I am running brave-bin from the AUR, as recommended by the Brave website.
For the most part, I use the settings from Kuketz.
thx @swh, I will try this
I can understand if the reason to avoid the AUR is your preference to sandbox/contain a specific app and its respective files within a Flatpak, as you’ve mentioned.
It may not be necessary to say, but as others have somewhat touched on, there’s nothing inherently wrong with installing a browser from the AUR. Packages within the AUR are structured and installed the same way official packages are installed, using the PKGBUILD standard. This is how 99-100% of the software on any given Arch system is installed.
The hypothetical risk the AUR poses is that a package maintainer does not use official sources within the PKGBUILD, introducing potential for exploitation, whether wilful or unintentional.
If the PKGBUILD is using official sources and is well maintained, then functionally it is little different to an official Arch package, or downloading and installing it yourself.
If the PKGBUILD uses an unofficial source, when an official one is available, a community that’s paying attention will quickly pick up on this, as it’s completely transparent. This would especially be the case for a popular package like brave-bin, which is currently ranked 6th out of 90,240 packages.
Thanks a lot @Bink, I can understand what you wrote and my concerns about the AUR are no longer valid.
I have learnt that with any software you need to trust the source. Even if a PKGBUILD in AUR looks good, you need to trust the source that the package is made from.
If you look at the brave-bin PKGBUILD file on the AUR web search page, you’ll see that it pulls archive files from Brave’s GitHub space and unarchives them.
Ref:
This is way different than some user building their own brave package and sticking it on an AWS server, and making an AUR package to have Arch/* users use that.
That’s true of every bit of software you run, from the kernel to the applications. With the AUR, you can only check that it is grabbed from the official source and that no malicious patches are applied. I suppose you could also read all the source code, but the Linux kernel alone would be more than a full time job.
“Trust, but verify,” they say, but running a free and open source system is mostly trust, because it is impossible to verify.
yes it does
and definitely install Brave using the AUR, Flatpak gives problems.
I’ve now installed Brave (brave-bin) from the AUR on my main computer, and I think it’ll become my daily driver. Good configuration options and a secure ad blocker, what more could I want (for now). Thanks for your help and suggestions.
Edit: typo
There is no brave-git in the AUR @Darius
sorry, typo .. I mean brave-bin
I was just getting ready to respond to @Darius. The only instances of Brave Browser in the AUR are brave, brave-bin, brave-beta-bin, brave-nightly-bin.
I’m a bit late to the discussion, but I’ll add my two cents for what it’s worth.
I believe sandboxing a browser is always a good idea, so I lean towards Flatpak. However, since brave-beta isn’t available in the Flatpak repo, I’ve opted for brave-beta-bin from the AUR instead.
As a note, both brave-bin’s PKGBUILD and brave-beta-bin’s PKGBUILD include adjustments to assist working with Firejail’s sandboxing.
chmod 4755 "$pkgdir/opt/brave-bin/chrome-sandbox"
I’ll have to take a peek at that. Thanks
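The check discussed in this thread (does a PKGBUILD pull from the official source, and is the download pinned to a checksum) can be done without executing the file. The following is an added example, not code from any poster or from the brave-bin package: the sample PKGBUILD is constructed, the "official" list of github.com paths under /brave/ is an assumption based on the thread, and only simple name=value variables and the sha256sums array are handled.

```python
import re
from urllib.parse import urlparse

# Constructed sample, NOT the real brave-bin PKGBUILD: one upstream source,
# one third-party mirror, and checksum entries that disable verification.
SAMPLE_PKGBUILD = '''
pkgname=example-browser-bin
pkgver=1.2.3
source=("$pkgname-$pkgver.zip::https://github.com/brave/brave-browser/releases/download/v${pkgver}/browser-${pkgver}.zip"
        "https://files.example.net/mirror/extra-${pkgver}.tar.gz"
        "launcher.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP'
            'SKIP')
'''

# Assumption: what the reviewer accepts as "official" (host, path prefix).
OFFICIAL = [("github.com", "/brave/")]

def _array(text, name):
    """Return the quoted entries of a bash array such as source=(...)."""
    m = re.search(rf"^{name}(?:_\w+)?=\((.*?)\)", text, re.S | re.M)
    return re.findall(r"""["']([^"']*)["']""", m.group(1)) if m else []

def _expand(value, text):
    """Substitute simple name=value assignments; never executes the file."""
    scalars = dict(re.findall(r"^(\w+)=([^\s(]+)$", text, re.M))
    return re.sub(r"\$\{?(\w+)\}?", lambda m: scalars.get(m.group(1), m.group(0)), value)

def audit(text, official=OFFICIAL):
    findings = []
    sources, sums = _array(text, "source"), _array(text, "sha256sums")
    for i, entry in enumerate(sources):
        url = _expand(entry.split("::")[-1], text)  # drop "name::" rename prefix
        if "://" not in url:
            continue  # local file shipped in the AUR repo itself
        u = urlparse(url)
        if u.scheme != "https":
            findings.append((url, "not fetched over https"))
        if not any(u.hostname == h and u.path.startswith(p) for h, p in official):
            findings.append((url, "host/path not on the official list"))
        if i >= len(sums) or sums[i] == "SKIP":
            findings.append((url, "no checksum pinned"))
    return findings

if __name__ == "__main__":
    for url, reason in audit(SAMPLE_PKGBUILD):
        print(f"{reason}: {url}")
```

A clean result only says where the files come from and that they are pinned; it says nothing about what the upstream binary itself does, which is the trust question raised above.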