Comment by cowmix

4 hours ago

Running CachyOS has overall been great for me in the past year but the AUR supply chain attack (or whatever it was exactly) was a little unnerving.

Yeah I really enjoyed Cachy but the model of using the AUR to install third party applications just seems broken. I don't want to have to trust some random install script maintainer in addition to the 3p app developer. And sadly I don't have the time and attention to spare to review the AUR scripts of apps every time I update.

I switched to Kubuntu to keep KDE (which I really found I enjoyed from Cachy) while using a more stable and familiar ubuntu base. It's not one of the "gaming" distros but I haven't noticed any major drawbacks with the games I play.
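One way to do the per-update review the comment above describes without reading every script by hand, as an added example that is not part of this thread and not CachyOS or Arch tooling: keep the PKGBUILD you last reviewed, and when an update arrives, diff the fields that decide what gets fetched and how it is verified. The two PKGBUILDs, the package name, the URLs and the checksum are constructed for the demo, and the parser only understands simple `var=value`, `var=(...)` and `name() { ... }` forms.

```python
"""Flag security-relevant changes between a reviewed PKGBUILD and an update.

Added example (hypothetical helper, not CachyOS/Arch/AUR tooling). Everything
below operates on PKGBUILD text in memory; the samples are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the version the user reviewed and built last time.
REVIEWED_PKGBUILD = """\
pkgname=example-app
pkgver=1.4.0
pkgrel=1
source=("https://example.invalid/example-app-${pkgver}.tar.gz")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef')
build() { make; }
package() { make DESTDIR="$pkgdir" install; }
"""

# Constructed sample: a later update. The tarball now comes from a different
# host over plain HTTP, checksum verification is switched off, and package()
# runs an extra script that ships with the PKGBUILD.
UPDATED_PKGBUILD = """\
pkgname=example-app
pkgver=1.4.1
pkgrel=1
source=("http://mirror.invalid/example-app-${pkgver}.tar.gz"
        "postinstall.sh")
sha256sums=('SKIP'
            'SKIP')
build() { make; }
package() { make DESTDIR="$pkgdir" install; bash postinstall.sh; }
"""

# Deliberately simple patterns: no shell evaluation, no nested braces.
_ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.S | re.M)
_SCALAR_RE = re.compile(r"^(\w+)=([^\n(]+)$", re.M)
_FUNC_RE = re.compile(r"^(\w+)\(\)\s*\{(.*?)\}", re.S | re.M)


@dataclass
class PkgbuildInfo:
    scalars: dict[str, str] = field(default_factory=dict)
    arrays: dict[str, list[str]] = field(default_factory=dict)
    funcs: dict[str, str] = field(default_factory=dict)


def parse_pkgbuild(text: str) -> PkgbuildInfo:
    """Extract scalar assignments, array assignments and function bodies."""
    info = PkgbuildInfo()
    for name, body in _ARRAY_RE.findall(text):
        # Split the array body into quoted or bare elements.
        info.arrays[name] = re.findall(r"""["']?([^"'\s]+)["']?""", body)
    for name, value in _SCALAR_RE.findall(text):
        info.scalars[name] = value.strip().strip("\"'")
    for name, body in _FUNC_RE.findall(text):
        # Normalise whitespace so reformatting alone does not count as a change.
        info.funcs[name] = " ".join(body.split())
    return info


def review_update(reviewed_text: str, updated_text: str) -> list[str]:
    """Return findings; lines starting with 'review:' need a human look."""
    old, new = parse_pkgbuild(reviewed_text), parse_pkgbuild(updated_text)
    findings: list[str] = []

    old_ver, new_ver = old.scalars.get("pkgver"), new.scalars.get("pkgver")
    if old_ver != new_ver:
        findings.append(f"info: pkgver {old_ver} -> {new_ver}")

    # Any change to where the code comes from is worth a look.
    old_src = set(old.arrays.get("source", []))
    new_src = set(new.arrays.get("source", []))
    for entry in sorted(new_src - old_src):
        findings.append(f"review: new source entry {entry}")
    for entry in sorted(old_src - new_src):
        findings.append(f"review: removed source entry {entry}")

    # Downloads that are not protected by TLS can be tampered with in transit.
    for entry in new.arrays.get("source", []):
        if "://" in entry and not entry.startswith("https://"):
            findings.append(f"review: source fetched without TLS: {entry}")

    # SKIP disables makepkg's integrity check for that source entry.
    for key, sums in new.arrays.items():
        if key.endswith("sums"):
            skips = sum(1 for value in sums if value.upper() == "SKIP")
            if skips:
                findings.append(
                    f"review: {skips} checksum(s) in {key} set to SKIP (no integrity check)"
                )

    # Changed build/package steps run as your user (or root at install time).
    for name, body in new.funcs.items():
        if body != old.funcs.get(name):
            findings.append(f"review: function {name}() changed")
    return findings


def needs_manual_review(findings: list[str]) -> bool:
    """True when at least one finding is more than an informational note."""
    return any(f.startswith("review:") for f in findings)


if __name__ == "__main__":
    for line in review_update(REVIEWED_PKGBUILD, UPDATED_PKGBUILD):
        print(line)
```

The point of the comparison is that the diff an AUR helper shows you is only useful if you know which lines matter; here the changes that alter what is downloaded, whether it is verified, and what runs at build time are called out explicitly, and a pure version bump with `${pkgver}` in `source=` produces no `review:` lines at all. For real PKGBUILDs, which can use arbitrary bash, take the field values from `makepkg --printsrcinfo` instead of a regex parser.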

  • I have not needed AUR support for games. The only time I was tempted to install an AUR package was on my laptop for Zoom chat. My gaming machine will never see any of those packages.

  • I also just moved from Linux Mint to Cachy and haven't had to use a single AUR package (yet). I use some relatively obscure programs too.

    • CachyOS does pull some packages from the AUR into the CachyOS repo, but they state that they go through a validation process first.

I've been CachyOS curious, but AUR is exactly what's been keeping me using Fedora.

I hope official, vetted Arch repositories grow over time.

  • It's simple: Don't use the AUR to download anything if you're worried. AUR is like COPR.

    • That's what I'd probably do, but I'm a software engineer and devops person that also likes to tinker, so I like to have a lot of packages available. Fedora with its 80k packages (~30k apps) has been a blessing.

      In comparison, Arch official repos only have 15k packages (~10k apps). There are ways to plug the gap (such as compile missing packages, add Nix package manager), but it's even better if you don't have to.

I was nervous about this too - but it's "just" the AUR. That means it's only unofficial packages, which we should always take great care when installing anyway.

How many packages are you using from AUR vs the official repos though? The official repos have almost everything I need