this post was submitted on 22 Jun 2026
41 points (100.0% liked)

Linux

14189 readers
580 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] ZombieCyborgFromOuterSpace@piefed.ca 8 points 1 week ago (3 children)

Thank you for explaining the differences. I've had several heated arguments with several users on this community where they tried to compare the AUR with these other solutions you mentioned. There's a big difference between them. Namely regarding who controls the user repos. You explained the differences very well and I hope others understand better now just how AUR is dangerous and how this is negatively affecting the reputation of Arch and Linux in general with the wider public.

It really should be shut down for Arch's sake. If people want to provide a package with certain modifications, just let users get it off your git repo and build it themselves with the proper instructions. It's not that much safer, but just enough that it should prevent this kind of widespread problem.

[–] stuner@lemmy.world 13 points 1 week ago (1 children)

It really should be shut down for Arch’s sake.

I think it should really be split into two parts:

  1. The more widely used packages should be moved to an official repository with review procedures. Perhaps the (quality) requirements can be lower, but these must be reviewed by trusted people.
  2. The remaining packages should be moved to user namespaces, like the other user-package repos do. That will at least prevent (most) takeover attacks.

@jpv2390@discuss.tchncs.de just below your comment, quoted the Arch wiki on the original purpose of the AUR.

The AUR was created to organize and share new packages from the community and to help expedite popular packages’ inclusion into the extra repository.

Source

Thanks @jpv2390@discuss.tchncs.de

[–] supersquirrel@sopuli.xyz 4 points 1 week ago

annoying note - for the record I quoted this from the article, I didn't write this.

I agree with you though, that is the exact reason I quoted that section because it clarified things for me!

[–] jpv2390@discuss.tchncs.de 3 points 1 week ago

If people want to provide a package with certain modifications, just let users get it off your git repo and build it themselves with the proper instructions. It's not that much safer, but just enough that it should prevent this kind of widespread problem.

That's already the recommended path.

It really should be shut down for Arch's sake.

A long time ago I chose openSuSE over arch because of (among other) me being concerned with the lax use of the AUR by the community. One should just be somewhat mindful of what that thing is -- it is pretty much the equivalent of clicking links on the web to download software for Windows. I think it should be used for what it was supposed to be.

The AUR was created to organize and share new packages from the community and to help expedite popular packages' inclusion into the extra repository.

Maybe arch should adopt something akin to open build service and openqa to more quickly grow the extra repository which then can be monitored better?