Ah cool, Archlinux had another oopsie-whoopsie that was only communicated on the mailing lists.

They found malware on the AUR. Reminder that anyone can put stuff on the AUR and when an AUR client offers to let you inspect the package build scripts, it's because it's no one's job to make sure the package is safe.

"But people tell me to install stuff off the AUR all the time and I'm no dev that can understand these scripts" -- Yup! This is one of Arch's primary problems. It's why they make it non-trivial to bootstrap into getting stuff off AUR to begin with, but that's not enough when 98% of Arch users need something off it.

Weh.

[SECURITY] firefox-patch-bin, librewolf-fix-bin and zen-browser-patched-bin AUR packages contain malware - Aur-general - lists.archlinux.org

@trysdyn @eclairwolf encouraging users to use random community maintained packages over ones in robust distribution repositories is a terrible practice
@livingshredder @trysdyn extremely agree. also cannot count the number of aur packages that are just fuckin' broken out of the box lmao

None of this is an Arch issue. There's no AUR helper in the repos even, let alone any official encouragement to use it; everything the user is doing is at their own risk.

@oleksandr @eclairwolf @trysdyn Yeah, but AUR packages are linked all over the wiki on pretty much every page. I feel like that counts as encouragement.

@livingshredder wiki is massively contributed to by… users