile, sure.
But Arch is anything but simple. The proof is the number of Arch spinoffs that were made to make it easier to install and use.
And any distro can be for competent Linux users. I mean, Linus Torvalds uses Fedora. I don’t think there’s a more competent user than him.
There’s conceptual simplicity and there’s UX. Arch is mostly the former.
Arch USER Repository. Use the official repositories if it’s a concern.
AUR is not unique in being a user repository, but it seems somewhat unique in having basically zero oversight. Which is a bad idea for reasons that should be painfully obvious by now.
For comparison, Gentoo’s GURU repository allows everyone to submit packages, but limits the ability to accept these submissions to a subset of trusted users.
All community projects are open contribution. Most non-community ones too. You know, almost the whole point of open-source!
But that’s not the same as “user repo”, which is a wild west concept on purpose.
GURU bills itself as an official repository that’s user-maintained. AUR makes no claims of being official as far as I can see from their website.
The AUR domain is aur.archlinux.org and it is linked from the menu bar on archlinux.org. If AUR is not official, then Arch sure is sending mixed signals to its users.
Absolutely 100%.
Not to mention it’s in most of the solutions to every problem Arch users face.
It’s officially centrally hosting the non-pre-moderated, non-official, user-contributed build scripts, where “user” means literally anyone.
I’m not sure what argument you’re trying to “win”, and to what end. Or why you think anyone would care about the manufactured confusion you’re trying to concoct.
With a nice, big disclaimer.
Which is not much different from the disclaimer about GURU, though GURU does a much better job at explaining the risks involved in using it:
Who here has NEVER used the AUR with their Arch install raise your hand. I’ll wait.
I don’t use any AUR packages; I don’t even have an AUR helper installed ATM. If it’s not in core/extra/multilib I use Flatpak. Generally I will go to Flatpaks for userland apps. Krita and Firefox are both in extra (I think?) but I still use the Flatpaks for both. If I’m going to use the AUR I would generally prefer to just build from source.
That’s pretty sound.
Me!!
I stopped using it a while ago, and I get all my non-Arch-packaged packages from nixpkgs. Nixpkgs is bigger than the AUR and the Arch repos combined. It has pretty much all of the stuff I would have otherwise gotten from the AUR. But I find NixOS frustrating to use, so I stick to Arch.
I felt extremely vindicated in my decision to avoid the AUR when the AUR malware happened.
I bet!