this post was submitted on 16 Jun 2023
13 points (100.0% liked)

Arch Linux

8041 readers
1 users here now

The beloved lightweight distro

founded 5 years ago
MODERATORS
[email protected]
13
AUR is cool... but scary (lemmy.sdf.org)
submitted 2 years ago by [email protected] to c/[email protected]
11 comments fedilink hide all child comments
 

Last night while updating my system, I noticed that a random aur package my system depends on was orphaned in the aur. It's some random deep-down dependency of another AUR package, and it's not received any upstream commits in a while. Nice and stable, just needed an owner. I decided to adopt the package before someone else did.

It was kinda scary how simple it is to adopt an orphaned package. Create AUR account... click an email link... Done. If someone wanted to squat the package for malicious purposes, it would be stupidly simple.

I get that this is a problem for all community repos, not just AUR (npm, anyone?), but it's still an unsettling prospect. I feel like it goes unacknowledged some times.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 2 years ago

It's pretty clearly stated on the front page of aur.archlinux.org: "DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk."

Warnings about AUR packages being potentially dangerous have been around since the days of IRC. Scary, reason to take pause, but also not new.