Non-sudo Package Managers

I was a little skeptical about the no AUR but I mean it was just a mistake and honestly Wayland and X may as well be the same safety level. But regardless of it being the solution I am just going to take like 2 points out of the answer which is Flatpaks and virtual machining

With the AUR you just have to be careful and understand how the package is built. But thanks to its transparency, you can know exactly what goes into it, and how safe it is. What you should definitely not do is type yay package_name and blindly install random stuff.

Yes, I always check the GitHub of the project and only then I install it (also check the dependencies)

Not enough. Check the PKGBUILD.

I know the PKGBUILD. I’ll try checking it more

Installing packages from the AUR requires sudo and a) the user asked for non-sudo package managers, and b) if a problem with a package or application occurs, at least it does not have sudo rights using Flatpak. And Flatpak apps have a permission system, which is more secure and private than not having it. Wayland is also more secure than X as explained already. What evidence do you ask for here? The evidence is the concept of it. That is more secure and private than X11.

A malicious application in the AUR is way worse than a malicious application installed without root and with at least some permission rights on Flatpak. Like with the XZ application, you would update your Flatpak app just like you would update the package with your package manager.

I use the AUR myself too, but one has to know and understand what is happening and look beyond the install script if one is suspicious. The PKGBUILD script is rarely the issue itself, just like the installer with Flatpak itself is.

It’s just parroted words written without any evidence. In what practical way does Wayland offer more security to you than Xorg? What security issue did you encounter on Xorg personally that Wayland solved for you?

Except the issue of getting the approval of idiots on Reddit, that is… :rofl:

Wrong.

A malicious package in the AUR is not somehow worse than one in the Flatpak repository – it’s pretty much the same, if it wants to, and you’re foolish enough to let it, it will get complete control over your system. The significant difference is that it’s easy to discover malicious stuff in the AUR due to its transparent nature, but very difficult to discover it in flatpak. Updating the flatpak depends on the flatpak maintainer actually pushing an update. They are often very negligent in that regard. So no, you can’t just “update it”, if the update is not available. There is plenty of ancient stuff in Flatpak, some critical vulnerabilities that are years old.

The user is wrong in thinking that sudo is a security issue, instead of a security benefit.

@thingsiplay getting humbled :skull:

Perfectly soundly written PKGBUILD from AUR can also package and install perfectly unsoundly written code from the source. So if one wants to be absolutely certain that nothing unsound is installed on their system, look into the source.

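
A PKGBUILD triage script, added here as an example (it is not code from this thread or from any AUR package) that pulls out what a reviewer following the advice above would look at first: where each source= entry is downloaded from compared with the upstream url, whether a VCS source is pinned to a commit or tag, and whether a checksum is enforced or set to SKIP. The PKGBUILD is a constructed sample, not a real package, and it is parsed as text with regexes rather than sourced, so nothing in it executes.

```python
import re
from urllib.parse import urlparse

# Constructed sample PKGBUILD (not a real AUR package); the second and third
# sources are written to trip the checks below.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
url="https://github.com/example/example-tool"
source=("$pkgname-$pkgver.tar.gz::https://github.com/example/example-tool/archive/v$pkgver.tar.gz"
        "helper.sh::https://files.example.net/helper.sh"
        "git+https://github.com/example/plugin.git#branch=main")
sha256sums=('1111111111111111111111111111111111111111111111111111111111111111'
            'SKIP'
            'SKIP')
"""

def _array(text, name):
    """Quoted items of a bash array assignment name=( ... ), parsed as text only."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    return re.findall(r"['\"]([^'\"]*)['\"]", m.group(1)) if m else []

def _scalar(text, name):
    """Value of a simple name=value assignment (quotes stripped)."""
    m = re.search(rf"^{name}=['\"]?([^'\"\n]+)", text, re.M)
    return m.group(1) if m else ""

def triage(pkgbuild):
    """Return the review findings for one PKGBUILD; an empty list means nothing flagged."""
    findings = []
    upstream = urlparse(_scalar(pkgbuild, "url")).hostname or ""
    sources = _array(pkgbuild, "source")
    sums = (_array(pkgbuild, "sha256sums") or _array(pkgbuild, "b2sums")
            or _array(pkgbuild, "md5sums"))
    for i, src in enumerate(sources):
        # "filename::URL" renames the download; the fetch location is after '::'.
        location = src.split("::", 1)[-1]
        is_vcs = location.startswith(("git+", "hg+", "svn+", "bzr+"))
        host = urlparse(location.split("+", 1)[1] if is_vcs else location).hostname
        if host is None:
            continue  # local file shipped alongside the PKGBUILD (patch, .desktop, ...)
        if host != upstream:
            findings.append(f"source {i}: fetched from {host}, not upstream {upstream}")
        if is_vcs and "#commit=" not in location and "#tag=" not in location:
            findings.append(f"source {i}: VCS source not pinned to a commit or tag")
        if not is_vcs and (i >= len(sums) or sums[i] == "SKIP"):
            findings.append(f"source {i}: no checksum enforced (SKIP or missing)")
    return findings

if __name__ == "__main__":
    for line in triage(SAMPLE_PKGBUILD):
        print(line)
```

A flagged entry is a place to read the PKGBUILD and the fetched source more closely, not a verdict; the script deliberately does not look inside prepare() or build(), which still need a human read.
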
Yeah. That's why I look at the GitHub and I'ma start looking at the PKGBUILD too.

This is not to get approval of idiots on Reddit, just because you disagree. I recommend into reading what Wayland actually is and why it is more secure. Just like Wayland, Flatpak is not perfect but has controls and APIs in place to control specific parts and allow applications to do narrow things. Just because a program can have vulnerabilities does not negate the positive effects of control.

You don’t provide evidence that X11 is not less secure than Wayland either. Asking people what security issues they encountered personally and then telling them to use something insecure because one did not encounter one personally?

This argument is a null-argument, because updating the AUR package depends on the AUR maintainer actually pushing an update as well. The AUR has outdated packages as well and not all are maintained by trustful members. Just like with any package managers, you should only install applications from trusted sources (like the original maintainer of Flatpak package).

@IDKnix What do you mean by “getting humbled”?


Wrong again.

The advantage of dynamically linking libraries is that you don’t have to update the package from the AUR to benefit from an update to a library. So, the moment a library that contains a vulnerability is updated (and those updates are pushed quickly by the distro maintainers), all packages that dynamically link to that library use the updated code without the vulnerability. Those packages do not have to be updated themselves.

Of course, this is not true for Flatpaks which statically link their own dependencies.

I never claimed that Xorg was more secure than Wayland. I’m just calling out Reddit-level :ox::poop: when I see it. Parrots repeat all over the web: “wAylAnD iS MorE sEcuRE tHaN x11”, yet nobody cares to provide a single argument or piece of evidence to support that nonsensical claim. It’s not more secure, it’s just as bad, except it has crippled functionality, so it’s a bit more difficult to abuse.

XD me too

That’s just dancing on words. You still need to update the package. An AUR package can have dependencies like binary files or download from Git too.

Wrong. If you update a dynamically linked library, you don’t need to rebuild everything that uses that library, as long as the API remains unchanged.

That’s the whole point of dynamically linking stuff. :man_facepalming:

For example, when you updated xz a few days ago, you didn’t need to update everything that uses xz to benefit from that update, as long as the linkage was dynamic (which is true for all repo packages and most AUR packages). On the other hand, you probably still have a bunch of Flatpaks that contain an old version of xz bundled in them, statically linked. Maybe one day their maintainers will push an update for them. Maybe.

Did you personally encounter such an issue with a Flatpak app? Or are you parroting what others say? This XZ issue wouldn’t even make it to most Flatpaks, only to those which are maintained. And in such a situation they would update the packages as well, just like the distro maintainer updated. So you build something in your mind. And worse, such an infected package would infect all linked packages as well.

For example, there are packages in the official Arch repo which sometimes don’t get updated for weeks.

I can provide an argument of why Wayland is less secure - because there’s no way in hell anyone would be able to rewrite all programs ever written for Linux to completely exclude X11 / XWayland from their system.

So absolute most of people will use X11 / XWayland alongside Wayland, which is very stupid.
The only thing you’re doing by introducing it therefore - is making your attack surface much bigger, and also making life of both devs (by wasting their time) and ordinary users (by taking away some features they had for years and introducing new :bug: :beetle:) much worse.

No, of course I didn’t. I’m not an idiot. :rofl:

I don’t use Flatpak.

But I understand how static linking works, to know it’s a terrible idea.

This sure is entertaining. I don't know much about Linux so I can just sit back and relax