Hilarious that it’s JavaScript again, truly npm, pypi and cargo are obvious targets. Also, guys, minimise your usage of the AUR! I don’t use any AUR packages.
Core > Extra > flathub >>>>>>>>>>>>> AUR
Not that core/extra/flathub can’t be pwned but it’s harder than the AUR.
Not the one you asked, but it’s a case of priorities:
If you want it to just work, then the AUR is probably the better pick. Don’t get me wrong, though; most flatpaks should (mostly) work like how you’d expect them to behave natively.
But, (Op)Sec-wise, the verified flatpaks win. No contest. Simply because there’s no third party involved in the process. (And I haven’t even gone over flatpaks’ superior sandboxing.)
Minimizing AUR usage doesn’t necessarily mean not using it at all, but I would weigh those advantages carefully against the risk it brings. I would also recommend the people who don’t know what they are doing to not use it at all.
I’m interested why flathub > AUR? I try to minimize AUR usage but always assumed it’s better than flathub?
But mpv-git has some advantages… and edir, bat, rdo still not in the main repos.