AUR has never been a good idea. I don’t use it and this news proved me right.

But is Arch sufficiently complete without AUR packages? It is being criticized - and rightly so - that the magnificient Arch Wiki is full of references to AUR packages. That could in fact mislead new users.

I am an happy Arch user, since about ten years… But I use it differently. I am running Debian stable on the hardware, which has all the drivers I need (after getting rid of NVidia graphics, which was just a mistake to buy). I use Debian for my work / office / productivity system, to read email, and so on.

But for some stuff, I need newer software: For trying out new features or libraries (I am a developer). For testing out new window managers. Leisure programming. And so on. I use Arch for this. After a few years of dual booting (which caused occasional breakage), I settled on running Arch in a VM. Which works fine for me.

And the last shift I am experiencing is that I use more and more the Guix package manager. The reason for this is that when one tries out a lot of things, and does only system upgrades for many years (which means not doing a reinstall, but replacing the oldstable packages with the newer stable packages), the system becomes a bit untidy over time. Old packages, scripts, and configurations accumulate, and it is hard to get rid of it without breaking things, because one just cannot delete everything one does not remember what it was needed for. And there is so much stuff in software that, after all, turns out to be not such a good idea. Yes, a fresh OS install leaves a tidy system, but it would cost a few days. (By the way, accumulating cruft in the long term is also somewhat of an disadvantage of rolling release distros.)

Now, Guix solves that, because I have a temporary, deterministic environment for every programming project (just like a Python venv). And by this way, stuff does not contaminate the base system, and is garbage collected when it is not used any more.

And, Guix has quite recent packages, similar to Arch.

Now I use Arch less and less.

Minimizing the chance of malware being spread through their means.

Right. And there is another angle to that: It is far easier to turn an ecosystem into a breeding ground for malware, than to get rid of it again. Once a system has a reputation to be easily hackable, it attracts malware like spoiled meat attracts flies.

I kinda doubt that people who think AUR is a good idea are good at keeping their credentials secure.

AUR is still working as intended. It’s basically a public wiki of shell scripts, it was never intended to be secure in the first place. It has always been the user’s responsibility to review everything or avoid using it.

“Foreign hackers”

Foreign to who?

The article never said “foreign”, you made that up.

I remember the good ole days when nobody cared enough about Linux to spread malware to it. Sigh. All these techbros that need to j their d to their power trips, dystopian surveillance, and shitty AI companies have probably started this. I even noticed a Linux hate sub on Lemmy. Imagine there being enough people forced to use Linux to create a hate community where they favor Microslop. Such strange times we live in.

OP is not a bot

To be clear, -Qm displays installed packages not currently in the repositories. This will include AUR packages, but I avoid the AUR (except for davmail years ago) every once in a while I’ll run it just to check and sometimes it finds packages.

When you install things from the main repos the dependencies get installed too, and if those dependencies are no longer needed they’ll be removed from the repositories. (I also have a bad habit of forgetting --asdeps when installing optional dependencies.) Sometimes they’ll conflict with a new dependency and pacman will ask to remove and replace them, but other times the functionality has become a part of an existing package, so with no conflict to prompt removal they’ll just sit unused on your install. If you haven’t tried -Qm in a long while you’ll probably find a few harmless currently-unused packages that were installed through the normal repos. (-Qdt will cover the other cases where dependencies remain in the repos but are now only needed for packages you don’t have installed.)

Obviously -Qm will also show removed packages that aren’t dependencies, a few years back my preferred pdf viewer was removed from the repositories.

-Qm will also find manually installed packages that aren’t in the AUR if you ever do that.

You can then search the list of compromised packages.

Or just uninstall all AUR packages, instead of waiting for your ones to appear on that list, and having to re-install your full system to ensure its integrity.

I had more aur packages than I thought but none in the list. Is this just known ones and there could be more?

And don’t forget that a system compromise means you need to re-install all in order to re-gain control of your system. Without the malware of course.

Edit: I see downvotes… Some people don’t seem to understand why running malware permanently destroys a system’s integrity. I do not have more time today - can somebody explain for me why?

Here are some scripts that can help too

(Edit: apparently i need to say to read and understand what these scripts are doing before running them. If you don’t understand what you’re running then don’t run them) https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14