
homebrewer, last Friday at 11:13 PM

Why would it be? AUR is user generated content by definition, you're expected to read and understand every package before using it, which is repeated in documentation ad nauseam. They're very, very explicit about this and that you're on your own when using AUR.

All decent AUR helpers (which Arch developers advise against using anyway) force you to read through the packaging script and confirm that you understand it and are fine with what's about to be executed.

It's no more of an issue than someone posting a malware script into e.g. the wiki. Much less obscure than malware in npm or anything like that.
Replies

akerl_, last Friday at 11:24 PM

This feels like a non sequitur.

Yes, the AUR is user-provided content. Yes, system administrators are responsible for being aware of what they’re installing. You can find many comments from me on this page discussing that.

An attacker being detected using an official service hosted by Archlinux for user-managed packages to push malware is still noteworthy.
