Do the maintainers of the Arch Linux repo check that an application does not invade the user's privacy?

I am curious to know: any time I install an application through sudo pacman -S 'application', do the maintainers of the Arch Linux repo ensure that the application does not invade the user's privacy (I am not talking about applications that contain malware), such as by collecting telemetry, searching through the contents of the user's files and reporting back to their servers, uploading the user's files to their servers, etc.?

Honestly, I don't think so. Not sure about AUR packages. Bad actors are everywhere, and Arch is not an exception.

So are you saying you don't think the Arch Linux repo maintainers check whether applications invade privacy, or are you saying you don't think the applications invade the user's privacy?

Personally, I do care, and users also keep an eye on it; if it becomes known, they actually move it to the AUR…

If you compare it to Ubuntu or Fedora, Arch also does not have an application or systemd package that goes for bug-fixing upstream; users also go to the bug trackers themselves, and the packagers are going to deal with it in the end. If a package invades privacy, they stop maintaining it in the end.

Most of the packages in their repos are open source, and if they're in the official Arch repo, they're also quite popular. Hence more than one person has seen the source, read it, patched it, worked on it. I think you now understand what I'm trying to say.

And those that aren't open source? In that case there's still nothing the Arch devs can do to protect your privacy if that piece of software is indeed doing some edgy stuff behind our backs (unless they have effective evidence to prove that). It's up to the upstream developers themselves.

For a minute, let's put aside whether they should or not. How could they do this in any reasonable way?

  • Where you draw the line on privacy is totally different for each individual.
  • Someone would realistically have to review every open source package by hand.
  • The non-open source packages would need to have their network traffic monitored and reverse engineered with every new release to determine what information is being leaked.

Ultimately, it is up to you as the end user to determine which software you are comfortable using on your system.

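One concrete way to do the network-monitoring step from the list above, as an added example that is not from this thread and not Arch tooling: run the program under strace and summarise which endpoints it tries to connect to, bucketed into same-host, LAN and internet. The script assumes the line format printed by strace -f -e trace=connect -s 256 -o app.strace ./app (no -t/-tt timestamps); the sample lines are constructed, not captured from any real package, and the public addresses in them are stand-ins only.

```python
"""Summarise the endpoints a program tries to reach, from strace output.

Added example for the thread above, not Arch project code.  It assumes the
output of:  strace -f -e trace=connect -s 256 -o app.strace ./app
(no -t/-tt timestamps).  Usage:  python3 connect_summary.py app.strace
"""
import ipaddress
import re
import sys
from collections import Counter

# Patterns for the three socket families strace prints for connect().
PID_RE = re.compile(r'^\[pid\s+(\d+)\]')
V4_RE = re.compile(r'sa_family=AF_INET, sin_port=htons\((\d+)\), sin_addr=inet_addr\("([^"]+)"\)')
V6_RE = re.compile(r'sa_family=AF_INET6, sin6_port=htons\((\d+)\), .*?inet_pton\(AF_INET6, "([^"]+)"')
UNIX_RE = re.compile(r'sa_family=AF_UNIX, sun_path="([^"]+)"')


def parse_connect(line):
    """Return (pid, kind, (host, port)) for a connect() line, or None.

    The syscall's return value is deliberately ignored: a non-blocking socket
    reports EINPROGRESS, and a refused connection still tells you where the
    program wanted to go.  pid is None for the main process (strace -f only
    prefixes child threads/processes).
    """
    if 'connect(' not in line:
        return None
    m = PID_RE.match(line)
    pid = int(m.group(1)) if m else None
    m = V4_RE.search(line) or V6_RE.search(line)
    if m:
        return pid, 'ip', (m.group(2), int(m.group(1)))
    m = UNIX_RE.search(line)
    if m:
        return pid, 'unix', (m.group(1), None)
    return None


def classify(kind, endpoint):
    """Bucket an endpoint as 'local' (same host), 'lan' (private range) or 'internet'."""
    if kind == 'unix':
        return 'local'
    addr = ipaddress.ip_address(endpoint[0])
    if addr.is_loopback or addr.is_link_local:
        return 'local'
    if addr.is_private:
        return 'lan'
    return 'internet'


def summarize(lines):
    """Count connect() attempts per (host, port), grouped by classify()."""
    buckets = {'local': Counter(), 'lan': Counter(), 'internet': Counter()}
    for line in lines:
        rec = parse_connect(line)
        if rec is None:
            continue
        _pid, kind, endpoint = rec
        buckets[classify(kind, endpoint)][endpoint] += 1
    return buckets


def report(buckets):
    """Render the buckets as text, 'internet' first since that is what matters for privacy."""
    out = []
    for name in ('internet', 'lan', 'local'):
        out.append(f'{name}: {sum(buckets[name].values())} attempt(s)')
        for (host, port), n in buckets[name].most_common():
            target = host if port is None else f'{host}:{port}'
            out.append(f'  {n:4d}  {target}')
    return '\n'.join(out)


# Constructed sample of strace -f output; the public addresses are stand-ins.
SAMPLE = """\
execve("/usr/bin/app", ["app"], 0x7ffd1a2b3c40 /* 40 vars */) = 0
connect(3, {sa_family=AF_UNIX, sun_path="/run/dbus/system_bus_socket"}, 110) = 0
[pid  4242] connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
[pid  4242] connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("1.1.1.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid  4243] connect(7, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2606:4700::1111", &sin6_addr), sin6_scope_id=0}, 28) = 0
[pid  4242] connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("1.1.1.1")}, 16) = 0
connect(8, {sa_family=AF_INET, sin_port=htons(631), sin_addr=inet_addr("192.168.1.20")}, 16) = 0
+++ exited with 0 +++
"""

if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE.splitlines()
    print(report(summarize(lines)))
```

This answers "where does it talk to", which is the cheap half of the review; the "what information is being leaked" half still needs the traffic itself (a proxy, or tcpdump plus the application's TLS keys). It also only sees the traced process tree: anything the program hands off to a system service over D-Bus, or sends through a socket it inherited, will not appear in the strace output.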