What's the major Linux malware problem that everyone is ignoring

AUR got hit recently [0], by what looks like more work of TeamPCP and friends.

EDIT: Worth noting, Arch ain't hosted on AUR. That's the community side only.

[0] https://archlinux.org/news/active-aur-malicious-packages-inc...

I would still note that this is not some kind of unique problem to Linux. There have been documented instances of malware making it to the Play Store, which is supposed to have a much more rigorous vetting process than AUR and costs actual money to publish on.

Just to expand... When the above user is comparing to Windows, who got most of the US government breached, I do think shade against AUR is uncalled for. It's just a community host for packages, comes with warnings, and isn't enabled by default, etc.

I can still happily upgrade via pacman without fear. Haven't been able to update on Windows without concern for over a decade - the malware comes built in.

[0] https://www.cisa.gov/sites/default/files/2024-03/CSRB%20Revi...

Exactly.

I only have 4 packages installed with AUR and I think that’s the intention. You’re only going there when the other solutions aren’t available or don’t make sense.

Linux users used to say "Linux is secure and doesn't get viruses". Now the best thing we can say about it is "Linux gets viruses just like the Play Store". Sad if you ask me.

I think anyone who has made that claim was probably trying to be smug or didn’t actually understand security concepts, and was never correct to be making that claim.

Only Apple has made that claim in their marketing and that was 20 years ago when security by obscurity was shielding them, and when Windows XP was such a cesspool that anything with a normal amount of malware would look virus-free by comparison.