← Back to context

Comment by 0x38B

4 days ago

How is that an unacceptable threat model for a repo of packages that are optional and user-made? One that clearly says, "DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk." (1)

The AUR, along with Arch's minimalism, is one of my favorite things about it. Instead of cloning the source repo, reading the build instructions, building, and then installing, I download a script, read it to make sure it looks okay (e.g. the source points to what I expect), and then `makepkg -si`.

> The way I see it installing software from the AUR is about as safe as installing software from the pirate bay.

No, if I trust the source - and I often follow the source link to GitHub to check out the project - then it's like one of my distro's packages, except I'm the one saying it's safe for me to install. I'm not claiming it's risk free, but it's been a great boon to me. (2)

1: https://aur.archlinux.org/

2: I used the AUR to compile and install Goldendict-ng, a fork of the dictionary software Goldendict that's being maintained. It accepts my Stardict converted-from-Apple dictionaries and supports Wayland!

1 comment

0x38B

Reply
wasmperson  4 days ago

> How is that an unacceptable threat model for a repo of packages that are optional and user-made? One that clearly says, "DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk." (1)

The AUR is an official part of Arch Linux. It's hosted on the archlinux.org domain with a prominent link to it from the main page. You enable package installation from it either using one of the many transparent pacman wrappers recommended in arch community spaces and on the arch wiki, or by ticking a checkbox in a graphical package manager like pamac. IMO a one-line disclaimer on the aur main page doesn't fix the problem at all.

Security isn't about the trustworthiness of the code you're running, it's about the trustworthiness of the person who's giving you the code. No matter how good you are at auditing bash scripts, there's a malicious bash script that will slip by you, even if you're diligent (which most aren't, even among so-called "power users"). With official packages, I have to trust the people who distribute my OS. With vendor-distributed software (Windows software, PPA, curl | sh) I have to trust the person who wrote the software. With the AUR, I have to trust the first person to park the name of the package.