DISCLAIMER: Arch Linux is not a beginner friendly distribution, and this is not a recommendation or good practice.
I know how to use pacman -S. I have yet to experience a Discover related issue after months of use.
DISCLAIMER: Arch Linux is not a beginner friendly distribution, and this is not a recommendation or good practice.
I know how to use pacman -S. I have yet to experience a Discover related issue after months of use.
I’m not an expert, but I thought on Arch you are specifically not supposed to use the discover store because it can cause partial updates which can in turn cause major problems.
However, the point still stands, pacman and the AUR are easy and have nearly everything.
The AUR is a great resource but it’s also being sold as a package repository users don’t need to actively think about or understand. I honestly think malware is going to be much more common on the AUR if we aren’t careful.
I keep hearing this claim online but the Arch bible (which you really should be familiar with if you use Arch) and pretty much everyone that knows anything will tell you that the AUR is useful, but not something to blindly use. I recommend everyone check the
PKGBUILD, verify the source URLs are correct, and check the diffs when updating. It’s not that much effort.And since it comes from a single (user) package repository, you’ll probably have hundreds of people doing the same, or even going a step or two further and looking into the code, reporting the package if anything bad is going on. Still miles better than downloading
.exefiles you find from a Google search, even if you were lazy and didn’t do the aforementioned checks. (But if you don’t do that, you should probably just use Flatpaks or similar.)All official resources, Arch maintainers and high quality guides have been putting a ton of effort into teaching people how to use the AUR safely. That hasn’t stopped some people, even back before Arch got really popular, but you can’t reach everyone. Alternative package managers and pacman wrappers made the AUR a lot more accessible, which isn’t necessarily a bad thing, but there are good reasons for all the caution. Combine that with Arch increasing in popularity and getting picked up by all the shitty influencers and you get a lot of people ,who don’t know what they’re doing, installing everything from the AUR with their CLI/GUI of choice. Then you’ve got Arch derivatives making AUR packages easily accessible from the start, bad advice on places like reddit etc.
Long story short: it seems that over the years whenever I check in, users that barely know how it works are happily installing random shit from random people on the AUR because they saw it in a YT video or something.
That makes sense, but what’s the alternative here? Linux is freedom, so that means freedom to run / install anything you want, including malware if you’re not careful. Maybe if you discourage people from using the AUR, they will install it through other means, like a developer-provided Flatpak or AppImage. But if that’s not available or doesn’t work, then it’s nothing (= sad user), or you’re back to “Google, then download
an .exethe first thing you can run” or justcurl | sh. Is that better? (Assuming we’re still talking about the kind of people who would skip vetting what they install.)I mean, yeah that would be my solution. I get that the AUR is attractive, precisely because it has a low barrier for anyone to submit their PKGBUILD. The level of oversight and verification is just a bit too low to recommend it to an average user, without a lot of caution. You’ve mentioned some alternatives that fall on different points along the spectrum of delivering software. Something like flatpak is a much more reliable tool in the hands of someone who just wants a GUI app and not think about how it gets to their desktop. For everything else that isn’t part of your distros repositories, there’s really not a good noob-friendly solution that doesn’t carry a big potential risk. Most distros have third-party repositories that use the same underlying tools to deliver software, but are less strict about QA and stuff. This is kind of a bad fit for rolling release distros in my opinion and is probably one of the reasons the AUR is so hands-off and DIY oriented.
There’s probably a better way to handle this, but I don’t think it’s an easy thing to solve (especially for the rolling release model) and the AUR isn’t really appropriate for mass-consumption by average users. Also, there will always be a certain point beyond which you’re on your own, it’s just not feasible to have reliable, safe, distro-agnostic packaging for every piece of software out there.
Eh. I haven’t had issues for a few months and I back up my files on a weekly basis and -Syu once or twice a month. Worst case scenario, I’ll just reinstall and restore from backup.
Also, I mainly use Discover for high level stuff like browsers and IDEs.
As a Debian slut this level of sweating over updates is wild to me.
Yeah but imagine reading about a new release of something and it appearing in your updates the same day. Shiny new software every day is addicting.
On the flip side, reading about an exploited vulnerability in a package and then realizing your machine isn’t affected because Debian has an outdated package in it’s repo
You’re not wrong. That said my broke ass can’t afford cutting edge hardware so most of the time it doesn’t matter.
When it does, I can usually compensate with either a NixOs profile install, a container of some sort (or Flatpak), or just building the emefferr from source.
IMO it’s overblown. If you even have an issue at all, 99.99% of the time it’s user error. And to mitigate that, you just use timeshift with BTRFS and snapshots on GRUB.
You can use it for Flatpaks which works great for a lot of people.
Flatpak just working would be a nice thing. Everytime I try they fuck something new up…
(Last time I thought about installing Steam via Flatpak on Arch to get rid of all the multilib 32bit stuff not needed for aynthing else anymore it worked for nearly 4 days. Then
flatpak updaterandomly uninstalled its nvidia drivers because an “update” removing the old package first, then realizing it can’t find the new one make total sense of course.)Couldn’t for the life of me get the PCSX2 Flatpak version to use GPU acceleration even with Flatseal so I try to avoid flatpaks now lol.
If I learned anything with Steam it’s to never install it as a Flatpak.
Yeah, I heard that several times but decided to try it anyway.
But I expected problems with Steam not with flatpak itself just removing the very same graphics driver it had just installed as a dependency…