Or make it so that the AUR has a modicum of security and not allow brand new accounts to adopt orphaned packages and immediately push out malware without any form or reviews, checks, or interventions.
If I copy paste a malicious script here and you run it without knowing/checking what it does, do you think your instance admin should also put more rules and restrictions for the whole instance? AUR is no different than GitHub or Pastebin. It is on the user to vet what script they are running. Arch already has a more strict and vetted repo by the maintainer. Having AUR be a vetted place has no real good solution because of easy botting.
It’s basically a public wiki of scripts, being editable by anyone is the entire point.
If you don’t want to run random scripts from random people, don’t use AUR.
That’s not what the AUR does. They simply provide a platform for users to share build scripts. There isn’t much they can do beyond trying to vet accounts based on flimsy metrics, or weeding things out every now and then.
The problem is that some people and even distros treat the AUR as a trusted source of software.
All user repositories (JavaScript, Python etc.) suffer from malware btw.; the AUR is different in that it explicitly puts the responsibility of building packages on the user.
Oh, very rigorous software engineering standards.
…
I’m still missing some palpable information about these injections/malware. https://bbs.archlinux.org/viewtopic.php?id=313892
Absolutely ludicrous. These are very very strong packages.
Is that not the case already? If not I’m sure it’ll be one of the fixes.
Well, there are regulations governing the code they can be made of.