DISCLAIMER: Arch Linux is not a beginner friendly distribution, and this is not a recommendation or good practice.
I know how to use pacman -S. I have yet to experience a Discover related issue after months of use.
DISCLAIMER: Arch Linux is not a beginner friendly distribution, and this is not a recommendation or good practice.
I know how to use pacman -S. I have yet to experience a Discover related issue after months of use.
The AUR is a great resource but it’s also being sold as a package repository users don’t need to actively think about or understand. I honestly think malware is going to be much more common on the AUR if we aren’t careful.
I keep hearing this claim online but the Arch bible (which you really should be familiar with if you use Arch) and pretty much everyone that knows anything will tell you that the AUR is useful, but not something to blindly use. I recommend everyone check the
PKGBUILD, verify the source URLs are correct, and check the diffs when updating. It’s not that much effort.And since it comes from a single (user) package repository, you’ll probably have hundreds of people doing the same, or even going a step or two further and looking into the code, reporting the package if anything bad is going on. Still miles better than downloading
.exefiles you find from a Google search, even if you were lazy and didn’t do the aforementioned checks. (But if you don’t do that, you should probably just use Flatpaks or similar.)All official resources, Arch maintainers and high quality guides have been putting a ton of effort into teaching people how to use the AUR safely. That hasn’t stopped some people, even back before Arch got really popular, but you can’t reach everyone. Alternative package managers and pacman wrappers made the AUR a lot more accessible, which isn’t necessarily a bad thing, but there are good reasons for all the caution. Combine that with Arch increasing in popularity and getting picked up by all the shitty influencers and you get a lot of people ,who don’t know what they’re doing, installing everything from the AUR with their CLI/GUI of choice. Then you’ve got Arch derivatives making AUR packages easily accessible from the start, bad advice on places like reddit etc.
Long story short: it seems that over the years whenever I check in, users that barely know how it works are happily installing random shit from random people on the AUR because they saw it in a YT video or something.
That makes sense, but what’s the alternative here? Linux is freedom, so that means freedom to run / install anything you want, including malware if you’re not careful. Maybe if you discourage people from using the AUR, they will install it through other means, like a developer-provided Flatpak or AppImage. But if that’s not available or doesn’t work, then it’s nothing (= sad user), or you’re back to “Google, then download
an .exethe first thing you can run” or justcurl | sh. Is that better? (Assuming we’re still talking about the kind of people who would skip vetting what they install.)I mean, yeah that would be my solution. I get that the AUR is attractive, precisely because it has a low barrier for anyone to submit their PKGBUILD. The level of oversight and verification is just a bit too low to recommend it to an average user, without a lot of caution. You’ve mentioned some alternatives that fall on different points along the spectrum of delivering software. Something like flatpak is a much more reliable tool in the hands of someone who just wants a GUI app and not think about how it gets to their desktop. For everything else that isn’t part of your distros repositories, there’s really not a good noob-friendly solution that doesn’t carry a big potential risk. Most distros have third-party repositories that use the same underlying tools to deliver software, but are less strict about QA and stuff. This is kind of a bad fit for rolling release distros in my opinion and is probably one of the reasons the AUR is so hands-off and DIY oriented.
There’s probably a better way to handle this, but I don’t think it’s an easy thing to solve (especially for the rolling release model) and the AUR isn’t really appropriate for mass-consumption by average users. Also, there will always be a certain point beyond which you’re on your own, it’s just not feasible to have reliable, safe, distro-agnostic packaging for every piece of software out there.