So, in light of the whole Arch AUR mess, I’m trying to clean out underused/unused AUR applications. I’ve already removed Chaotic AUR and Chaotic AUR-specific installs (such as the CachyOS kernel).
─❯ paclist chaotic-aur
error: repository "chaotic-aur" was not found.
─❯
Now, I need to decide how to handle AUR apps I regularly use: AppImage or Flatpak. Some, I’d prefer to stay as-is. And, believe it or not, I’ve removed 12 applications I rarely use or installed to test and forgot about.
Some of the packages listed I’m sure are dependencies for other applications, so I don’t want to mess anything up. Example: dwarfs-bin is a dependency for Gear Lever.
I think it’s a good idea to clean out unused packages from time to time. I wouldn’t just go replacing apps with other versions that will also eventually be compromised as more and more bad actors infuse with A.I. All package formats are subject to malicious attacks. The best thing to do is to use only those apps you need and to make sure to check for suspicious activity of apps before using them.
I’ll share what I did. All the ones that I could get as verified flatpaks I installed from Flathub, which were Teams, ZapZap, ProtonPlus, AdwSteamGTK and Jellyfin Desktop. For LM Studio there isn’t one but there’s an official AppImage, so I got it there and created a desktop file for it. For Heroic I download the tarball from their GitHub repo, which contains a binary, and also create a desktop file for it. For Noctalia I cloned their GitHub repo and I just pull to check for updates and then rebuild the sources since I can’t live without Noctalia and my Niri setup.
There was some stuff I had installed from the AUR which I didn’t find important enough so I got rid of it: apparmor.d-git (also removed apparmor), linux-cachyos, downgrade, coolercontrol, coolercontrold, ytmdesktop-git and ventoy-bin. For ytmdesktop I am now using a Chromium webapp and if I need Ventoy again I can just get it from the source as well since they have Linux support.
So basically in short I got rid of anything I don’t find important enough or rarely use, and got verified flatpaks for apps that I can get from Flathub, except something like a game launcher as that gives less performance. Then for the other things that I can’t get verified flatpaks for, straight from the source. Now I have no need for the AUR.
Well I tried two steam games and didn’t notice any effect after removal, but your mileage may vary. I posted (if you saw) a thread with uncertainty today too.
If I didn’t pass 3 AUR tests with flying colors I might be considering this, too. Could you imagine running librewolf with a flatpak though? I can’t either.
When the AUR comes to resemble Full Metal Jacket then it’s time to go..
..I think your idea to haul out the old/unused is a good one.
It’s a great question and possibly a matter of gut instinct or stupid phobias which may be the same thing. I mean the guy/girl that maintains the -bin version is on top of updating and rebuilds all the time. They are not slack. It feels right and performs right. I don’t know if I could translate the comfortability to the flatpak.
For that reason I would describe Ungoogled this way too.
Except I stopped using it when I found Trivalent in the AUR. That is my Chrome right now.
Mullvad Browser is so stripped down and locked down the experiences (AUR/Flatpak) are identical.
Conversely the AUR epsonscan2 can never see my scanner but the flatpak can so now we are talking functionality and not just preference. Had problems with AUR Zoom as well, so flatpak is fine.
For me, the thing I wanted to do the most was remove npm. Since this killed my neovim setup (plugins), I switched back to code. Not ideal, but it’s one less thing to worry about.
Well, I was about to open a thread to figure out what to do.
I have several AUR packages on EOS and Arch, but so far I haven’t noticed any strange behavior.
But I’d like to know how to check whether the AUR packages I have are “healthy” or contain malicious code. I don’t have the skills to figure that out, though.
I’d like to know what to do, given recent events. Luckily, on the PC where I have EOS and Arch, I also have Debian 13, so the PC would still be operational (excluding the old desktop PC and the mini PC), and I could use Debian 13 if I wanted.
I’d be annoyed at having to reinstall Arch and EOS, or at least reinstall just one of them after deleting both OSes, to ensure a clean installation. While it might be the quickest route, it’s not necessarily the most convenient.
There’s a cachy test I used in that thread ^ and a GitHub one. (I found a 3rd AUR check on my own)
Me either. I had to give some things permissions and read directions 5 times til I could make it work and just to see the NOT INFECTED felt good. Good luck.
[sermor@archlinux ~]$ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash
Checking for infected AUR packages (1741 total)...
Clean: None of the known infected packages were installed within 2 days of the campaign.
I’m infection-free on Arch. I’ll check on EOS too.
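The kind of check whose output is quoted above (known-bad package names matched against what is installed, limited to an install-date window), as an added example that is not part of the thread and not the script the posters ran. The function names, package names, timestamps and window are constructed, and `installed_foreign` assumes `expac` is installed.

```shell
#!/bin/sh
# Added example. Package names, timestamps and the window are constructed.

# flag_suspect BLOCKLIST LO HI
#   BLOCKLIST: file with one known-bad package name per line
#   LO/HI:     install-date window as Unix epoch seconds (inclusive)
#   stdin:     "name<TAB>install_epoch", one line per installed package
#   stdout:    names that are on the blocklist AND were installed in the window
flag_suspect() {
    awk -F '\t' -v list="$1" -v lo="$2" -v hi="$3" '
        BEGIN { while ((getline name < list) > 0) bad[name] = 1 }
        ($1 in bad) && $2 + 0 >= lo + 0 && $2 + 0 <= hi + 0 { print $1 }
    '
}

# On a real Arch system the input comes from the local package database.
# Assumption: expac is installed. pacman -Qmq lists foreign (AUR/manual) packages.
# Usage: installed_foreign | flag_suspect blocklist.txt "$lo" "$hi"
installed_foreign() {
    expac --timefmt=%s '%n\t%l' $(pacman -Qmq)
}

# Offline demonstration on constructed data.
demo() {
    list=$(mktemp) || return 1
    printf '%s\n' example-bad-bin example-evil-git > "$list"
    lo=1000000                    # constructed window start
    hi=$((lo + 2 * 86400))        # window end, two days later
    # example-bad-bin:  on the list, installed inside the window  -> flagged
    # example-evil-git: on the list, installed before the window  -> not flagged
    # harmless-tool:    inside the window, not on the list        -> not flagged
    printf '%s\t%s\n' \
        example-bad-bin  1000500 \
        example-evil-git  900000 \
        harmless-tool    1000600 | flag_suspect "$list" "$lo" "$hi"
    rm -f "$list"
}

demo   # prints: example-bad-bin
```

Saving a checker like this to a file and reading it before running it keeps the check itself from becoming another piece of unreviewed code on the machine.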