"Aaagh! There's malware in the AUR! Abandon ship!"

Me, an inveterate Arch user: *shrug* *sips tea*

You do understand that the AUR is not official and you never need to use it on Arch, right? My Arch install is happily AURless, and has been for years.

#linux #ArchLinux

@negativeprimes do you compile everything that's unavailable in official repos by hand? Just curious, it seems to be kinda cumbersome
@pfxel I also don't understand security-wise. I had to compile a driver for an RME sound card. Philippe Beakaert, a computing professor, wrote it. Sadly, he died 2 years ago, and others did fork his project on GitHub to maintain it. Couldn't those people also put malware in the source code? Is source code safer, because it would be more work to maintain, just to inject malware? I am sure there has to be lots of malware on GitHub.
@pfxel I really know nothing and feel like an easy target. I guess malware that gets compiled by a C compiler is harder to write than a JavaScript thing.
@pfxel To compile a thing, I am executing a Makefile that is full of CLI commands, and it would be easy to drop a line there, no? My two cents are: people like me should never install anything that's not in the official repo. Or join this conversation publicly; I am embarrassing :)
@wespi haha, well, I'm not really qualified either, I'm definitely not a security guy. But I was talking more about maintenance: not using AUR means using Flatpak or just cloning and compiling every new version of each package individually. AUR helpers make this more convenient. But about your questions, I think that the language doesn't matter much these days; the bad actors will use some LLM for the coding part. But being open source means it's easier to catch: history and code are public.
@pfxel Ok. I really am confused. I mostly git clone from a GitHub project, then I follow build instructions. Easy target :(
Now, after some thinking I know what I want to say publicly: the feeling of embarrassment is maybe going through the whole community. Arch got popular, and using it made me feel smarter than I am. Best we can do now is to donate.
@wespi using something doesn't require you to understand everything about it, so just cloning and building is okay. I use Arch as well and sometimes feel exactly the same as you. Doesn't necessarily mean it's true.

@pfxel Thanks for the excellent question! I only use a couple things from outside sources. For one, I simply download the archive directly from the packager's website and install with pacman -U; I trust the provider, as far as it matters, and the package doesn't update often. For the other, I found it in the Debian repos, so I installed it via Distrobox. With an alias to launch it from the command line, you'd never know it was in Distrobox, and it's not something I use often or need to update ever, really.

Of course, everyone's use case is different. I've just never felt comfortable with the AUR, so for me it's been worth finding alternatives.

@negativeprimes oh, that's an interesting approach. I'll copy it to my arsenal if you don't mind :3
@pfxel Happy to help! 🙂 You've made my day!
@negativeprimes back when I tried Arch, a lot of the stuff I needed was on AUR :(
@wststreet I recognize that everyone has different workflows and needs. If you've found a distro that works for you as is, great! :-) For me, I realized that anything that is on the AUR is also available without the AUR. For someone like me who doesn't care to handle compiling from source on my own, I have gotten a lot of mileage from tools like Distrobox to access apps not in the official Arch repositories.
@negativeprimes I'd be curious to try it again one day, the apps I use daily might have changed and maybe there are better ways to get the ones I previously got from AUR.
@wststreet More power to you! 😃 Good luck either way!