In the past I had a hard time convincing people that the only sane way to use the AUR repository is to manually vet every build script and source. For years people discarded any form of such advice and blindly installed AUR packages left and right. I guess those times are finally over?!

Still I'm somewhat baffled how many, otherwise security aware, people are shocked about the current AUR malware debacle.

What really surprised me is that it took so long for someone or some group to do it.

So I'm asking myself: But what if it hasn't?

What if someone was more cautious, pulled something more sophisticated, only to compromise a "real" package maintainer and pivot from there?

One questions how carefully maintainers are using the AUR?!

#aur #archlinux

I deal with the AUR as an Arch user like this:

1.) If a project maintains their own repo, I tend to feel OK using the AUR for it.

2.) For a project that is either not in the AUR, or is but not maintained by the project themselves, I use Flatpak if it's official, or use distrobox to install the version the project maintains/suggests.

Never install from the AUR if the project doesn't maintain the repo themselves.

#arch #aur #distrobox

AURpocalypse now: a look at the recent AUR attacks

The Arch User Repository (AUR) has been subjected to a sustained attack recently. The attacker, [...]

LWN.net

Petrișor Peiu: The #PSD (#PartidulSocialDemocrat) trumpets reproach us for not wanting to vote for a new #PSD (#PartidulSocialDemocrat)-#NicușorDan government. But why don't these people press #NicușorDan and #PSD (#PartidulSocialDemocrat) to vote for an #AUR (#AlianțaPentruUnireaRomânilor) government?

🔗 https://wp.me/p9KpFA-5maN

#Știri #România #București

Recent waves of corrupted packages on the AUR? A blessing in disguise: it forces us to read PKGBUILDs and remember the dangers of tools like yay.

My golden rule? I have never used yay; I install & update AUR packages manually (and check the PKGBUILD! 😅). No blind automation (just my hand-made bash scripts).

You know exactly what you install and when.
AUR updates stay separate from official repo upgrades.

Transparency over convenience. #ArchLinux #AUR #Security #SysAdmin #OpenSource

Recent waves of corrupted packages on the AUR? A blessing in disguise: it forces us to read PKGBUILDs and reminds us of the dangers of using yay (boo, don't use it).

My golden rule, always? Install/update AUR packages manually (now re-reading their PKGBUILD), no automation (well, I have a few small bash scripts).
1. You know exactly what you install and when.
2. AUR updates are kept separate from official updates.

#ArchLinux #AUR #Security
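An added example, not the poster's own scripts (this post and its English version above both describe the same rule), of what "no blind automation" can look like in a hand-made shell script: an update helper that refuses to run makepkg until the PKGBUILD and any .install hooks match a fingerprint recorded the last time a human read them. The package name, the directory layout and the `.reviewed` marker file are assumptions made for the demonstration; `demo` runs offline on a constructed package directory, without git or makepkg.

```shell
#!/bin/sh
# Added example (not from any post on this page): a "review gate" for manually
# maintained AUR checkouts. makepkg only runs when the build scripts are
# byte-identical to what was approved at the last review.

# Fingerprint of every file makepkg will execute: PKGBUILD plus *.install hooks.
build_script_fingerprint() {   # $1 = package directory
    (
        cd "$1" || exit 1
        for f in PKGBUILD *.install; do
            [ -f "$f" ] && cat "$f"
        done
    ) | sha256sum | cut -d' ' -f1
}

# Record that the current build scripts have been read and approved.
# (.reviewed is a marker file chosen for this example, not an AUR convention.)
mark_reviewed() {   # $1 = package directory
    build_script_fingerprint "$1" > "$1/.reviewed"
}

# Exit 0 if the build scripts are unchanged since the last review, 1 otherwise.
is_reviewed() {   # $1 = package directory
    [ -f "$1/.reviewed" ] && [ "$(cat "$1/.reviewed")" = "$(build_script_fingerprint "$1")" ]
}

# Update flow for one AUR git checkout: pull, then refuse to build until the
# diff has been read and approved with mark_reviewed.
aur_update() {   # $1 = package directory
    git -C "$1" pull --ff-only || return 1
    if is_reviewed "$1"; then
        (cd "$1" && makepkg -si)
    else
        echo "$1: PKGBUILD or .install changed since last review; read the diff:" >&2
        git -C "$1" diff 'HEAD@{1}' -- PKGBUILD '*.install' >&2
        return 1
    fi
}

# Offline demonstration on a constructed package directory.
demo() {
    d=$(mktemp -d)
    printf 'pkgname=example-pkg\npkgver=1.0\n' > "$d/PKGBUILD"   # constructed
    mark_reviewed "$d"
    is_reviewed "$d" && echo "unchanged: ok to build"
    # A newly added post-install hook must trigger a fresh review.
    printf 'post_install() { echo installed; }\n' > "$d/example-pkg.install"
    is_reviewed "$d" || echo "changed: review required before makepkg"
    rm -rf "$d"
}

demo
```

In real use the loop is: `aur_update ~/aur/foo`; if it refuses, read the printed diff, then `mark_reviewed ~/aur/foo` and run `aur_update` again. The fingerprint deliberately covers `.install` files too, because post-install hooks run as root and are exactly where the recent attack hid its payload.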

Arch Linux: over 1,900 AUR packages infected with malware within a few days

Arch Linux's Arch User Repository (AUR) has become the target of a large-scale attack: malware hidden in install scripts compromised over 1,900 packages within a few days. The project team responded by blocking new registrations and starting cleanup operations.

Hardware Upgrade

Building AUR Packages with Forgejo Actions and Renovate

https://s3lph.me/building-aur-packages-with-forgejo-actions-and-renovate.html

s3lph made - Building AUR Packages with Forgejo Actions and Renovate

The Arch User Repository (AUR) is a collection of user-contributed source packages for Arch Linux. These packages, which may be submitted by anyone without review, simply consist of package metadata, and instructions for downloading and building software from source. This also means that special…

s3lph made

⚠️ Arch users have certainly heard of #atomicarch: attackers hijacked orphaned AUR packages, slipping credential-stealing #malware into PKGBUILD post-install hooks. Official repos are safe - only AUR is hit. A community list of compromised packages has since grown to 1935 entries: https://github.com/lenucksi/aur-malware-check

If you installed or updated any AUR package since June 11 2026, cross-check the output of 'yay -Qm' against the list. A match means rotate all credentials and investigate 🔎

#Arch_linux #aur

GitHub - lenucksi/aur-malware-check: Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists.

Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists. - lenucksi/aur-malware-check

GitHub
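The cross-check the post above describes, as an added shell example that is not part of the post nor of the linked lenucksi/aur-malware-check repository: it takes the "name version" lines that `yay -Qm` (or `pacman -Qm`) prints for foreign packages and reports every name that appears in a compromised-package list. The package names and list contents below are constructed sample data; the real list is the one at the GitHub link.

```shell
#!/bin/sh
# Added example (not from the post or the linked repository): match locally
# installed foreign packages against a list of names reported as compromised.

# Constructed sample of `yay -Qm` output: "<name> <version>" per line.
SAMPLE_QM='example-tool 1.2.3-1
another-aur-pkg 0.9-2
suspicious-lockfile-bin 2.0-1'

# Constructed sample compromised list: one package name per line, '#' comments allowed.
SAMPLE_LIST='# constructed sample list, not the real one
suspicious-lockfile-bin
totally-different-pkg'

# Print each installed package name (first column of $1) that is in list $2.
# Matching is on exact package name, so "foo" does not match "foo-git".
find_matches() {   # $1 = Qm-style text, $2 = list text
    printf '%s\n' "$1" | awk -v list="$2" '
        BEGIN {
            n = split(list, names, "\n")
            for (i = 1; i <= n; i++)
                if (names[i] != "" && names[i] !~ /^#/) bad[names[i]] = 1
        }
        ($1 in bad) { print $1 }'
}

# Number of matches; "0" on a clean system.
count_matches() {   # $1 = Qm-style text, $2 = list text
    find_matches "$1" "$2" | wc -l | tr -d ' '
}

# Live use: find_matches "$(yay -Qm)" "$(cat compromised.txt)"
#       or: find_matches "$(pacman -Qm)" "$(cat compromised.txt)"
find_matches "$SAMPLE_QM" "$SAMPLE_LIST"
echo "matches: $(count_matches "$SAMPLE_QM" "$SAMPLE_LIST")"
```

Run against real data, a non-zero count is the signal the post describes: treat every credential on that machine as exposed and rotate it, then investigate what the matching package's post-install hook did. Note that `-Qm` only lists packages still installed; a package that was installed, ran its hook, and was later removed leaves no trace here.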

#GeorgeSimion, president of the extremist party #AUR (#AlianțaPentruUnireaRomânilor), has been re-elected vice-president of the 🌍#european ECR party.

🔗 https://wp.me/p9KpFA-5ma6

#Știri #România #UE #UniuneaEuropeană #Extremism