Comment by Barrin92
1 day ago
>But the AUR isn't Arch's main distribution model, and the official Arch repositories contain a ton of packages in the core, so not even the "barebones core" is correct here.
I don't think that narrative is supported by the numbers. Arch's repositories are about a magnitude smaller than either the AUR or "batteries included" distributions like Debian. (about 10k to 100k packages), there are more people using Arch derivatives than arch, and according to some community polls, granted I can't verify their methodology, something north of 90% of arch users use the AUR.
If you look at the most popular packages in the AUR, it's the most popular web browsers, virtually every VPN client, popular professional software like davinci, incredibly popular messaging clients, Spotify, Zoom, billion+ userbase software and the vast majority of password managers.
And if you look at who maintains those, it isn't the company, in many cases it's a random pseudonymous user who doesn't show up on Google. And I don't get this strange aggressive tone of suggesting I use something else. I do already, because as should be obvious I think that's a bonkers security model, but it deserves to be pointed out.
I do not think that the majority of people running arch today in practice realizes that their password manager they installed from that repo everyone uses is managed by an absolutely random person on the internet.
> I don't think that narrative is supported by the numbers
Why are you looking at numbers? Arch Linux's official way of distributing software to it's users are the repositories called "core", "extra" and "multilib", anything else than those are "unofficial" and user's responsibility to how they handle it. No need to look at any numbers, literally go to Arch Linux's website and read how it works if you don't know since before.
> there are more people using Arch derivatives than arch
May be, find it hard to believe that's true outside of gaming, but regardless, that doesn't mean suddenly the AUR becomes safe. And if the complaint is about how these Arch-derivitives educate their users, go to their message boards and share this, that has little to do with Arch Linux itself, literally why there are multiple distributions in the first place.
> something north of 90% of arch users use the AUR.
Yes, like me, and probably every other Arch Linux user. I'm sure every developer on macOS at one time uses the terminal, does that mean "rm -rf" suddenly needs to go away?
> it's a random pseudonymous user who doesn't show up on Google
So what, why it matters? All that matters is that the package does what you expect, and use official sources if that's the point. My password manager's AUR package is built by someone I don't even recall the username of, is this a problem in practice? No, because I do what my OS tells me and reviews random 3rd party software I download from the internet. Every time I upgrade, I see that the only thing changing is the URL which points to the official domain, and a content-hash, that's it. The user could be a pirate in Somalia for all I care.
> I do not think that the majority of people running arch today in practice realizes that their password manager they installed from that repo everyone uses is managed by an absolutely random person on the internet.
I think if you look at a certain sub-section of users who install and do things without thinking, you're absolutely correct. But I don't think the rest of the user base who uses Arch for the very value proposition it offers, should suffer because there is a small sub-section of users who install OSes based on what influencers are pushing to their viewers today.