this post was submitted on 16 Jun 2026
180 points (98.9% liked)

Linux


A community for everything relating to the GNU/Linux operating system (except the memes!)

[–] KssioAug@lemmy.dbzer0.com 1 points 2 days ago* (last edited 2 days ago) (3 children)

Hahahahaha they also come in Debian .deb and Fedora .rpm packages. That’s why I never got this problem with my hardware on Ubuntu or Debian.

That is exactly why the AUR exists. To repackage that vendor's .deb into something Arch can safely manage. This makes Arch's support for 3rd-party apps almost unbeatable.

And you’re right: PPAs are not the same… in this regard they’re actually worse. AUR is at least in plain text and the documentation is clear: always check the PKGBUILD. When you add PPAs you’re blindly trusting a 3rd-party repository and updating them with sudo.

You can’t burn the whole thing down just because, in your own words, “people are stupid”. They either read the documentation and follow the security policies, or they stick with Arch and Flathub. Or, they can simply choose a different distro. It’s that simple.

The thing is, I agree that AUR could have some sort of protection, such as rate-limiting or a reputation system. But even as is, AUR is still an excellent feature that should definitely be maintained. And people, especially those using Linux, should definitely educate themselves instead of relying exclusively on strangers for all their digital security.

Edited for extra clarification.

[–] ZombieCyborgFromOuterSpace@lemmy.ca -2 points 2 days ago (2 children)

You completely missed the point.

Debian or Fedora don't need an AUR because vendors provide the packages themselves. And you know where they're coming from. You have the largest collection of software packages available, plus the 3rd party official packages available to download.

As for the PPAs, they're often provided by the software distributor themselves. Like Proton, or Wine. Most of the time you know who's providing the PPA. Ubuntu also keeps a close watch over these and will act if a malicious PPA is found. It won't take a lot of time before the PPA is taken down to prevent the spread. So it's relatively safer than a free-for-all repo where everybody is contributing and unmaintained packages get taken over. So, no. PPAs are not more dangerous than AUR.

[–] KssioAug@lemmy.dbzer0.com 2 points 2 days ago (1 children)

I didn't.

Saying that Debian and Fedora don't need an AUR because vendors provide packages, implying these distros are practically immune to third-party malware, is totally false. Fedora has COPR, openSUSE has OBS, and Ubuntu/Debian rely heavily on PPAs and random deb downloads from websites. See xz-utils: https://en.wikipedia.org/wiki/XZ_Utils_backdoor

Most FOSS developers do NOT have the time or infrastructure to package for every distro. They provide source code on GitHub. The AUR exists to translate that source (or a vendor's deb) into a native Arch package. Furthermore, downloading a random deb from a vendor's obscure website and installing it with dpkg (which runs pre-install scripts as root) is arguably less safe than a PKGBUILD that downloads the exact same binary from the vendor's official mirror, unpacks it, and lets you read exactly what it does before you run it.

Your conception of PPAs is riddled with misconceptions. Absolutely anyone can create a PPA. Canonical does not verify the identity of the uploader beyond email confirmation. Launchpad is flooded with unofficial, community-maintained PPAs that are no more "official" than an AUR maintainer.

Also, Ubuntu does NOT proactively audit the source code or binaries inside PPAs. They take a PPA down after it has been reported and confirmed malicious, exactly the same as the Arch maintainers do with the AUR.

A PKGBUILD is a plain-text shell script. You can read the exact source URL, the compilation flags, and the install commands. A PPA provides a pre-compiled binary file. You have pretty much zero idea what is inside that binary. Blindly giving sudo access to a binary PPA is objectively more dangerous than auditing a 20-line bash script that compiles source code before running.
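The comment above says to read the PKGBUILD before running makepkg. As an added example (not code from the thread or from any Arch project), the script below does the mechanical part of that read over a constructed PKGBUILD: it lists sources fetched without TLS, checksums set to SKIP, network fetches inside the build functions (everything should arrive via the source= array so makepkg can verify it), and any sudo/doas/su call (makepkg runs unprivileged; pacman does the install). The package name, URLs and the placeholder hash are all made up.

```shell
#!/bin/sh
# Added example: a pre-makepkg audit of a PKGBUILD. Not from the thread;
# the package name, URLs and hash below are constructed for illustration.

# A "bad" PKGBUILD: plain-http source, no checksum, and a curl|sh inside package().
SAMPLE_PKGBUILD='pkgname=examplevendor-app-bin
pkgver=1.2.3
pkgrel=1
arch=("x86_64")
source=("http://downloads.example.invalid/app_${pkgver}_amd64.deb")
sha256sums=("SKIP")

package() {
  bsdtar -xf "$srcdir/data.tar.xz" -C "$pkgdir"
  curl -fsSL https://downloads.example.invalid/post-install.sh | sh
}'

# The same package done properly: https source, pinned hash (placeholder value),
# and package() only moves files that makepkg already downloaded and verified.
CLEAN_PKGBUILD='pkgname=examplevendor-app-bin
pkgver=1.2.3
pkgrel=1
arch=("x86_64")
source=("https://downloads.example.invalid/app_${pkgver}_amd64.deb")
sha256sums=("0000000000000000000000000000000000000000000000000000000000000000")

package() {
  bsdtar -xf "$srcdir/data.tar.xz" -C "$pkgdir"
  install -Dm644 "$srcdir/LICENSE" "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
}'

# pkgbuild_findings PKGBUILD_TEXT: print one finding per line (empty output = clean).
pkgbuild_findings() {
  pb="$1"
  # 1. any URL that is not https:// or git+https:// (tampering in transit)
  printf '%s\n' "$pb" \
    | grep -oE '[a-z+]+://[^"[:space:])]+' \
    | grep -vE '^(https|git\+https)://' \
    | sed 's/^/insecure-url: /'
  # 2. checksum verification disabled for a source
  printf '%s\n' "$pb" \
    | grep -nE '(^|[^[:alnum:]_])SKIP([^[:alnum:]_]|$)' \
    | sed 's/^/checksum-skipped: line /'
  # 3. network access inside prepare/build/package (bypasses source= verification)
  printf '%s\n' "$pb" \
    | grep -nE '(^|[^[:alnum:]_])(curl|wget|git clone)([^[:alnum:]_]|$)' \
    | sed 's/^/fetch-in-function: line /'
  # 4. privilege escalation; makepkg must never need root
  printf '%s\n' "$pb" \
    | grep -nE '(^|[^[:alnum:]_])(sudo|doas|su)([^[:alnum:]_]|$)' \
    | sed 's/^/privilege-escalation: line /'
}

# audit_pkgbuild PKGBUILD_TEXT: exit 0 if no findings, 1 otherwise.
audit_pkgbuild() {
  n=$(pkgbuild_findings "$1" | wc -l | tr -d ' ')
  [ "$n" -eq 0 ]
}

for pb in "$SAMPLE_PKGBUILD" "$CLEAN_PKGBUILD"; do
  pkgbuild_findings "$pb"
  if audit_pkgbuild "$pb"; then
    echo "clean: ok to makepkg"
  else
    echo "findings present: read the whole file before building"
  fi
done
```

The grep patterns are deliberately coarse; a hit means "look here", not "malicious". The real check is still reading what package() does with $pkgdir, and in a real workflow the script runs on the file makepkg will use (for example `pkgbuild_findings "$(cat PKGBUILD)"`), not on text pasted into a variable as it is here.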

There have been approximately 1000 infected packages in the AUR on Arch. And that's just in the latest incident, because that's not even the only incident.

Now tell me how many times this has happened with PPAs? Or COPR or OBS?

Also, I'm very aware of the xz-utils exploit that happened last year. And do you know what distros were affected? Beta and testing versions of Fedora and Debian, which are not the most widely used versions of these distros. They are not meant for the public, but for developers and testers. However, the latest stable Arch was affected. Here's the source.

There's no comparison between this AUR event and the xz-utils backdoor problem that was resolved nearly immediately and hasn't happened again. Meanwhile the AUR keeps getting infected and, like I mentioned, there have been several occurrences of this.

Ubuntu relies on the community to be notified of problematic PPAs, and these are resolved swiftly. I cannot recall the last time there was an incident with a PPA because they are so rare. So, again, there is no comparison to make.

And who reads the PKGBUILD scripts??? Most users don't bother. And that's the problem.

I've been using Linux for 26 years and have even worked for a distro myself. Arch is a great Linux distro if you want to build a lean distro with bleeding edge shit. But, it's vulnerable to vulnerabilities due to it being too bleeding edge with little oversight and malware through the AUR. If you want to use this, then by all means, go ahead.

But my gripe is with this, and other communities, where people are pitching Arch or Arch-based distros to nearly everybody as the de-facto go-to, especially if you're into gaming. And I have a problem with that. I also have a problem with its users that will blindly defend this distro and outright refuse to see the problems, like it's some kind of cult.