Guide To Arch Linux User Repository Safety

Brodie Robertson

1 year ago

18,481 views


Comments:

dirty dog - 05.03.2023 22:14

I use the AUR and an AUR helper, been very lucky so far

bigmike obama - 19.02.2023 06:52

the only problem i have ever had on the aur is an application that hasn't been updated in a long time and just doesn't do anything. nothing has ever broken my system

ZeoCamo - 20.01.2023 17:24

the AUR is 100% safe, no problem whatsoever, just as safe as android's store :D ..... I use Arch BTW

Carlos Lopez - 12.12.2022 18:32

Thank you for this vid Brodie, starting to test Manjaro and saw a few things missing. Now I know a little more about what to watch out for

Boris S. - 08.12.2022 21:26

Yes, I like this video! 👍 Thanks!

Mitsunee - 07.12.2022 20:26

Personally, I have no idea why I watched this video. I mean I basically do the same thing with npm packages, so I guess I agree with you magic arch man.

spicy noodle - 06.12.2022 22:10

I see many people stating that they barely use the AUR and I simply don't trust them. There's basically no benefit to Arch when we discard the AUR. There are plenty of up-to-date distros like Fedora that would get the job done better than AUR-less Arch

J.P. - 06.12.2022 18:15

I use AUR as a Manjaro (GASP!!!) Unstable user.
I'm watching this, 'cause it was in my feed :P

Johann - 06.12.2022 14:50

I have no idea why I am watching this video - subscribed.

KpopCraftster - 06.12.2022 14:42

As someone who avoids using the AUR unless absolutely necessary, I think you may be overestimating how many arch users bother with the AUR and especially how many chose arch because of it.

Capability Snob - 06.12.2022 11:37

Sweet, so to slip a keylogger into the AUR, I need to make sure the download URL, developer name, and install script check out. I'll assume nobody will bother to read the source if it's ugly enough.
Not that this isn't good advice - it's just a shame that I can't use my expensive sliver of magical melted sand to comprehend and manage what the package can or can't do. Like, we need a lavamoat for system packages.

natto - 06.12.2022 07:57

just use nixpkgs bro

No tux no bux - 06.12.2022 05:54

I have a few aur packages and I host the code on my own server. I have no idea if anybody has actually read the code to see if it's actually not malware.

fabricio - 06.12.2022 04:46

Do you want my sincere opinion? Arch Linux sucks... it's just a "Linux Mint Slackware for hipsters", this distro is for masochists that want to be cool, but never will be cool... The real-world Linux distros are 100% much better...

Aoitori365 - 06.12.2022 04:20

Eyy you are

Rob Geib - 06.12.2022 04:13

Great tutorial on how to critically think about what you are installing.

negative - 06.12.2022 04:06

here's how i keep myself safe when using the AUR. 1. Clone the AUR repo. 2. edit and modify PKGBUILD and get rid of libsystemd, systemd dependencies, 3. then install with makepkg -si. Systemd for most if not all of the packages are just garbage and basically unnecessary for package functionality.

Craig W - 06.12.2022 03:07

Good basic instructional video Brodie. IMO, too much AUR will eventually break something on a newbie setup. Always best to stick to the pacman repo as much as possible. When not possible, the AUR kicks butt and makes life quick and easy.

Starlord Stavanger - 06.12.2022 03:04

What kind of tea do u drink bro? im sipping on some chocolate mint right now but in the mornings i do love me some earl grey or english breakfast :)

ax trifonov - 06.12.2022 02:44

Now i want to learn the same about flatpaks and snaps.

Jonathan Brouwer - 06.12.2022 02:36

What is your paru config? The review screen with the file tree looks pretty cool

Vaisakh K M - 06.12.2022 02:04

Now WHAT I DO WITH 1000s of PACKAGES i installed from aur without looking at anything.... :(

CMDR Sweeper - 06.12.2022 02:00

Well I am an AUR helper user... Even on my arch homeserver I now use an AUR helper.
Just doing the updates and making sure the zfs scripts like sanoid stays up to date is reason enough for me.
So my tactic on the AUR and the mess you can get, is that I try to use it as sparingly as possible... But the ZFS snapshots stuff just became super needed to avoid data paranoia so...

zen - 06.12.2022 01:12

so for every package you want to install from the aur, you should audit the package build script? sounds like a bit of a hassle.

is there any kind of reputation or rating system for aur package authors? or is that too easy to game with bots?

Tuxpeng - 06.12.2022 01:11

Not too heavily actually, most of the packages are actually from the main repo or chaotic-aur

Dreamcat 4 - 06.12.2022 01:01

i want to see cli tools for installing aur pkgs doing more of these checks automatically. because when you really work it out, a lot of the stuff you are manually checking here in this video... it could be given output to flag and inform the user. kinda like a linting process. for example if the src repo url is not an identified domain or self hosted that could print out a notification line in a shade of yellow. to prompt the user to manually check. or if the github repo is a fork. or if the github username does not match the aur username. then how many comments. and can automatically score those aur comments with sentiment analysis tool. and the upvotes. and then if flagged for deletion that could be printed in red color. all so many of these checks can and should be automated. with verbosity levels as to how much details to print. and user settings to decide how paranoid you want to be.

another feedback on cli can be to tell the user if the package maintainer is not using or has not enabled 2fa. since this is also another good extra security measure. to stop insecure aur accounts from getting hijacked. the same thing should in fact also extend to the repo accounts of the src on github or gitlab. we need reporting that those upstream accounts where we are actually fetching the software from... the end user must also be told whether those developer accounts are being secured properly by 2fa. so that (again) the person downloading can decide and the ability to choose what their own local security policy is they want to follow. this is especially important for open repos like aur. where anybody out there can submit software and packages

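Added example, not part of the comment above or of the video: a small Python sketch of the "linting" idea, run over a package's `.SRCINFO`. The host allowlist, the `meta` dictionary and its keys (`maintainer`, `votes`, `deletion_requested`), the vote threshold and the sample package are all assumptions made up for illustration; a real tool would fill `meta` from the AUR itself.

```python
from urllib.parse import urlparse

# Assumption: hosts this user treats as "identified"; adjust to local policy.
KNOWN_HOSTS = {"github.com", "gitlab.com", "codeberg.org", "archlinux.org"}

def parse_srcinfo(text):
    """Collect every 'key = value' line of a .SRCINFO into key -> [values]."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(" = ")
        if sep:
            fields.setdefault(key, []).append(value)
    return fields

def source_url(entry):
    """Drop makepkg's 'name::' and 'git+' prefixes; None for files shipped in the repo."""
    url = entry.split("::", 1)[-1]
    scheme, sep, rest = url.partition("://")
    return scheme.split("+")[-1] + sep + rest if sep else None

def lint(srcinfo_text, meta, min_votes=5):
    """Return (level, message) findings: 'WARN' for yellow, 'ALERT' for red."""
    fields, findings = parse_srcinfo(srcinfo_text), []
    for url in filter(None, map(source_url, fields.get("source", []))):
        parts = urlparse(url)
        host = parts.hostname or ""
        if host not in KNOWN_HOSTS:
            findings.append(("WARN", f"source host not on known list: {host}"))
        elif host == "github.com":
            owner = parts.path.strip("/").split("/")[0]
            if owner.lower() != (meta["maintainer"] or "").lower():
                findings.append(("WARN", f"upstream owner '{owner}' is not the AUR maintainer"))
    if meta["votes"] < min_votes:
        findings.append(("WARN", f"only {meta['votes']} votes"))
    if meta["deletion_requested"]:
        findings.append(("ALERT", "package has a pending deletion request"))
    return findings

# Constructed sample input (not a real package).
SAMPLE_SRCINFO = """pkgbase = example-tool
\tsource = example-tool-1.2.0.tar.gz::https://github.com/someoneelse/example-tool/archive/v1.2.0.tar.gz
\tsource = git+https://files.example.net/extras.git
\tsource = example-tool.desktop
"""
SAMPLE_META = {"maintainer": "exampledev", "votes": 2, "deletion_requested": True}

if __name__ == "__main__":
    for level, message in lint(SAMPLE_SRCINFO, SAMPLE_META):
        print(f"[{level}] {message}")
```

A finding here is only a prompt to go and read the PKGBUILD by hand; an empty result says nothing about what the build script itself does.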
LeoVi - 06.12.2022 00:32

I am a fedora user, and I feel it's kind of, unnecessary? But hey good luck

SlideRSB - 06.12.2022 00:26

I like using pamac as my AUR helper because I like how it DDoSes the AUR.

rochr4 - 06.12.2022 00:22

review launches lf? do share this.

Michael Mantion - 06.12.2022 00:11

When you install on paru you don't need the -S

Franco Castillo - 06.12.2022 00:10

I like to listen to the high-pitched voice of this boy 😅😅😅

Anix - 06.12.2022 00:08

I don't know what I should choose? A binary AUR package of ungoogled chromium, i.e. ungoogled-chromium-bin, OR a repo from openSUSE specially for Arch Linux. The GitHub pages from both sources are the same.

Erik Lundstedt - 06.12.2022 00:02

Back when I was using Debian, I wrote a utility in bash to look for packages using fzf (script <part of package name> ==> fzf to find the right package ==> install)

Nowadays I use a package called parui that works almost the same way (no fzf ☹️) and it's pretty great

It is dependent on paru afaik so keep that in mind

Josh Doing Linux - 06.12.2022 00:01

I unfortunately live in an area where we’re not taught about safety devices and safe “browsing”. My parents were uneducated about modern safe browsing methods and so I had to explore the aur for myself and make my own mistakes and deal with infections I was unprepared for.

Thanks for posting this Brodie I couldn’t resist the euphemisms.


/s

dozen - 05.12.2022 23:59

I recently spent some time learning how to use steamtinkerlaunch & ended up needing to use the AUR to install it bc all the other options were WAY too involved for me, & I wondered about this kind of thing at the time! These are great tips; I think they'll be easy to remember and probably make me feel a little bit less like I could be playing with forces I don't understand, lol.

Peanut - INTP - 05.12.2022 23:56

If installing random software is wrong, watching random YT videos (like this one) must be wrong too. 🤔
I need to rethink my entire internet usage.

daru - 05.12.2022 23:49

The thing I don't like about aur is that some people put there their work and you are unable to install it because it asks for password. Why is it then there?

Jeff Story - 05.12.2022 23:31

github cody_learner aurch

YAMI - 05.12.2022 23:10

virgin check install script vs chad test build installer

xslvrxslwt. - 05.12.2022 23:03

No thanks, i prefer [testing] [chaotic-aur].

XeroOl - 05.12.2022 23:02

I would love to see the same mentality toward vim plugins. It seems like a lot of people got the memo on AUR packages, but not yet for vim plugins. Nobody reads the diffs :)
