Obviously installing anything from AUR must be done cautiously and there have always been sketchy (as in improperly built/packaged) packages in the past but seeing actively malicious injections is concerning. I think there are two main problems with AUR: 1. it is a remnant of a slightly more egalitarian era in the open source history when you could generally trust 3rd party code and 2. orphaned packages can be adopted by anyone with their full history and vetting intact.
I think we are well past (1) but (2) could be mitigated by tighter controls on AUR accounts and potentially additional safeguards from AUR helpers. Maybe show a big scary warning if the package has changed owners recently. I know there will still be people that will "y" their way forward but it's better than nothing.
Or just avoid AUR helpers altogether and inspect/build the packages you need yourself from their PKGBUILDs directly.
> Or just avoid AUR helpers altogether and inspect/build the packages you need yourself from their PKGBUILDs directly.
The AUR helpers actually make it easier to integrate the review step into your workflow IMO; they actively prompt to review and let you know when a change is present since you last accepted the risk.
But "AUR considered harmful" is not a novel take. Everybody using it should understand the risk here, it's really just one step removed from curl/bash'ing something you found on StackOverflow.
There was never an era in which #2 was a reasonable policy.
The canonical answer to any concerns with the AUR is always “just read the PKGBUILDs bro”
For every single update, for all your AUR packages, all the time.
You know that thing where if you make a security review feature obnoxious, after some time people will just accept everything without even looking? Yeah...
> For every single update, for all your AUR packages, all the time.
Yes, that's what I used to do when I ran Arch. It's usually easy. The PKGBUILD is usually small to begin with and the difference for a new version should normally be something like the URL and the version number and not much else, so you can just diff it against the old version.
I do it too, but I can see why this can be a problem for users. There should be an "official" scan for potentially malicious changes. I use a third party AUR scanner to help me with this.
What third party scanner do you use?
https://github.com/Sohimaster/traur
paru presents all PKGBUILD diffs to you before installing, that's what I use to read them.
I usually only use AUR to install trusted pre-compiled binary packages; the scripts are very simple and the only thing that should ever change is the url and the sha256.
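The review step described in the two comments above (diff the new PKGBUILD against the last version you accepted and expect nothing beyond the version number, the URL and the checksum to move) can be mechanised. The following is an added example, not code from the thread or from any AUR helper: it labels each PKGBUILD line with the variable or function it belongs to, masks the literal version string so a URL that merely embeds it does not count as a change, and flags anything outside pkgver/pkgrel/checksums as needing a human. It also flags a checksum that changes while pkgver and source stay put, since that means the tarball behind an unchanged URL was replaced. The package name, URLs and checksums are constructed sample values.

```python
"""Classify the change between two PKGBUILD revisions.

Added example (not from the thread or any AUR helper). A routine version
bump should touch only pkgver/pkgrel, the checksum array and a version
number embedded in the source URL; every other change is flagged.
"""
import difflib
import re

ASSIGN_RE = re.compile(r"^(\w+)=(.*)$")           # name=value or name=(array
FUNC_RE = re.compile(r"^(\w+)\s*\(\)\s*\{?\s*$")  # build() {  /  package() {
SUM_KEYS = {"md5sums", "sha256sums", "sha512sums", "b2sums"}
ROUTINE_KEYS = SUM_KEYS | {"pkgver", "pkgrel"}


def _pkgver(text):
    m = re.search(r"^pkgver=['\"]?([^'\"\s]+)", text, re.M)
    return m.group(1) if m else None


def _label_lines(text):
    """Return [(owner, line)]: owner is the variable or function each line
    belongs to (None for blank/comment lines). Outside the pkgver line the
    literal version is replaced by ${pkgver}. Assumes parentheses never
    appear inside quoted array values (true for ordinary PKGBUILDs)."""
    ver = _pkgver(text)
    ver_re = re.compile(r"(?<!\w)" + re.escape(ver) + r"(?!\w)") if ver else None
    out, owner, depth, in_func = [], None, 0, False
    for raw in text.splitlines():
        s = raw.strip()
        if in_func:                      # body of build()/package(): keep verbatim
            out.append((owner, raw))
            in_func = s != "}"
            continue
        if depth > 0:                    # continuation of a multi-line array
            depth += s.count("(") - s.count(")")
        elif not s or s.startswith("#"):
            out.append((None, raw))
            continue
        elif FUNC_RE.match(s):
            owner, in_func = FUNC_RE.match(s).group(1) + "()", True
            out.append((owner, raw))
            continue
        elif ASSIGN_RE.match(s):
            m = ASSIGN_RE.match(s)
            owner = m.group(1)
            depth = m.group(2).count("(") - m.group(2).count(")")
        else:
            owner = "<toplevel>"
        line = raw if owner == "pkgver" or not ver_re else ver_re.sub("${pkgver}", raw)
        out.append((owner, line))
    return out


def classify(old, new):
    """Return (verdict, changed_owners, reasons); verdict is 'routine' or 'REVIEW'."""
    a, b = _label_lines(old), _label_lines(new)
    sm = difflib.SequenceMatcher(None, [l for _, l in a], [l for _, l in b], autojunk=False)
    changed = set()
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag != "equal":
            changed.update(o for o, _ in a[i1:i2] + b[j1:j2] if o)
    reasons = []
    unexpected = changed - ROUTINE_KEYS
    if unexpected:
        reasons.append("changes outside a version bump: " + ", ".join(sorted(unexpected)))
    if changed & SUM_KEYS and "pkgver" not in changed and "source" not in changed:
        reasons.append("checksum changed but neither pkgver nor source did")
    return ("REVIEW" if reasons else "routine"), sorted(changed), reasons


# Constructed sample PKGBUILD for a hypothetical "examplepkg-bin" package.
OLD = """\
# Maintainer: Example Person <example@example.invalid>
pkgname=examplepkg-bin
pkgver=1.2.3
pkgrel=1
pkgdesc="Example binary package (constructed sample)"
arch=('x86_64')
url="https://example.invalid/examplepkg"
license=('MIT')
source=("https://example.invalid/dl/examplepkg-${pkgver}-linux-x86_64.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000001')

package() {
    install -Dm755 "$srcdir/examplepkg" "$pkgdir/usr/bin/examplepkg"
}
"""
# Routine bump: only pkgver and the checksum move.
ROUTINE_BUMP = OLD.replace("pkgver=1.2.3", "pkgver=1.2.4").replace("0001')", "0002')")
# Suspicious bump: a second source entry, a second checksum and an extra package() step.
SUSPICIOUS_BUMP = (
    ROUTINE_BUMP
    .replace('linux-x86_64.tar.gz")', 'linux-x86_64.tar.gz"\n        "https://example.invalid/dl/helper.sh")')
    .replace("0002')", "0002'\n            '0000000000000000000000000000000000000000000000000000000000000003')")
    .replace('"$pkgdir/usr/bin/examplepkg"\n',
             '"$pkgdir/usr/bin/examplepkg"\n    install -Dm755 "$srcdir/helper.sh" "$pkgdir/usr/lib/examplepkg/helper.sh"\n')
)
# Silent tarball swap: checksum changes, version and URL do not.
CHECKSUM_ONLY = OLD.replace("0001')", "0002')")

if __name__ == "__main__":
    for name, new in [("routine", ROUTINE_BUMP), ("suspicious", SUSPICIOUS_BUMP), ("checksum-only", CHECKSUM_ONLY)]:
        verdict, changed, reasons = classify(OLD, new)
        print(f"{name:14s} {verdict:8s} changed={changed} {'; '.join(reasons)}")
```

In practice you would call `classify()` on the PKGBUILD you last built from (keep a copy, or use the helper's cached git checkout) and the freshly fetched one, and only skip the manual read when the verdict is `routine`. The classifier is deliberately conservative: any edit to a function body or to a variable it does not know about is a REVIEW, which keeps the "just read the PKGBUILD" burden to the updates where it actually matters.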
Yeah, paru makes it really easy, I noticed the diffs are a little easier/different versus yay. Not sure though if it's a config setting, haven't figured out the details yet.
Also paru shows you coloured code syntax if you have `bat` installed, I think.
You are thinking of alarm fatigue[1], but it doesn't apply here -- there are no constant alerts warning that you are doing something dangerous to the point you get desensitized and start to ignore them. The correct analogy here is checklists -- things that you need to check if you are to do this "dangerous" activity (AUR usage), akin to a pre-flight checklist.
[1] https://en.wikipedia.org/wiki/Alarm_fatigue
Oh yeah, that's the name of it. But I guess something similar happens with checklists, you do it so many times without anything bad ever appearing that you start to subconsciously assume nothing will ever happen. Why check the rotor of my helicopter when nothing ever happened to it for 5 years? This checklist is a waste of time!
That one's survivorship bias I think.