Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (…)
Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.
Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.
Maybe, just maybe, and nearly unmoderated repository where everybody can create packages, is not so secure after all? /s
And AUR is the reason I keep arch miles away from any of my systems.
Nobody ever says the AUR is safe. In fact they say specifically that it’s not; for exactly the reasons you mention.
That’s why it’s the Arch USER Repository. You take your fate in your own hands when you choose to use it.
As for your comment about using a distro that has everything in the main repo? How so? Every flavour has software that isn’t included in the main repos. For Arch based systems, that means either the AUR or Flatpaks. For Debian based systems, that means adding new repos to your sources, which is exactly as unsafe as the AUR in most cases, or using Flatpaks.
If you’ve ever added a repo on Ubuntu, than you’ve essentially used their version of an AUR. The end result is no different.
You do have the choice to simply not use the AUR. Has nothing to do with using Arch or not.
And no one has ever claimed the AUR to be safe.
yeah, it’s essentially, you want software that’s no the official repo go there.
True, I also have a choice to use a distro that delivers the software I need in the main repo.
Or you coukd just use Arch without installing an AUR helper?
And then, where get I 70% of my packages I need? For example a useful browser like brave? Yeah …
same way you get packages anywhere else
Anywhere else, I just need the package from the brave project or their repo. I trust the brave project, I do not trust the AUR for reasons.
There is an install script for linux front and center on the page (classic curl into sh). For other distros, they’re having you add their own repository and install from that. Just as sketchy.
It’s unwise to trust Brave, anyway.
Flatpak exists
https://flathub.org/en/apps/com.brave.Browser