alt Hacker NewsThere's always been this security theater of people recommending arch because they "don't trust the companies" or Canonical or what have you but frankly I'm surprised this hasn't happened sooner. Well or maybe it has and we don't know.
Running random binaries on your computer uploaded by some anonymous dude has to be the equivalent of buying heart medicine on craigslist. And because Arch is so barebones to begin with the AUR is very popular, you see a lot of arch users using it.
Replies
How exactly is Arch barebones? It basically ships with everything I need, more than most distros (Zed and Discord are good examples). I don't even need to use the AUR.
Arch bugfix time is usually within 24 hours.
Not a single enterprise distro even reacts within that timeframe. OVAL advisories are weeks, sometimes months later.
As long as you don't have a virtualization approach similar to QubesOS, any linux distro will not fix this problem. Because that's not how separation of concerns works in the POSIX system. You need to have separate users for each and every program to isolate them, and that is practically unfeasible.
I agree, it's much better in Ubuntu land where you simply won't have the software at all, will shrug your shoulders and go on with your life.
AUR helpers make reviewing changes to AUR packages a trivial matter that takes about 2 minutes of my life per month. In exchange I get easy access to software that isn't packaged for Ubuntu and probably never will be, because building debs and going through the process of upstreaming them is roughly comparable to getting a PhD (if anyone is even interested in your debs, which they probably won't be).