the AUR is mostly the same as downloading and running random exes on windows. you should avoid it, make it as manual as possible (forcing you to double check what's happening) and be able to review the installer/package or trust someone who can vouch for its safety

[–] Bananskal@nord.pub 3 points 2 days ago* (last edited 2 days ago) (2 children)

paru shows you the PKGBUILD diffs on upgrade, so you can review then and deny upgrades.

But realistically I am not going to go into the code itself on my installed packages to check for malware or other types of attacks. That's too time consuming for my risk level, and requires more knowledge than can be expected, to be honest.

Edit: but maybe you're talking about when first installing a package? Come to think of it, I'm not sure it shows the PKGBUILD at that point. 🤔

[–] nlgranger@lemmy.world 2 points 2 days ago (1 children)

It does, the diff shows the full files.

[–] Bananskal@nord.pub 1 points 1 day ago

Ah right, perfect. Thanks!

[–] iltg@sh.itjust.works 1 points 1 day ago (1 children)

the diff is noise in the potentially big update log. the point of doing it manually is forcing you to take your time and verify stuff one by one. also pkgbuild is just one place, seeing the hash changed means nothing if you don't check what that archive contains, or seeing the install steps don't change mean very little when the installer invokes other scripts anyway

i understand that you aren't going to vet the source itself, but at that point you are exposing yourself to this kind of malware without mitigation. the aur is unsafe by design (fast way to publish a package without any involvement from anyone else) and should be avoided whenever possible. im not an arch hater, i too run arch

[–] Bananskal@nord.pub 1 points 1 day ago

the diff is noise in the potentially big update log. the point of doing it manually is forcing you to take your time and verify stuff one by one.

I guess it depends on your discipline. If I'm already so inclined that I'd go to the lengths of forcing myself to check each package "manually", I'm also going to be so disciplined to check each diff when paru pauses the upgrade process for me to do so. It's the same thing for me.

also pkgbuild is just one place, seeing the hash changed means nothing if you don't check what that archive contains, or seeing the install steps don't change mean very little when the installer invokes other scripts anyway

Yup, and as I said, that's where I draw the line with my trust and my threat level. I don't have a lot of important data.

i understand that you aren't going to vet the source itself, but at that point you are exposing yourself to this kind of malware without mitigation. the aur is unsafe by design (fast way to publish a package without any involvement from anyone else) and should be avoided whenever possible. im not an arch hater, i too run arch

Yup, I'm aware of the risks I'm taking. 🙂 That's the important part to me. I really don't have time to vet sources with two small kids and a full-time job, and hobbies and exercise every week. It's impossible, and a sacrifice I'm willing and forced to make if I want some life balance. Quite a simple choice.