this post was submitted on 16 Jun 2026
180 points (98.9% liked)
In control of installing malware?
I get what you mean, but people are stupid. There needs to be guardrails to prevent these things from happening. That's why the AUR is a bad idea and it should be shut down.
You want your software to be available for a distro? Go through the proper channels. Submit it for review and get it approved. If you stop maintaining it, they remove it. Plain and simple.
That's why you don't have this problem with other distros. Arch made it too easy to download and install unverified, untested, potentially malicious software through the AUR and now every idiot that thinks they know what they're doing is infecting their systems.
Arch USER Repository. Use the official repositories if it's a concern.
AUR is not unique in being a user repository, but it seems somewhat unique in having basically zero oversight. Which is a bad idea for reasons that should be painfully obvious by now.
For comparison, Gentoo's GURU repository allows everyone to submit packages, but limits the ability to accept these submissions to a subset of trusted users.
GURU bills itself as an official repository that's user-maintained. AUR makes no claims of being official as far as I can see from their website.
The AUR domain is aur.archlinux.org and it is linked from the menu-bar on archlinux.org. If AUR is not official, then Arch sure is sending mixed signals to its users.
Absolutely 100%.
Not to mention it's in most of the solutions to every problem Arch users face.
It's officially centrally hosting the non-pre-moderated non-official user contributed build-scripts, where "user" means literally anyone.
I'm not sure what argument you're trying to "win", and to what end. Or why do you think anyone would care about the manufactured confusion you're trying to concoct.
With a nice, big disclaimer.
Which is not much different from the disclaimer about GURU, though GURU does a much better job at explaining the risks involved in using it: