What do you all think of AUR

I know what i think of it and will share it here ,but first i would like to know what you all think of it, is it good or bad or is it crazy that anyone can upload packages that could contain malware and stuff like that ?

1 Like

Somehere between bad and crazy.
It is not only happening in AUR.
The languages Python and Julia allow anyone to upload software into libraries, with minimal supervision.

I like the idea of anyone being able to contribute. That is part of the ethos of free software. The problem is the lack of management.

Anything that can download into your OS without checking needs to be a trusted source. Arch need to improve the supervision of AUR.

With other less trusted sources like downloaded tarballs or Github, at least the user can see what is downloaded and check it themselves.. You can virus scan a tarball and unpack it and look at any scripts before using them to install. You cant do that with AUR … it masquerades as a trusted source, and it is not trustworthy.

My solution … I use any Arch based distro without AUR. If I need some piece of software that is in AUR, I get it in some other distro … Debian usually has everything and it is trusted.

I cant escape the open libraries in Python and Julia. … I use R instead. The R CRAN package system is rigorously managed. Not sure where Rust stands in this regard.? If you want safe libraries, use C.

… I checked … the Rust Cargo package manager allows users to upload contributions, in the same way as Julia and Python.
This is crazy … they should not be using Rust in the kernel.

Julia and Python ( and apparently Rust) are reasonably safe because they have some automated checking software. I have no idea what AUI does to screen contributions? Apparently is is not working well enough, given recent news.
There are some AUR details here

2 Likes

I use cachyos which is arch based and dont use aur just the thought of that anyone can upload packages with god knows whats inside them tells me not to trust it, and Linux is much about security but the idea to let anyone upload anything is in my book completely crazy, and i do understand that to check every package is Time-consuming but something must be done about this.

2 Likes

Sounds like the Arch distro is very customizable. Also sounds like the AUR is totally unfiltered. By the way, I’d never use Arch.

3 Likes

I have cachyos kde plasma and its very customizable both the desktop and kernels can be customized and im sure a lot more, Yes AUR is Unfiltered its in my opinion crazy,but i do hope that it will change for the better now after all malware there have been.

1 Like

Another reason for me to never install Arch or anything Arch related.

Void has the xbps-source tree, is that just as terrible?

2 Likes

Just becouse someone use arch based distros dosent mean they have to use AUR

1 Like

No, that is well managed, like Gentoo.
It is the quality and commitment of the people managing a distro that matters.
Distros will always need human intervention.
The impression I get is that Arch is understaffed, so they focus on their official repo, which is good but small. AUR needs more human attention.

2 Likes

Agree with you Neville

2 Likes

if you are looking for an analysis of the reportedly top 6 distros then this How to Geek article may help you decide

6 distros that prove Linux is the future of desktop PCs ?

2 Likes

? And what does that have anything to do with AUR ?

1 Like

It is heavily weighted towards gaming distros.
There are another 200 or more distros that contribute something too.

Yes it is off-topic … we tolerate that . The chat that occurs after a topic is settled is unique to this forum, and helps to make the forum friendly and entertaining.

3 Likes

of course we can get off topic I do all the time :slight_smile: i was just asking

2 Likes

The problem with it, is it is open to all and sundry. Chaotic AUR however isn’t. Arch has not got everything in their repos, which is why the AUR was invented, but now of course with the rise of people coming over to Linux and going potentially to Arch, because of the interest of gaming on Linux and the one Distro everyone goes to is Cachy OS Plasma version. Me I went with Xfce, but now have gone to Kiro Xfce for gaming on. In the AUR you can get nearly everything, but in my view some of those packages, if not all should be in the main repos. Take menulibre for instance…

The only way you can install it, is either through the AUR or if you’re savvy enough I think you can get it from Chaotic AUR? For those who don’t know what Chaotic AUR is, it is like the AUR, but the packages have already been built and tested, rather than risking installation failure with the normal AUR, I prefer Chaotic AUR, as it is safer, especially now with the malware found in nearly every package on the AUR. yay AUR Package installer has released a scanner embedded inside it, so it scans all the packages for malware, but I must stress as a user of Arch, don’t just rely on what it tells you, read the code and if you’re not sure, read the documentation about the malware attack, it provides info on what to look out for when reading the packages you’re trying to install.

They should really lock down the AUR now and just have trusted package maintainers running it instead. The AUR history was based on trust, but this malware attack must be making them think a bit more about not having it so open.

3 Likes

I do agree with you here they should look down AUR and only keep the trusted packages and put them in thier repos,and they should do better with thier package manager and have it more like ubuntu and popos there it is easy to see what you want to down load.

1 Like

While we are discussing AUR, what do people think of Ubuntu’s PPA?
I feel it is just as bad, but not is not used much because Ubuntu’s repo has most things.

2 Likes

I hardly know what it is haven’t hade Ubuntu that long when i tried it. the only thing i know is that people dont like ubuntus snap i think its called

2 Likes

Is Ubuntus PPA as bad as AUR that anyone can upload packages ?

1 Like

Not sure how much supervision Ubuntu do of PPA.
Lets say it is less trustworthy than packages from the official repo … but we are not sure how much less.

2 Likes

Don’t use it,it is too dangerous!

I only us official repo’s!

3 Likes