• Victor@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      11 hours ago

      The signal-desktop package on Arch Linux isn’t official either, I’m guessing — should that not be trusted either?

      • AcornTickler@sh.itjust.works
        link
        fedilink
        arrow-up
        14
        arrow-down
        1
        ·
        10 hours ago

        If you don’t trust your distro packages, you should not use that distro. In my mind Arch Linux maintainers are way more trustworthy than a random guy maintaining the Flathub version.

        • Victor@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          9 hours ago

          If you don’t trust your distro packages, you should not use that distro.

          Kind of my point. How high should my trust fence be before I can’t install anything at all. 😅

        • Vincent@feddit.nl
          link
          fedilink
          arrow-up
          3
          arrow-down
          5
          ·
          9 hours ago

          Didn’t Arch just have a major security issue due to their packages essentially being random guys too? (And I think the same thing could theoretically happen to most distributions?)

            • AngryPancake@sh.itjust.works
              link
              fedilink
              arrow-up
              4
              ·
              8 hours ago

              To add to that, the wiki also makes it pretty clear users should be careful. It’s nice to have for packages that aren’t in the main repos, so it makes sense to have it somewhat part of the distro, but it does take manual effort to install aur packages, so in my mind, that’s the best way to do it.

              Big red label at the top: https://wiki.archlinux.org/title/Arch_User_Repository

              Windows users are out there downloading random exe files…

          • Ooops@feddit.org
            link
            fedilink
            arrow-up
            5
            ·
            7 hours ago

            No. Their “here’s also this unofficial repository of builds completely maintained by random community users… USE AT YOUR OWN RISK - You have been warned!” ArchUserRepository got the least used (often long abandoned) packages hijacked by some bad actors.

            But “Less than 1% of the least used packages in the unofficial repository you were explicitly warned about got hijacked by people trying to infect oyur PC” would not have been an interesting headline gathering attention.

            • Vincent@feddit.nl
              link
              fedilink
              arrow-up
              1
              ·
              6 hours ago

              Ah, gotcha! Well, if it’s any consolation, clearly I didn’t click on the clickbaity headline to read the actual low-quality article :P