At this point, should newbies just stick to pacman + flatpak and avoid AUR?

Because I saw this today:

https://www.reddit.com/r/archlinux/comments/1me632m/is_this_another_aur_infect_package/

And if you read further in the comments, someone spotted another malicious upload to the AUR.

This is not the first time it’s been reported in the subreddits.

This is at least the 4th topic on these packages but I don’t think you need to avoid the AUR at all. You just need to use it properly.

Be sure to review the package before installing/updating. AUR helpers make reviewing the changes very easy and integrate it into the package install/update process.

Because the AUR makes everything fully transparent, it is, arguably, the safest community-owned repo around.

7 Likes

What did Reddit say non-newbies should do? :wink:

It’s not the first time there’s been something bad in the AUR.

And it’s not only new packages either: we had scenarios in the past of existing packages being picked up by a malicious maintainer.

Read. The. PKGBUILDs.

If you cannot or will not, then it’s not very different from going to random websites, downloading .exes and hoping for the best.

Indeed if one cannot rely on some source for inspecting the PKGBUILD (whether that be a partner, friend, or yourself) then it might be prudent to avoid software sources that do not have some implicit web of trust. Like only using those found in the repositories.

3 Likes

I have no idea about PKGBUILDs. Not sure if I’d see strange things at all…

1 Like

I understand :).

It has to do with patterns, verbosity, unusual things. I was more versed in how to read those things a year ago; it didn’t stick…

Not at all. I’ve been on EndeavourOS for less than a year and came to it with no prior Linux experience (zero programming experience too), and it wasn’t difficult for me to understand the risks of the AUR and how to read PKGBUILDs. If I saw some syntax or a script in a PKGBUILD that I didn’t understand, I looked it up to understand what it’s doing.

2 Likes

Newbies should stick to Ubuntu and Snaps :wink: Just kidding :enos: :enos_flag:

The thing is, a lot of users new to Arch don’t know how to properly use the AUR, and even if they look at the PKGBUILD review I’m not sure a newbie will know what to look for. So they would either need someone to explain it to them, or they need to read about it in the ArchWiki.

3 Likes

Thats_A_Fact1

4 Likes

I will keep an eye on that in the future.

At this point, should newbies just stick to pacman + flatpak and avoid AUR?

No. Education and due diligence are all that is required. :smiling_face_with_sunglasses:

2 Likes

Even in that case, at least go to https://aur.archlinux.org/packages and check the package:

  • What are the votes/popularity?
  • How long has the package been in the AUR?
  • How long has the submitter been registered?

Use common sense™, but be aware that the recent malware packages got 5+ fake upvotes too.

Best solution: Ask someone else/here.

2 Likes

Yeah, because there has never been malicious software in the snap store /s

3 Likes

That was the joke. :laughing:

I’d still use the AUR, but with more caution.

I typically advise (opinionated but with good results):

  • Set config flags for yay or paru so they show/edit the PKGBUILD (if you use an AUR helper at all).
  • Try pacman first.
  • If using an AUR helper instead, at least prefer the packages from the official repos.
  • Check the AUR page and the PKGBUILD. If you’re unsure, ask someone knowledgeable. NOT YouTube or random forums.
  • Avoid Flatpaks (usually don’t even install support for them). There might be a few exceptions.
  • Avoid Snaps like the devil. Never even install support for them.
  • Since we get almost everything from the repos (and AUR), there should seldom be the need for an AppImage. There might be a few exceptions; the same precautions apply.

1 Like

In some cases I prefer using a verified Flatpak over an AUR PKGBUILD because some Flatpaks seem to be better maintained. One example of this is Plex-desktop: the PKGBUILD has broken on me many times over the years, so nowadays I just stick to the Flatpak. In other cases the Flatpak is actually the first recommended way to use the application, so sometimes I decide to use that instead of the AUR PKGBUILD. For me it depends per application, on how much I actually use it and what it does.

1 Like

Yup, there surely are exceptions, and sometimes the repo or AUR packages are outdated or not well maintained. Or you really need a new feature that hasn’t yet “trickled down” into the repos or the AUR.

I just advise against “blindly” preferring Flatpak over everything else, since a) they’re huge, and b) sometimes can’t interact with the rest of the system as well as a native package.

For some packages I don’t care if they interact well with the rest of the system. For example since I’m already using Plex-desktop as a Flatpak, I’m also using the Jellyfin Flatpak since I don’t use them much, but when it comes to a chat application like ZapZap I prefer to use one that is installed natively so I use the AUR PKGBUILD for that.

Do I have to check every package that gets updated? That is so time-consuming.

If it’s from the AUR, it’s good practice to at least go over the diffs. Takes about a minute for the few I have installed.

1 Like