The URL used by the package is linked from the GitHub page, so that is probably an official source.
Perfect. Thanks, mate!
You’re absolutely right, that title is definitely a better fit. I’m always happy to improve my modest English skills.
You’re welcome, @swh!
Thanks, @dalto, it’s always nice to learn here. Removed it!
The only thing on that list I do is 5.
I am not sure it was a severe enough issue to warrant removal, but it does show either laziness or a lack of knowledge on the packager's part, which is a red flag.
I don’t need this package at all. It was more of a bit of fun.
I also still update my AUR packages. I have enabled diffs now and try to check what changes before updating.
Cleaned up a bit again
─❯ LANG=C traur scan
Fetching package metadata for 33 installed packages...
Scanning 33 AUR packages...
Fetching maintainer data for 30 unique maintainers...
=== traur scan results ===
Scanned: 33 packages (0 errors)
TRUSTED: 28 OK: 5 SKETCHY: 0 SUSPICIOUS: 0 MALICIOUS: 0
=== 33 packages ===
traur: brave-bin (trust: 65/100)
Trust: OK
Negative signals:
!! P-SUID-BIT: Setting SUID/SGID bit (privilege escalation)
B-SUBMITTER-CHANGED: Package maintainer (brave) differs from original submitter (toropisco)
traur: brave-origin-nightly-bin (trust: 68/100)
Trust: OK
Negative signals:
!! P-SUID-BIT: Setting SUID/SGID bit (privilege escalation)
traur: grayjay-bin (trust: 75/100)
Trust: OK
Negative signals:
! SA-HIGH-ENTROPY-HEREDOC: heredoc with high entropy (5.0 bits/byte, 345 bytes)
traur: traur (trust: 77/100)
Trust: OK
Negative signals:
! P-PACMAN-HOOK: Pacman hook creation (unusual for AUR packages)
traur: localsend-bin (trust: 80/100)
Trust: OK
Negative signals:
B-SUBMITTER-CHANGED: Package maintainer (noureddinex) differs from original submitter (Nixuge)
! B-ORPHAN-TAKEOVER: Adopted package with new git author (NourEddineX) — orphan takeover pattern
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: losslesscut-bin (trust: 81/100)
Trust: TRUSTED
Negative signals:
T-AUTHOR-CHANGE: Git history shows multiple different authors
! B-BIN-DOMAIN-MISMATCH: -bin package upstream is github.com but source downloads from raw.githubusercontent.com
! B-BIN-DOMAIN-MISMATCH: -bin package upstream is github.com but source downloads from raw.githubusercontent.com
traur: shell-color-scripts-git (trust: 83/100)
Trust: TRUSTED
Negative signals:
P-CHECKSUM-MISMATCH: checksum count mismatch: source has 3 entries but sha256sums has 1
M-VOTES-LOW: Package has very few votes (2)
T-SINGLE-COMMIT: Git history has only 1 commit
traur: pfetch-git (trust: 88/100)
Trust: TRUSTED
Negative signals:
P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative
M-POP-ZERO: Popularity is 0 (no recent usage)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: papirus-folders-catppuccin-git (trust: 88/100)
Trust: TRUSTED
Negative signals:
P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative
B-SUBMITTER-CHANGED: Package maintainer (catppuccin) differs from original submitter (Latipun)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: furmark (trust: 89/100)
Trust: TRUSTED
Negative signals:
B-MAINTAINER-SINGLE: Maintainer has only 1 package
B-SUBMITTER-CHANGED: Package maintainer (vinicentus) differs from original submitter (alou-S)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: mullvad-browser-bin (trust: 89/100)
Trust: TRUSTED
Negative signals:
P-CHECKSUM-MISMATCH: checksum count mismatch: source has 6 entries but sha256sums has 4
traur: mtplayer (trust: 92/100)
Trust: TRUSTED
Negative signals:
B-SUBMITTER-CHANGED: Package maintainer (zzzardoz) differs from original submitter (haawda)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: catppuccin-gtk-theme-mocha (trust: 92/100)
Trust: TRUSTED
Negative signals:
B-MAINTAINER-SINGLE: Maintainer has only 1 package
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: cfetch (trust: 92/100)
Trust: TRUSTED
Negative signals:
M-VOTES-LOW: Package has very few votes (1)
M-POP-ZERO: Popularity is 0 (no recent usage)
M-GITHUB-STARS-LOW: Upstream GitHub repo has very few stars (3)
traur: f3 (trust: 92/100)
Trust: TRUSTED
Negative signals:
B-SUBMITTER-CHANGED: Package maintainer (Paragoumba) differs from original submitter (kyle)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: cantata (trust: 92/100)
Trust: TRUSTED
Negative signals:
M-OUT-OF-DATE: Package is flagged as out of date
B-SUBMITTER-CHANGED: Package maintainer (FabioLolix) differs from original submitter (arojas)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: open-tv-bin (trust: 92/100)
Trust: TRUSTED
Negative signals:
B-MAINTAINER-SINGLE: Maintainer has only 1 package
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: fortune-mod-de (trust: 93/100)
Trust: TRUSTED
Negative signals:
M-VOTES-LOW: Package has very few votes (1)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: bruteforce-luks (trust: 93/100)
Trust: TRUSTED
Negative signals:
M-VOTES-LOW: Package has very few votes (1)
B-MAINTAINER-SINGLE: Maintainer has only 1 package
traur: python-materialyoucolor-git (trust: 93/100)
Trust: TRUSTED
Negative signals:
M-VOTES-LOW: Package has very few votes (4)
B-MAINTAINER-SINGLE: Maintainer has only 1 package
traur: klassy (trust: 96/100)
Trust: TRUSTED
Negative signals:
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: librewolf-bin (trust: 96/100)
Trust: TRUSTED
Negative signals:
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: weasis-bin (trust: 96/100)
Trust: TRUSTED
Negative signals:
B-SUBMITTER-CHANGED: Package maintainer (tugyan) differs from original submitter (Junker)
traur: plasma6-applets-wallpaper-effects (trust: 97/100)
Trust: TRUSTED
Negative signals:
M-VOTES-LOW: Package has very few votes (3)
traur: kde-material-you-colors (trust: 100/100)
Trust: TRUSTED
No negative signals found.
traur: gaiasky (trust: 100/100)
Trust: TRUSTED
No negative signals found.
traur: darkly-bin (trust: 100/100)
Trust: TRUSTED
No negative signals found.
traur: plasma6-applets-panel-colorizer (trust: 100/100)
Trust: TRUSTED
No negative signals found.
traur: plasma6-applets-plasmusic-toolbar (trust: 100/100)
Trust: TRUSTED
No negative signals found.
traur: python-pywal16 (trust: 100/100)
Trust: TRUSTED
No negative signals found.
traur: ramfetch (trust: 100/100)
Trust: TRUSTED
No negative signals found.
traur: pacseek (trust: 100/100)
Trust: TRUSTED
No negative signals found.
traur: plasma6-applets-kurve (trust: 100/100)
Trust: TRUSTED
No negative signals found.
Don’t forget to save that minimal AUR list
pacman -Qqem > ~/packages-AUR.txt && pacman -Qqetn > ~/packages-repository.txt
traur: ungoogled-chromium-bin (trust: 65/100)
Trust: OK
Negative signals:
!! P-SUID-BIT: Setting SUID/SGID bit (privilege escalation)
B-MAINTAINER-SINGLE: Maintainer has only 1 package
It seems like most (all?) Chromium-based browsers set the setuid bit on chrome-sandbox.
That’s the (I think) famous Eloston, who is dedicated to his de-googled Chrome project. As someone who has used his product for many years: it’s a lot of work to maintain.
“Maintainer has only 1 package” is a valid flag all the same, I suppose.
I’m sorry, I didn’t get you. Save it for future reference?
I save this list every now and then so that, if I ever have to reinstall the system, I’ll always have a suitable, up-to-date list of all the programs on this system.
Everything verified and under control.
❯ traur scan
Fetching package metadata for 16 installed packages...
Scanning 16 AUR packages...
Fetching maintainer data for 15 unique maintainers...
=== traur scan results ===
Scanned: 16 packages (0 errors)
TRUSTED: 13 OK: 3 SKETCHY: 0 SUSPICIOUS: 0 MALICIOUS: 0
=== 16 packages ===
traur: brave-origin-nightly-bin (trust: 68/100)
Trust: OK
Negative signals:
!! P-SUID-BIT: Setting SUID/SGID bit (privilege escalation)
traur: picosnitch (trust: 77/100)
Trust: OK
Negative signals:
! P-SYSTEMD-CREATE: Creating/enabling systemd service
B-MAINTAINER-SINGLE: Maintainer has only 1 package
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: traur-bin (trust: 77/100)
Trust: OK
Negative signals:
! P-PACMAN-HOOK: Pacman hook creation (unusual for AUR packages)
traur: onlyoffice-bin (trust: 81/100)
Trust: TRUSTED
Negative signals:
P-CHECKSUM-MISMATCH: checksum count mismatch: source has 4 entries but sha256sums has 2
B-SUBMITTER-CHANGED: Package maintainer (dbermond) differs from original submitter (mikalair)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: multimarkdown (trust: 88/100)
Trust: TRUSTED
Negative signals:
P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative
B-SUBMITTER-CHANGED: Package maintainer (csolisr) differs from original submitter (Ambrevar)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: proton-authenticator-bin (trust: 92/100)
Trust: TRUSTED
Negative signals:
B-SUBMITTER-CHANGED: Package maintainer (AlphaLynx) differs from original submitter (Cube1ber)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: waterfox-bin (trust: 92/100)
Trust: TRUSTED
Negative signals:
B-SUBMITTER-CHANGED: Package maintainer (Exorcism) differs from original submitter (hawkeye116477)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: python-argparse-from-file (trust: 94/100)
Trust: TRUSTED
Negative signals:
P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative
M-GITHUB-STARS-LOW: Upstream GitHub repo has very few stars (1)
traur: pkglog (trust: 95/100)
Trust: TRUSTED
Negative signals:
P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative
traur: betterbird-bin (trust: 96/100)
Trust: TRUSTED
Negative signals:
B-SUBMITTER-CHANGED: Package maintainer (Posi) differs from original submitter (btstream)
traur: ttf-ms-fonts (trust: 96/100)
Trust: TRUSTED
Negative signals:
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: virtio-win (trust: 96/100)
Trust: TRUSTED
Negative signals:
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: ulauncher (trust: 96/100)
Trust: TRUSTED
Negative signals:
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: timeshift-systemd-timer (trust: 98/100)
Trust: TRUSTED
Negative signals:
M-NO-URL: No upstream URL provided
traur: pacseek-bin (trust: 100/100)
Trust: TRUSTED
No negative signals found.
traur: polychromatic (trust: 100/100)
Trust: TRUSTED
No negative signals found.
Here’s my scan …
$ traur scan
Fetching package metadata for 18 installed packages...
Scanning 18 AUR packages...
Fetching maintainer data for 18 unique maintainers...
=== traur scan results ===
Scanned: 18 packages (0 errors)
TRUSTED: 14 OK: 2 SKETCHY: 2 SUSPICIOUS: 0 MALICIOUS: 0
=== 18 packages ===
traur: 1password (trust: 47/100)
Trust: SKETCHY
Negative signals:
! P-EVAL-VAR: Dynamic code execution via eval
!! P-PASSWD-READ: Reading system password files
!! P-SUID-BIT: Setting SUID/SGID bit (privilege escalation)
P-CHECKSUM-MISMATCH: checksum count mismatch: source has 1 entries but sha256sums has 2
B-SUBMITTER-CHANGED: Package maintainer (1Password) differs from original submitter (rew1red)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: jdownloader2 (trust: 51/100)
Trust: SKETCHY
Negative signals:
! P-SYSTEMD-CREATE: Creating/enabling systemd service
T-AUTHOR-CHANGE: Git history shows multiple different authors
!! G-INSTALL-SUID: install with SUID/SGID mode bits
traur: brave-origin-bin (trust: 65/100)
Trust: OK
Negative signals:
!! P-SUID-BIT: Setting SUID/SGID bit (privilege escalation)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: traur-bin (trust: 77/100)
Trust: OK
Negative signals:
! P-PACMAN-HOOK: Pacman hook creation (unusual for AUR packages)
traur: heroic-games-launcher-bin (trust: 85/100)
Trust: TRUSTED
Negative signals:
B-SUBMITTER-CHANGED: Package maintainer (flaviofearn) differs from original submitter (cwrau)
T-AUTHOR-CHANGE: Git history shows multiple different authors
! B-BIN-DOMAIN-MISMATCH: -bin package upstream is heroicgameslauncher.com but source downloads from github.com
traur: faugus-launcher (trust: 89/100)
Trust: TRUSTED
Negative signals:
P-SKIP-ALL: All checksums are SKIP (no integrity verification)
traur: masterpdfeditor (trust: 92/100)
Trust: TRUSTED
Negative signals:
B-MAINTAINER-SINGLE: Maintainer has only 1 package
B-SUBMITTER-CHANGED: Package maintainer (pgoetz) differs from original submitter (farseerfc)
traur: zapzap (trust: 92/100)
Trust: TRUSTED
Negative signals:
B-SUBMITTER-CHANGED: Package maintainer (alllexx88) differs from original submitter (bordam)
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: softmaker-office-2024-bin (trust: 93/100)
Trust: TRUSTED
Negative signals:
P-HTTP-SOURCE: Plain HTTP source URL (no TLS, MITM risk)
traur: plasma6-applets-appgrid (trust: 96/100)
Trust: TRUSTED
Negative signals:
T-AUTHOR-CHANGE: Git history shows multiple different authors
traur: vuescan-bin (trust: 96/100)
Trust: TRUSTED
Negative signals:
B-SUBMITTER-CHANGED: Package maintainer (FabioLolix) differs from original submitter (ninian)
traur: xnviewmp (trust: 96/100)
Trust: TRUSTED
Negative signals:
B-SUBMITTER-CHANGED: Package maintainer (Corax) differs from original submitter (oliwer)
traur: xdg-terminal-exec (trust: 99/100)
Trust: TRUSTED
Negative signals:
M-OUT-OF-DATE: Package is flagged as out of date
traur: plasma6-applets-panel-colorizer (trust: 100/100)
Trust: TRUSTED
No negative signals found.
traur: arch-update (trust: 100/100)
Trust: TRUSTED
No negative signals found.
traur: protonplus (trust: 100/100)
Trust: TRUSTED
No negative signals found.
traur: ventoy-bin (trust: 100/100)
Trust: TRUSTED
No negative signals found.
traur: betterbird-de-bin (trust: 100/100)
Trust: TRUSTED
No negative signals found.
Never thought that 1Password would be SKETCHY, with only 47 points.
Because traur just applies heuristics, mostly glued together with regex. It’s nice to have, if you trust traur, but it doesn’t make any actual judgement on whether the found items are necessary or make sense.
There is some interesting stuff in there.
P-EVAL-VAR: This is because it uses eval, somewhat unnecessarily.
P-PASSWD-READ: This is kind of messed up, honestly. It reads the /etc/passwd file from the host the package is built on and then installs usernames from it into the package. So if you build this on one host and install it on a different host, it will take the users from the build host.
P-SUID-BIT: This is the chrome-sandbox thing that all Chromium/Electron apps seem to need.
P-CHECKSUM-MISMATCH: This looks like a false positive to me.
It also seems to use setgid in the post install script.
The G-INSTALL-SUID is because it creates /opt/jdownloader with setgid permission.
IMHO, given the nature of jdownloader and the fact that it self-updates its components, I would suggest switching to the flatpak package, just to have some sandboxing.
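To make the discussion above concrete, here is a small, added illustration of how signal classes like the ones in the scan output (SUID mode bits, eval, reading /etc/passwd, weak or SKIP checksums, plain-HTTP sources, checksum-count mismatches) can be derived from a PKGBUILD with regex heuristics. It is not traur's code and does not reproduce traur's rules or scoring, which this thread does not show; the signal names, the sample PKGBUILD and the parsing shortcuts are all constructed for the example. It also shows one way a naive checksum-count check can misfire: PKGBUILDs may carry per-architecture `source_x86_64` / `sha256sums_x86_64` arrays, and counting every source entry against a single checksum array reports a mismatch that an architecture-aware comparison does not. Whether that is the actual cause of the 1password report above is an assumption, not something the thread confirms.

```python
import re
import shlex

# Constructed sample PKGBUILD (not a real AUR package). It is written to trip
# the same classes of signal discussed in the thread.
SAMPLE_PKGBUILD = r'''
pkgname=example-bin
pkgver=1.0
url="https://example.invalid"
source=("http://example.invalid/app-${pkgver}.tar.gz"
        "app.desktop")
source_x86_64=("https://example.invalid/app-${pkgver}-x86_64.bin")
md5sums=('d41d8cd98f00b204e9800998ecf8427e'
         'SKIP')
sha256sums_x86_64=('SKIP')

package() {
    install -Dm4755 "$srcdir/chrome-sandbox" "$pkgdir/opt/app/chrome-sandbox"
    eval "$_extra_cmds"
    grep '^app:' /etc/passwd >> "$pkgdir/etc/app/users"
}
'''

# name=( ... ) array assignments. Deliberately naive: the body stops at the
# first ')', so $(...) inside an array would break it; fine for the sample.
ARRAY_RE = re.compile(r'^(?P<name>[A-Za-z_]\w*)=\((?P<body>.*?)\)', re.M | re.S)
WEAK = ('md5sums', 'sha1sums')
STRONG = ('sha224sums', 'sha256sums', 'sha384sums', 'sha512sums', 'b2sums')

# Line-level patterns for the function bodies (signal names are illustrative).
BODY_PATTERNS = (
    ('SUID-BIT', re.compile(r'\binstall\b[^\n]*-[A-Za-z]*m\s*[2467][0-7]{3}\b'
                            r'|\bchmod\s+(?:[ugoa]*[+=][rwx]*s|[2467][0-7]{3})')),
    ('EVAL', re.compile(r'\beval\b')),
    ('PASSWD-READ', re.compile(r'/etc/(?:passwd|shadow|group)\b')),
)


def parse_arrays(text):
    """Return {array_name: [entries]} for every bash array assignment."""
    return {m['name']: shlex.split(m['body']) for m in ARRAY_RE.finditer(text)}


def checksum_signals(arrays):
    """Architecture-aware checks: compare source_<arch> against <algo>sums_<arch>."""
    found = []
    suffixes = {n[len('source'):] for n in arrays if n == 'source' or n.startswith('source_')}
    for suf in sorted(suffixes):
        sources = arrays['source' + suf]
        present = [a for a in WEAK + STRONG if a + suf in arrays]
        for algo in present:
            sums = arrays[algo + suf]
            if len(sums) != len(sources):
                found.append(('CHECKSUM-MISMATCH',
                              f'source{suf} has {len(sources)} entries but {algo}{suf} has {len(sums)}'))
            if sums and all(s == 'SKIP' for s in sums):
                found.append(('SKIP-ALL', f'{algo}{suf} is all SKIP (no integrity verification)'))
        if present and not any(a in STRONG for a in present):
            found.append(('WEAK-CHECKSUMS', f'only {", ".join(present)} for source{suf}'))
        for url in sources:
            if url.startswith('http://'):
                found.append(('HTTP-SOURCE', url))
    return found


def naive_count_mismatch(arrays):
    """Count every source entry against the first checksum array only.
    This is the kind of check that misfires on per-architecture arrays."""
    total = sum(len(v) for n, v in arrays.items() if n == 'source' or n.startswith('source_'))
    first = next((n for n in arrays if n.startswith(WEAK + STRONG)), None)
    return first is not None and len(arrays[first]) != total


def body_signals(text):
    """Flag lines whose commands match the body patterns, with line numbers."""
    return [(code, f'line {lineno}: {line.strip()}')
            for lineno, line in enumerate(text.splitlines(), 1)
            for code, pat in BODY_PATTERNS if pat.search(line)]


def scan_pkgbuild(text):
    return checksum_signals(parse_arrays(text)) + body_signals(text)


def signal_codes(text):
    """Sorted, de-duplicated signal names for a PKGBUILD text."""
    return sorted({code for code, _ in scan_pkgbuild(text)})


if __name__ == '__main__':
    for code, detail in scan_pkgbuild(SAMPLE_PKGBUILD):
        print(f'{code}: {detail}')
    print('naive count mismatch:', naive_count_mismatch(parse_arrays(SAMPLE_PKGBUILD)))
```

For the sample, the architecture-aware pass reports no checksum-count mismatch (two sources against two md5sums, one x86_64 source against one sha256sums_x86_64 entry) while the naive count does, which is exactly the kind of result a reviewer should verify by reading the PKGBUILD rather than trusting a score. Everything here is pattern matching on text: like any regex heuristic it says nothing about whether a SUID chrome-sandbox or a systemd unit is legitimate for that package, only that it is present.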
Thanks, @dalto !
Would you mix packages from the AUR with others from Flathub? Never wanted to mix them …