Is thr solution truly to tell people to read the build instructions and decide if a package is safe? I’m not an arch user, but I’ve used nixos and assessing nixpkg before installation gets old real quick real fast. Somehow I really doubt telling an average user to assessing pkgbuild on their own will be very effective.
It is a different situation, because Nix packages are part of the Nix distributdis, while AUR packages are not part of Arch. AUR packages are more like Ubuntu ppa’s, you can add and run them, but you are on your own risk.
Also,it is a huge number of packages (about 114,000) which are each used by relatively few people. Each arch user has in average probably only a few of these.
So, it makes sense that users review them by themselves. If you can’t do that, you should probably not use them.
The onus here is on Arch-based distros that decide this vast collection of build scripts equals a software repo, is a good “selling” point, and decide to integrate it into the distro or even the package management.
All that said, the AUR is not the only user repo that is plagued. These sort of malware attacks need to be addressed somehow.
Well damn, I wouldn’t have expected that average arch users needed to know how to assess pkgbuilds given how enthusiastically arch users have been trying to sell the distro to first time linux users and other newbies.
Is thr solution truly to tell people to read the build instructions and decide if a package is safe? I’m not an arch user, but I’ve used nixos and assessing nixpkg before installation gets old real quick real fast. Somehow I really doubt telling an average user to assessing pkgbuild on their own will be very effective.
It is a different situation, because Nix packages are part of the Nix distributdis, while AUR packages are not part of Arch. AUR packages are more like Ubuntu ppa’s, you can add and run them, but you are on your own risk.
Also,it is a huge number of packages (about 114,000) which are each used by relatively few people. Each arch user has in average probably only a few of these.
So, it makes sense that users review them by themselves. If you can’t do that, you should probably not use them.
It is Archlinux’ mission statement that its average user knows how to do such things. The installation process is based on handling PKGBUILDS. AUR helpers are explicitely unsupported.
The onus here is on Arch-based distros that decide this vast collection of build scripts equals a software repo, is a good “selling” point, and decide to integrate it into the distro or even the package management.
All that said, the AUR is not the only user repo that is plagued. These sort of malware attacks need to be addressed somehow.
Well damn, I wouldn’t have expected that average arch users needed to know how to assess pkgbuilds given how enthusiastically arch users have been trying to sell the distro to first time linux users and other newbies.