this post was submitted on 05 Aug 2024
455 points (94.0% liked)
Linux
48332 readers
819 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Any major Linux distribution has a system for building packages, it's not something special to Arch. In fact, Arch's great advantage of the aur repository actually becomes a disadvantage by introducing instability and insecurity into your system when you add programs from that repository. It's amazing that people criticize Windows security with .exe's and then install packages from external repositories with the security of "trust in the repository". How can you trust code with root access to the system just because it's in the aur repository? That's the main question I would ask Arch users.
It's a choice. We know that it's riskier to use stuff from AUR. Which is why it's highly recommended to read the PKGBUILD before installing the package. The basic Arch install doesn't even include an AUR helper. That said, AUR is typically very reliable for packages with a decent userbase. It's mostly due to the community aspect. Bad actors are caught relatively easily as the PKGBUILD is available to look at.
I have built packages for all the major ones. Non arch packages are a pain to build and I never want to do it again. In contrast arch PKGBUILDs are quite simple and straight forward.
Because you can view the source that builds the packages before building them. A quick check to not see any weird commands in the builds script and that it is going to an upstream repo is normally good enough. Though I bet most people work on the if others trust it then so do I mentality. Overall due to its relative popularity it is not a big target for threats when compared to things like NPM - which loads of people trust blindly as well and typically on vastly more important machines and servers.
As with almost every case of these sorts of comparisons, these are likely separate groups of people holding separate groups of opinions.
I don't use Arch anymore, but when I did I found that the AUR was really useful to quickly install niche applications that would take ages to be approved on to an official repository. Often those would be made by the application developers themselves or members of the community. I would personally vet the packaging script myself, but I'm sure many wouldn't - and that's fine. As with most software, there's some trust involved and often you assume that if you're installing from a reputable repository it's going to be fine. If people aren't vetting the installation scripts and are installing from random repositories, that's really their problem. I'm glad the possibility existed and it's the one thing I've missed in distros I've used since then.
Well there is far less malware on Linux tbf so comparison is not completely accurate. But same caution applies, try to vet and understand what you install. That part is also easier with the AUR as it's transparent in the packagebuild what it does unlike random exes with closed source. It's also a large community with many eyes on the code so unless it's a package with few users then it's gonna get caught pretty quickly.
That is, you admit that most aur users delegate that function to other eyes instead of auditing the external code they are installing. A user repository outside of the official distribution repository is not a secure means of installing packages on the system, which may have root access to the system and the source code may change with each package update. Do you think that every time there is an update to a package that is not widely used, others will audit the source code for you? For that reason I stopped using Aur and by extension Arch, as their software catalog outside of aur is small.
Your comparison was with random exes on the most targeted, malware infested operating system out there.
Many eyes are always better than no eyes. I'm not saying you shouldn't vet the code stop misinterpreting but no one knows or catches everything by themselves. That's why security needs transparency. If it's as insecure as you're saying we would have way bigger problems but we don't. AUR is not as safe as the Arch repository sure, but definitely safer than installing random exes on Windows. It's a flawed comparison you're making.
If you're paranoid you should be on an immutable distro cause xz backdoor was in some official repos. Repo maintainers do not catch everything either it was just a mere coincidence someone caught it(again thanks to transparency & many eyes on code) before mass deployment. Installing anything with root access is a risk. Going online is a risk. But there are ways to mitigate risk. Some security you're always gonna have to trade for convenience.
That's a common misconception. Linux is the most popular OS for servers. There are a lot of malware for Linux, probably even more than for Windows.
I think you're missing the context. We're not talking servers here but desktops. Arch is typically used on desktop systems. The threats that face desktops and servers are not the same. Same goes for risk and potential damage. Also please provide a source if you're trying to debunk "common misconception".
Not sure if sarcasm or actual disinformation. You're not supposed to trust the aur, that's kinda the whole point of it. The build scripts are transparent enough to allow users to manage their own risk, and at no point does building a package require root access.