Is it safe to use apps that are not listed in the Arch/AUR repositories?

Hi friends.

I’m interested in trying out the EmberGen real-time particle simulation program. It’s a little-known app because it’s new, but it seems like a safe company and app; they even have a version for Linux.


But I can’t find the app in the Arch/AUR repositories, and all the apps I’ve ever needed I’ve always found in Arch/AUR. So, is it safe to install apps that don’t appear in Arch/AUR?

I know that the safe repositories are those of Arch, and in the AUR you have to be a little more careful since there could be some malicious app. Am I right?

So, should I download the .zip of the app, unzip it, and run it like a Windows .exe? It doesn’t say if it’s a deb/rpm/arch compatible package, so I assume it’s one of those universal files that our friends here on the forum told me about.

Thanks in advance.

This is unanswerable. Each product/application needs to be investigated one at a time to determine if it is safe.

My premise would be: it’s unsafe until proven it’s not.

Man, that is expensive. Are you sure you wouldn’t rather spend some money on Blender training and learn particle simulation for Blender? Or is this needed for work/school?

If it’s just for personal projects, Blender’s Eevee is really good, you know.

Just addressing the topic’s question itself for a moment:

Is it safe to use apps that are not listed in the Arch/AUR repositories?

The context is: using software direct from the developer, instead of Arch/AUR repositories.

Perhaps what needs clarity is what is meant by “safe”. Security? System stability? Best practice? Something else?

In terms of best practice and system stability, I might argue that it is safer to use the Arch/AUR repositories. Installing and uninstalling is made much cleaner. If the package is not currently available in either as is the case here, you might consider creating your own PKGBUILD file for this application, so you can install it cleanly on your system. Side-stepping this process can potentially result in system file conflicts, and difficulty correctly uninstalling that app.

In terms of security, the Arch/AUR repositories do not add security. If you can’t trust an app direct from the developer, getting it from the Arch/AUR does not change that.

If an AUR package has a -git suffix, is it basically the same as getting it from GitHub yourself?
No one ever talks about pulling that stuff in with curl; I had to do it for something I needed and have been looking over my shoulder ever since.

I think the majority of AUR packages are pulling their source or binaries directly from the official developers’ sources, regardless of whether they are -git packages. Binary packages can be pulled from GitHub also. The only difference with -git and most non-bin open-source packages is that they’re compiled locally on your system.

When reviewing an AUR package’s legitimacy, that’s one of the checks. Some packages do separately pull in custom patches from a non-original developer source (eg: obs-studio-tytan652 and vlc-luajit). The merit of these packages needs to be considered.

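
As an added example (not code from this thread, from EmberGen or from any AUR package), the following Python script automates the review check described in the two posts above: it reads a PKGBUILD and reports sources fetched from hosts other than the upstream developer’s, VCS checkouts such as git+https, and checksums set to SKIP or missing. The PKGBUILD text and the host names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed PKGBUILD for illustration; not a real AUR package.
SAMPLE_PKGBUILD = """\
pkgname=example-sim
pkgver=1.2.3
pkgrel=1
source=("https://downloads.example.com/example-sim-${pkgver}.zip"
        "fix-paths.patch::https://raw.githubusercontent.com/someone/patches/main/fix.patch"
        "git+https://github.com/someone/helper.git")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
            'SKIP'
            'SKIP')
"""

def parse_array(text, name):
    """Return the entries of a bash array assignment `name=( ... )` as strings."""
    m = re.search(rf'^{name}=\((.*?)\)', text, re.S | re.M)
    return [t.strip('"\'') for t in m.group(1).split()] if m else []

def classify_source(entry):
    """Split a source entry into (url, host, is_vcs); host is None for local files."""
    url = entry.split('::', 1)[1] if '::' in entry else entry   # drop the filename:: prefix
    is_vcs = re.match(r'^(git|hg|svn|bzr)\+', url) is not None  # e.g. git+https://...
    url = re.sub(r'^(git|hg|svn|bzr)\+', '', url)
    host = urlparse(url).hostname if '://' in url else None
    return url, host, is_vcs

def review(pkgbuild, upstream_hosts):
    """List findings: sources outside upstream_hosts, VCS checkouts, unpinned checksums."""
    findings = []
    name = re.search(r'^pkgname=(\S+)', pkgbuild, re.M)
    if name and name.group(1).endswith('-git'):
        findings.append('pkgname: -git package, builds from the latest upstream commits')
    sources = parse_array(pkgbuild, 'source')
    sums = parse_array(pkgbuild, 'sha256sums') or parse_array(pkgbuild, 'b2sums')
    for i, entry in enumerate(sources):
        url, host, is_vcs = classify_source(entry)
        checksum = sums[i] if i < len(sums) else 'MISSING'
        if host is not None and host not in upstream_hosts:
            findings.append(f'source {i}: fetched from third-party host {host}')
        if is_vcs:
            findings.append(f'source {i}: VCS checkout instead of a release archive ({url})')
        if checksum.upper() in ('SKIP', 'MISSING'):
            findings.append(f'source {i}: checksum {checksum}, content is not pinned')
    return findings

if __name__ == '__main__':
    for line in review(SAMPLE_PKGBUILD, {'downloads.example.com'}):
        print(line)
```

Each finding is a prompt to look further (a SKIP on a git source is normal, a SKIP on a release archive is not), not a verdict on the package.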
Fascinating, I did not know this. In selecting AUR packages I always go for the existing binary. I love the idea, also, of having a package compiled locally, but I would have to relinquish a bit of trust on the rundeps they pull in.
I can’t thank you enough for parsing what I only understood conceptually.

I don’t love the idea for big apps :grinning:, it can take a lot of resources (CPU load, memory and disk space) and a lot of compilation time.

A -git suffix means the package is being built from source code on your machine but from the latest commits made in the source code. This may or may not have been tested or released yet.

If you don’t have any compelling reason to install a version of a software built on the latest commits, I would personally go with the non-git one. If the software is open source, the released code should be downloaded and built locally on your system as well.

Hi friends, sorry for taking so long to reply, I have time now and I’m answering some threads.

I actually only use Blender and it’s my favorite program. But EmberGen has a 15-day free license and an unlimited/no-export license after those 15 days.

But I found the real-time particle simulation interesting. But yes, Blender has always been my favorite.

The only thing I was mostly worried about was whether the program could carry viruses or malicious code.

I’m not really worried about it carrying minor stuff like telemetry or such, since I use other non-open source programs like Steam. So the only thing I was worried about was viruses like trojans, keyloggers, cryptominers, OS encryptors, etc.

Anyway, in the end I didn’t install it due to lack of time. :sweat_smile:
