AUR is community-maintained packages intentionally designed to shift security responsibility to users. Without pre-installation vetting, meaning anyone can submit anything on there, making it perfect for malware distribution.
Of course all code is visible for inspection, community voting exists, and malicious packages can be reported and removed which limit malicious action.
But now we have LLM that can generate (and distribute) malware and do pretty good code obfuscation so I am not convinced by this model. Honestly I never felt comfortable using AUR (so I avoid it) because I’m not technical enough to review all the code my machine runs.
But why? Arch isn’t a server distro and their users usually know how to keep their secrets save. A FUD campaign?
I kinda doubt that people who think AUR is a good idea are good at keeping their credentials secure.
Then you also think the whole bunch of source-based distros (LFS, Gentoo) is a bad idea?
AUR is community-maintained packages intentionally designed to shift security responsibility to users. Without pre-installation vetting, meaning anyone can submit anything on there, making it perfect for malware distribution.
Of course all code is visible for inspection, community voting exists, and malicious packages can be reported and removed which limit malicious action.
But now we have LLM that can generate (and distribute) malware and do pretty good code obfuscation so I am not convinced by this model. Honestly I never felt comfortable using AUR (so I avoid it) because I’m not technical enough to review all the code my machine runs.
No, I don’t think those share AURs glaring security problems.