this post was submitted on 15 Jun 2026
703 points (97.8% liked)

linuxmemes

31971 readers
423 users here now

Hint: :q!


Sister communities:


Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack users for any reason. This includes using blanket terms, like "every user of thing".
  • Don't get baited into back-and-forth insults. We are not animals.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn, no politics, no trolling or ragebaiting.
  • Don't come looking for advice, this is not the right community.
  • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.
  • 5. ๐Ÿ‡ฌ๐Ÿ‡ง Language/ัะทั‹ะบ/Sprache
  • This is primarily an English-speaking community. ๐Ÿ‡ฌ๐Ÿ‡ง๐Ÿ‡ฆ๐Ÿ‡บ๐Ÿ‡บ๐Ÿ‡ธ
  • Comments written in other languages are allowed.
  • The substance of a post should be comprehensible for people who only speak English.
  • Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.
  • 6. (NEW!) Regarding public figuresWe all have our opinions, and certain public figures can be divisive. Keep in mind that this is a community for memes and light-hearted fun, not for airing grievances or leveling accusations.
  • Keep discussions polite and free of disparagement.
  • We are never in possession of all of the facts. Defamatory comments will not be tolerated.
  • Discussions that get too heated will be locked and offending comments removed.
  • ย 

    Please report posts and comments that break these rules!


    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.

    founded 3 years ago
    MODERATORS
     
    top 50 comments
    sorted by: hot top controversial new old
    [โ€“] thagoat@lemmy.dbzer0.com 126 points 2 weeks ago (2 children)

    Never trust an NPM library

    [โ€“] redsand@infosec.pub 24 points 2 weeks ago (1 children)
    [โ€“] HeHoXa@lemmy.zip 17 points 2 weeks ago* (last edited 2 weeks ago)

    ... technical name for glory hole

    OR

    Your mom's a fuck node

    [โ€“] rozodru@piefed.world 12 points 2 weeks ago

    bu-but so many libraries need funding!

    [โ€“] DmMacniel@feddit.org 97 points 2 weeks ago* (last edited 2 weeks ago) (4 children)

    Linux Users: haha those silly windows users, always searching the web for their software and getting viruses.
    Linux Users: oh no I got malware by searching the AUR!

    [โ€“] panda_abyss@lemmy.ca 47 points 2 weeks ago (1 children)

    Donโ€™t worry, I found a package on npm to help!

    [โ€“] rtxn@lemmy.world 42 points 2 weeks ago* (last edited 2 weeks ago) (3 children)

    The AUR is still safer. One, it is at least minimally moderated. If a malicious package is detected, it can be reported and removed. Two, the installer is usually not just a black box executable. Three, most of the build and runtime dependencies are from the official Arch repos, which provides some protection against supply chain attacks. For Windows installers, you have to trust the distributor to bundle clean DLLs (for that matter, the same applies to AppImages).

    But if it starts downloading anything from NPM... ^C and run.

    [โ€“] 30p87@feddit.org 22 points 2 weeks ago (9 children)

    The most unsafe factor of the AUR is aur helpers and their goal to dumb everything down and streamline the process as if the AUR where an official repo

    [โ€“] arschflugkoerper@feddit.org 8 points 2 weeks ago

    Ye my reaction to this was basically uninstalling yay to force me to do it manually

    load more comments (8 replies)
    load more comments (2 replies)
    [โ€“] 30p87@feddit.org 9 points 2 weeks ago

    By misusing the AUR and ignoring every warning telling you to read and understand the pkgbuild or don't do it.

    load more comments (1 replies)
    [โ€“] Crashumbc@lemmy.world 81 points 2 weeks ago (3 children)

    The more popular Linux becomes, the less true this will be.

    [โ€“] nsh@lemmy.nz 12 points 2 weeks ago

    Avoid success at all costs - Simon Peyton Jones

    [โ€“] placebo@lemmy.zip 10 points 2 weeks ago

    Tbf most major attacks we saw recently are cross-platform thanks to npm. AUR has always been a security risk.

    load more comments (1 replies)
    [โ€“] mintiefresh@piefed.ca 59 points 2 weeks ago

    btw, I use malware

    [โ€“] yesman@lemmy.world 54 points 2 weeks ago (2 children)

    Microslop is nervous now that Linux is popular enough to attack.

    [โ€“] CubitOom@infosec.pub 45 points 2 weeks ago (2 children)

    Linux has always been the bigger target. Even microslop uses linux for its severs.

    [โ€“] four@lemmy.zip 27 points 2 weeks ago (1 children)

    I'm gonna assume that their servers are not installing stuff from AUR though

    [โ€“] Goodlucksil@lemmy.dbzer0.com 13 points 2 weeks ago

    I would hope so too

    load more comments (1 replies)
    load more comments (1 replies)
    [โ€“] Bishma@discuss.tchncs.de 49 points 2 weeks ago* (last edited 2 weeks ago) (8 children)

    I don't use Arch, BTW. So the biggest NPM threat vector on my machine is still VSCode.

    load more comments (8 replies)
    [โ€“] istdaslol@feddit.org 43 points 2 weeks ago (1 children)

    Inverted security by obscurity

    [โ€“] ladicius@lemmy.world 18 points 2 weeks ago (1 children)
    [โ€“] squirrel@cake.kobel.fyi 9 points 2 weeks ago (1 children)
    [โ€“] spicehoarder@lemmy.zip 13 points 2 weeks ago

    Obituary by Sorcery

    [โ€“] CubitOom@infosec.pub 33 points 2 weeks ago* (last edited 2 weeks ago) (15 children)

    I avoid ~~orphaned~~ unmaintained packages and I wait a few days before I type yay

    [โ€“] fonix232@fedia.io 12 points 2 weeks ago

    You're no fun

    load more comments (14 replies)
    [โ€“] dingleberrylover@lemmy.world 29 points 2 weeks ago (3 children)

    I never had any issues on TempleOS.

    [โ€“] addie@feddit.uk 26 points 2 weeks ago (2 children)

    Zero remote exploits since it was released. That's what divinely-inspired coding looks like, everyone.

    [โ€“] Hypocrite9554@lemmy.world 11 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

    Out of curiosity, is that actually true? Surely our lord and saviour must have made a tiny slip-up

    Edit: Apparently TempleOS doesn't have networking

    [โ€“] Rooster326@programming.dev 11 points 2 weeks ago* (last edited 2 weeks ago)

    It is networked >!to Gฬทอ€ฬƒฬŽฬŒฬ—ฬ™อšฬฅอ“ฬผฬ ฬฉอ™oฬทฬฬ…อ„อŠฬŒอ€ฬอŒฬฝอˆฬญฬชฬฎฬอšฬจฬŸฬนฬญฬคอ‡อ•ฬชฬขdฬทฬ‚ฬฝฬ”ฬšฬพอ ฬ“ฬ‹อ˜ฬฎอ•อ‰ฬฅฬก!<

    load more comments (1 replies)
    [โ€“] oce@jlai.lu 8 points 2 weeks ago

    My OS is a temple. ๐Ÿง˜

    load more comments (1 replies)
    [โ€“] Honytawk@discuss.tchncs.de 25 points 2 weeks ago (1 children)

    And you believe that makes you safe?

    Shit like this is a blemish on the Linux community.

    load more comments (1 replies)
    [โ€“] Don_alForno@feddit.org 18 points 2 weeks ago

    Also, an ad blocker.

    [โ€“] OutOfBoundsJupiter@sh.itjust.works 18 points 2 weeks ago (6 children)

    ClamAV users, how's it going?

    load more comments (6 replies)
    [โ€“] ornery_chemist@mander.xyz 15 points 2 weeks ago (8 children)

    I was on arch as a vestige from my school days, having never quite found the time to switch to something more stable. When I saw the news over the weekend, I checked and found 1 would-be-infected package on my machine that was thankfully months out of date. I'm well past the point of wanting to examine PKGBUILDs every time (hence the out of date package). But, instead of just removing AUR packages and sticking to arch repos, I decided to sweep up the technical debt by wiping and installing Fedora. I'm liking it so far, minus the absolute pain in the ass that is Nvidia on Linux. Fuck academics and their insistence on writing everything targeting CUDA; otherwise, I'd have saved a good bit of money a few years ago with a much more compatible AMD card.

    load more comments (8 replies)
    [โ€“] HisAssholiness@lemmy.ml 14 points 2 weeks ago (1 children)

    Arch users just randomly dropping "I use Arch btw" everywhere, it was only a matter of time.

    load more comments (1 replies)
    [โ€“] Ghoelian@piefed.social 12 points 2 weeks ago (2 children)

    So what are good antivirus options for Linux? is it still pretty much just ClamAV?

    [โ€“] Johanno@lemmy.dbzer0.com 11 points 2 weeks ago (5 children)

    Our company uses eset https://www.eset.com/us/home/antivirus/

    But afaik it costs money to really work.

    But your brain should be the best antivirus you have.

    [โ€“] pressanykeynow@lemmy.world 22 points 2 weeks ago

    But your brain should be the best antivirus you have.

    Is there an AUR package for it? seems not in the official repo

    [โ€“] placebo@lemmy.zip 8 points 2 weeks ago* (last edited 2 weeks ago)

    But your brain should be the best antivirus you have.

    It's useful to use brain, but any security layer has holes which is why it's good to have several layers. Some attacks might be way beyond user's understanding or come from trusted sources.

    load more comments (3 replies)
    [โ€“] Ghoelian@piefed.social 9 points 2 weeks ago (6 children)

    one thread I found from 2 years ago where someone asked for the same thing, a lot of the replies are just "you don't need antivirus on Linux" lmao

    load more comments (6 replies)
    [โ€“] altphoto@lemmy.today 12 points 2 weeks ago

    With the old package managers safety was simple...trust the developers, user their packages. 10000 downloads? Easy! 1 download.... ๐Ÿค” Maybe skip for now.

    Now with executables like mac and Windows it's easier to sneak something in. You still rely on trust. But now you've got AI in the game mudding the waters.

    It was certainly a weekend.

    [โ€“] MasterNerd@lemmy.zip 11 points 2 weeks ago

    Yeah I'm pretty glad that I've been behind in upgrading my aur packages recently.

    [โ€“] gerryflap@feddit.nl 10 points 2 weeks ago (2 children)

    I learnt a lesson yeah. It looks like I got away, there's no rootkit, I found nothing weird running, I don't have npm Installed, and up until now it doesn't seem like the packages I had installed were compromised. But I had way more AUR packages installed than I was aware of. And I was just updating them without really caring about the pkgbuild, I have better things to do. Multiple packages were outdated crap that shouldn't have been there anymore.

    I was careless and took too much risk. I reduced the Installed AUR packages to a minimum, and from now on I will verify the PKGBUILDs on every update. Maybe Arch isn't really what I need. I'm on the LTS kernel and I no longer really use the AUR. But switching will be a huge hassle and this setup will work well from here on out, so I'll stick to it for now

    load more comments (2 replies)
    [โ€“] spicehoarder@lemmy.zip 9 points 2 weeks ago

    Everyone knows if you use Kali you're immune to malware

    [โ€“] Shanmugha@lemmy.world 8 points 2 weeks ago

    I am at "no fucking yays and the bunch, check the package create/update dates, read PKGBUILD, only update when necessary". Has served me well so far

    load more comments
    view more: next โ€บ