Last night while updating my system, I noticed that a random aur package my system depends on was orphaned in the aur. It’s some random deep-down dependency of another AUR package, and it’s not received any upstream commits in a while. Nice and stable, just needed an owner. I decided to adopt the package before someone else did.

It was kinda scary how simple it is to adopt an orphaned package. Create AUR account… click an email link… Done. If someone wanted to squat the package for malicious purposes, it would be stupidly simple.

I get that this is a problem for all community repos, not just AUR (npm, anyone?), but it’s still an unsettling prospect. I feel like it goes unacknowledged some times.

  • 4ffy@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    This is the main reason that one should learn to read PKGBUILDs. Any AUR helper like Yay or Paru should give the option. Just make sure that the package downloads from an official source and contains only the necessary build and install instructions.

    But I agree. Some people treat the AUR as just another repository, when it most definitely is not.

  • TheCraiggers@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    It’s only scary if you think the AUR is inherently trustworthy. It’s not, and every piece of official documentation and various wikis make it abundantly clear it’s not. (If you see somewhere that doesn’t point it out or edit it so it does.)

    The AUR is barely better than pasting J Random Hacker’s ‘curl http://foo | sudo bash’ code you see somewhere to install something. And that’s only because at least the AUR makes it easier to inspect what’s about to run and what changed.

    • nomadjoanne@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Yup. If I want to install something “app-like” and it isn’t in the main repos I tend to go with the flatpak over the AUR for that reason.