Post your traur scan output and discuss here

Not sure what “mix” means. Flatpak/flathub is another means to get applications, they don’t “mix”. They are installed in a separate place so they don’t disturb any system packages.

Just saying, I probably wouldn’t install flatpak just for it, but if you’re maybe already using flatpak I would take that into consideration.

Flatpak applications are isolated, so they shouldn’t interfere with AUR packages from a package management concern (Is that where your concerns come from?)

I would like to point out that Flatpak sandboxing is really weak and in most cases easy to break, at least with defaults. I read a really well done blog post many moons ago which investigated the sandboxing of many applications. The security researcher could break out of the sandbox in almost all cases. Unfortunately I can’t find said post right now :frowning:

That’s not what I mean. I always wanted to use packages from one community source only. On Arch Linux I used the AUR, and on all other distributions I used packages from Flathub. So, I didn’t want to have packages from the distribution, AUR, and Flathub. That’s what I mean.

I understand. Well, I don’t care about that and never experienced problems, but if you want to stick to one solution per device do as you wish of course :grinning_face_with_smiling_eyes:

Maybe I should try … :wink:

No problems like @chriscomputing mixing. But I hear you, I just want one community source only. I have two flatpak apps only because the AUR packages [I won’t name them] were not functioning well on my rig.

So for me to go outside of the community is only a matter of performance not preference. But even if it only were preference I think you’d be fine.

2 cents

My approach is not to be dogmatic but to be practical. If the package is available in the official repos, that’s usually 99.99% the right choice.

Flatpak vs. AUR use what fits best. I usually favor flatpak over AUR if:

  • The app is closed source (Discord, Spotify)
  • The app is a little bit sketchy (jdownloader)
  • I just want to test it without bothering installing a ton of dependencies esp. if it’s a lot of AUR packages
  • Upstream recommends or (only) officially supports the flatpak package

Currently I have 90 AUR packages and 15 flatpak.

Over the last few days we have probably all become aware of how the AUR works; this is the flathub policy for comparison. There are also a lot more resources and eyes on flathub, since it is the app distribution system for several distros, some of them corporate and spending money.

Here’s mine. Because of this, I’ve removed the brscan-skey package (turns out I didn’t need it for my scanner to work).

╰─❮ traur scan
  Fetching package metadata for 10 installed packages...
Scanning 10 AUR packages...
  Fetching maintainer data for 9 unique maintainers...

=== traur scan results ===
  Scanned: 10 packages (0 errors)
  TRUSTED: 7  OK: 2  SKETCHY: 1  SUSPICIOUS: 0  MALICIOUS: 0

=== 10 packages ===

traur: brscan-skey (trust: 44/100)
  Trust: SKETCHY
  Negative signals:
     ! P-SYSTEMD-CREATE: Creating/enabling systemd service
     ! P-INSTALL-PERSISTENCE: Persistence mechanism in install script
       B-SUBMITTER-CHANGED: Package maintainer (0x2501) differs from original submitter (leidola)
     ! B-ORPHAN-TAKEOVER: Adopted package with new git author (0x2501) — orphan takeover pattern
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: via-bin (trust: 74/100)
  Trust: OK
  Negative signals:
       P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative
       M-NO-LICENSE: No license specified
       B-SUBMITTER-CHANGED: Package maintainer (buddyspencer) differs from original submitter (timescam)
     ! B-ORPHAN-TAKEOVER: Adopted package with new git author (Andreas Wachter) — orphan takeover pattern
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: traur-bin (trust: 77/100)
  Trust: OK
  Negative signals:
     ! P-PACMAN-HOOK: Pacman hook creation (unusual for AUR packages)

traur: autopanogiga (trust: 84/100)
  Trust: TRUSTED
  Negative signals:
       M-POP-ZERO: Popularity is 0 (no recent usage)
       B-SUBMITTER-CHANGED: Package maintainer (Emeric) differs from original submitter (dracorp)
       T-AUTHOR-CHANGE: Git history shows multiple different authors
     ! T-DIFF-SOURCE-DOMAIN-CHANGED: Source URLs changed to new domain(s): emeric.io

traur: proton-drive-sync-prerelease-bin (trust: 84/100)
  Trust: TRUSTED
  Negative signals:
     ! M-VOTES-ZERO: Package has zero votes
       M-POP-ZERO: Popularity is 0 (no recent usage)
       B-MAINTAINER-SINGLE: Maintainer has only 1 package
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: brscan4 (trust: 95/100)
  Trust: TRUSTED
  Negative signals:
       P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative

traur: klassy (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: asusctl (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

traur: pacseek (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

traur: rog-control-center (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

The traur scan is nice to have. I use it too. It is good for the present and the future packages. But what about the past? Has your system already been infected in the past?

If you are concerned, like I am, I strongly suggest using clamav: “ClamAV® is an open-source antivirus engine for detecting trojans, viruses, malware & other malicious threats.”

It is in the “extra” repo:

clamav always finds something on my system, but so far only false positives.

I verify each clamav finding with virustotal:

LANG=C traur scan
  Fetching package metadata for 15 installed packages...
Scanning 15 AUR packages...
  Fetching maintainer data for 13 unique maintainers...

=== traur scan results ===
  Scanned: 15 packages (0 errors)
  TRUSTED: 12  OK: 2  SKETCHY: 1  SUSPICIOUS: 0  MALICIOUS: 0

=== 15 packages ===

traur: timeshift-autosnap (trust: 57/100)
  Trust: SKETCHY
  Negative signals:
     ! P-PACMAN-HOOK: Pacman hook creation (unusual for AUR packages)
       B-SUBMITTER-CHANGED: Package maintainer (racehd) differs from original submitter (gobonja)
     ! B-ORPHAN-TAKEOVER: Adopted package with new git author (racehd) — orphan takeover pattern
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: ungoogled-chromium-bin (trust: 65/100)
  Trust: OK
  Negative signals:
    !! P-SUID-BIT: Setting SUID/SGID bit (privilege escalation)
       B-MAINTAINER-SINGLE: Maintainer has only 1 package

traur: traur-bin (trust: 77/100)
  Trust: OK
  Negative signals:
     ! P-PACMAN-HOOK: Pacman hook creation (unusual for AUR packages)

traur: losslesscut-bin (trust: 81/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors
     ! B-BIN-DOMAIN-MISMATCH: -bin package upstream is github.com but source downloads from raw.githubusercontent.com
     ! B-BIN-DOMAIN-MISMATCH: -bin package upstream is github.com but source downloads from raw.githubusercontent.com

traur: heroic-games-launcher-bin (trust: 85/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (flaviofearn) differs from original submitter (cwrau)
       T-AUTHOR-CHANGE: Git history shows multiple different authors
     ! B-BIN-DOMAIN-MISMATCH: -bin package upstream is heroicgameslauncher.com but source downloads from github.com

traur: pinta (trust: 85/100)
  Trust: TRUSTED
  Negative signals:
     ! B-MAINTAINER-BATCH: Maintainer created 21 packages in the last 48 hours
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: python-inputs (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (yochananmarqos) differs from original submitter (majorx234)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: ytdlp-gui (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       M-OUT-OF-DATE: Package is flagged as out of date
       B-MAINTAINER-SINGLE: Maintainer has only 1 package
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: librewolf-bin (trust: 95/100)
  Trust: TRUSTED
  Negative signals:
       M-OUT-OF-DATE: Package is flagged as out of date
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: qdiskinfo-bin (trust: 97/100)
  Trust: TRUSTED
  Negative signals:
       M-VOTES-LOW: Package has very few votes (4)

traur: protonup-qt (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

traur: breitbandmessung-bin (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

traur: python-steam (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

traur: pacseek (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

traur: naps2-bin (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.
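For the ClamAV step in the post above (scan, then check each hit against VirusTotal), here is an added example that is not part of ClamAV, traur or any post in this thread. It parses the `path: Signature FOUND` lines that clamscan prints and computes a SHA-256 for each flagged file, so a finding can be checked by hash lookup instead of uploading the file itself (which matters when the flagged file is private). The clamscan output and the flagged file are constructed inline and the signature names are made up; a file that no longer exists stays in the report with a note rather than silently dropping out.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# clamscan reports each hit as "<path>: <signature name> FOUND"; clean files
# print "<path>: OK" and summary lines carry no FOUND, so both are ignored.
_FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S.*?) FOUND$")


def parse_findings(clamscan_output: str) -> List[Tuple[str, str]]:
    """Extract (path, signature) pairs from clamscan's stdout."""
    findings = []
    for line in clamscan_output.splitlines():
        m = _FOUND_RE.match(line.rstrip())
        if m:
            findings.append((m.group("path"), m.group("sig")))
    return findings


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256; the digest is what a hash lookup needs."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(clamscan_output: str) -> Dict[str, Dict[str, str]]:
    """Map each flagged path to its signature and SHA-256. A file that was
    already removed or is unreadable is kept with a note so nothing clamscan
    reported disappears from the review list."""
    report = {}
    for path, sig in parse_findings(clamscan_output):
        try:
            digest = sha256_of(path)
        except OSError as exc:
            digest = f"unreadable: {exc.strerror}"
        report[path] = {"signature": sig, "sha256": digest}
    return report


def demo() -> Dict[str, object]:
    """Constructed scenario: one real temp file we pretend clamscan flagged,
    one clean file, and one flagged path that does not exist any more."""
    tmpdir = tempfile.mkdtemp()
    flagged = os.path.join(tmpdir, "suspect.bin")
    content = b"constructed sample content, not malware\n"
    with open(flagged, "wb") as fh:
        fh.write(content)
    missing = os.path.join(tmpdir, "already-deleted.bin")
    # Constructed clamscan output; the signature names are made up.
    sample_output = (
        f"{flagged}: Constructed.Example.Sig-1 FOUND\n"
        f"{os.path.join(tmpdir, 'fine.txt')}: OK\n"
        f"{missing}: Constructed.Example.Sig-2 FOUND\n"
        "\n----------- SCAN SUMMARY -----------\n"
        "Infected files: 2\n"
    )
    return {
        "report": triage(sample_output),
        "flagged": flagged,
        "missing": missing,
        "expected_sha256": hashlib.sha256(content).hexdigest(),
    }


if __name__ == "__main__":
    for path, info in demo()["report"].items():
        print(f"{info['sha256']}  {info['signature']}  {path}")
```

On a real system you would feed it the output of `clamscan -r --infected <dir>` instead of the constructed text; the printed digests are then what you paste into a hash search.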

traur scan
  Fetching package metadata for 4 installed packages...
Scanning 4 AUR packages...
  Fetching maintainer data for 4 unique maintainers...

=== traur scan results ===
  Scanned: 4 packages (0 errors)
  TRUSTED: 3  OK: 1  SKETCHY: 0  SUSPICIOUS: 0  MALICIOUS: 0

=== 4 packages ===

traur: traur-bin (trust: 77/100)
  Trust: OK
  Negative signals:
     ! P-PACMAN-HOOK: Pacman hook creation (unusual for AUR packages)

traur: freetube-bin (trust: 85/100)
  Trust: TRUSTED
  Negative signals:
       P-CHECKSUM-MISMATCH: checksum count mismatch: source_x86_64 has 3 entries but sha256sums_x86_64 has 1
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: systemd-manager-tui (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-MAINTAINER-SINGLE: Maintainer has only 1 package
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: extract-xiso (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       M-POP-ZERO: Popularity is 0 (no recent usage)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

Also, I have some packages from Chaotic, but traur doesn’t scan them.

All 9 of my packages show as TRUSTED but most have caveats…

=== traur scan results ===
  Scanned: 10 packages (0 errors)
  TRUSTED: 9  OK: 1  SKETCHY: 0  SUSPICIOUS: 0  MALICIOUS: 0
=== 10 packages ===

traur: traur (trust: 77/100)
  Trust: OK
  Negative signals:
     ! P-PACMAN-HOOK: Pacman hook creation (unusual for AUR packages)

traur: deadbeef (trust: 84/100)
  Trust: TRUSTED
  Negative signals:
       P-CHECKSUM-MISMATCH: checksum count mismatch: source has 3 entries but sha512sums has 1
       M-OUT-OF-DATE: Package is flagged as out of date
       B-SUBMITTER-CHANGED: Package maintainer (FabioLolix) differs from original submitter (arojas)

traur: floorp-bin (trust: 85/100)
  Trust: TRUSTED
  Negative signals:
       P-CHECKSUM-MISMATCH: checksum count mismatch: source_x86_64 has 3 entries but sha256sums_x86_64 has 1
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: tartube (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (mhdi) differs from original submitter (ragouel)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: tor-browser-bin (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (grufo) differs from original submitter (FabioLolix)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: waterfox-bin (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (Exorcism) differs from original submitter (hawkeye116477)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: masterpdfeditor-free (trust: 95/100)
  Trust: TRUSTED
  Negative signals:
       P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative

traur: betterbird-bin (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (Posi) differs from original submitter (btstream)

traur: librewolf-bin (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: xnviewmp (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (Corax) differs from original submitter (oliwer)

Not much here.

$ traur scan
  Fetching package metadata for 7 installed packages...
Scanning 7 AUR packages...
  Fetching maintainer data for 7 unique maintainers...

=== traur scan results ===
  Scanned: 7 packages (0 errors)
  TRUSTED: 6  OK: 1  SKETCHY: 0  SUSPICIOUS: 0  MALICIOUS: 0

=== 7 packages ===

traur: traur (trust: 77/100)
  Trust: OK
  Negative signals:
     ! P-PACMAN-HOOK: Pacman hook creation (unusual for AUR packages)

traur: epson-inkjet-printer-escpr (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (hcartiaux) differs from original submitter (FFY00)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: cryptomator (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (ajgraves) differs from original submitter (Foxboron)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: chromium-widevine (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (envolution) differs from original submitter (Scimmia)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: helium-browser-bin (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-MAINTAINER-SINGLE: Maintainer has only 1 package
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: yay (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: pacseek (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

Very simple.

traur scan
  Fetching package metadata for 11 installed packages...
  Skipping 2 not on AUR: chaotic-keyring, chaotic-mirrorlist
Scanning 9 AUR packages...
  Fetching maintainer data for 9 unique maintainers...

=== traur scan results ===
  Scanned: 9 packages (0 errors)
  TRUSTED: 6  OK: 3  SKETCHY: 0  SUSPICIOUS: 0  MALICIOUS: 0

=== 9 packages ===

traur: brave-bin (trust: 65/100)
  Trust: OK
  Negative signals:
    !! P-SUID-BIT: Setting SUID/SGID bit (privilege escalation)
       B-SUBMITTER-CHANGED: Package maintainer (brave) differs from original submitter (toropisco)

traur: brother-hl2130 (trust: 75/100)
  Trust: OK
  Negative signals:
       P-HTTP-SOURCE: Plain HTTP source URL (no TLS, MITM risk)
       P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative
       M-VOTES-LOW: Package has very few votes (1)
       M-POP-ZERO: Popularity is 0 (no recent usage)
       B-MAINTAINER-SINGLE: Maintainer has only 1 package
       T-SINGLE-COMMIT: Git history has only 1 commit

traur: traur-bin (trust: 77/100)
  Trust: OK
  Negative signals:
     ! P-PACMAN-HOOK: Pacman hook creation (unusual for AUR packages)

traur: deadbeef (trust: 84/100)
  Trust: TRUSTED
  Negative signals:
       P-CHECKSUM-MISMATCH: checksum count mismatch: source has 3 entries but sha512sums has 1
       M-OUT-OF-DATE: Package is flagged as out of date
       B-SUBMITTER-CHANGED: Package maintainer (FabioLolix) differs from original submitter (arojas)

traur: downgrade (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: yay (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: dosbox-staging-bin (trust: 97/100)
  Trust: TRUSTED
  Negative signals:
       M-VOTES-LOW: Package has very few votes (2)

traur: protonup-qt-bin (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

traur: paru (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.


Nothing malicious or suspicious on my side either, some sketchy ones though.

❯  traur scan
  Fetching package metadata for 47 installed packages...
Scanning 47 AUR packages...
  Fetching maintainer data for 39 unique maintainers...

=== traur scan results ===
  Scanned: 47 packages (0 errors)
  TRUSTED: 34  OK: 9  SKETCHY: 4  SUSPICIOUS: 0  MALICIOUS: 0

=== 47 packages ===

traur: brscan-skey (trust: 44/100)
  Trust: SKETCHY
  Negative signals:
     ! P-SYSTEMD-CREATE: Creating/enabling systemd service
     ! P-INSTALL-PERSISTENCE: Persistence mechanism in install script
       B-SUBMITTER-CHANGED: Package maintainer (0x2501) differs from original submitter (leidola)
     ! B-ORPHAN-TAKEOVER: Adopted package with new git author (0x2501) — orphan takeover pattern
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: libsdrplay (trust: 50/100)
  Trust: SKETCHY
  Negative signals:
     ! P-SYSTEMD-CREATE: Creating/enabling systemd service
     ! P-UDEV-RULE: Udev rule creation
       P-HTTP-SOURCE: Plain HTTP source URL (no TLS, MITM risk)
       B-SUBMITTER-CHANGED: Package maintainer (edombek) differs from original submitter (danmc)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: ventoy (trust: 55/100)
  Trust: SKETCHY
  Negative signals:
       P-HTTP-SOURCE: Plain HTTP source URL (no TLS, MITM risk)
       P-CHECKSUM-MISMATCH: checksum count mismatch: source has 69 entries but sha256sums has 22
    !! G-BUSYBOX-SHELL: Busybox shell/network subcommand abuse

traur: python-ftputil (trust: 59/100)
  Trust: SKETCHY
  Negative signals:
     ! P-PYTHON-INLINE: Python inline code execution
       M-OUT-OF-DATE: Package is flagged as out of date
       B-SUBMITTER-CHANGED: Package maintainer (alhirzel) differs from original submitter (nic96)
     ! B-ORPHAN-TAKEOVER: Adopted package with new git author (cqzw555) — orphan takeover pattern
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: electron37-bin (trust: 65/100)
  Trust: OK
  Negative signals:
    !! P-SUID-BIT: Setting SUID/SGID bit (privilege escalation)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: brave-bin (trust: 65/100)
  Trust: OK
  Negative signals:
    !! P-SUID-BIT: Setting SUID/SGID bit (privilege escalation)
       B-SUBMITTER-CHANGED: Package maintainer (brave) differs from original submitter (toropisco)

traur: brave-origin-bin (trust: 65/100)
  Trust: OK
  Negative signals:
    !! P-SUID-BIT: Setting SUID/SGID bit (privilege escalation)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: teams-for-linux (trust: 74/100)
  Trust: OK
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (pschichtel) differs from original submitter (ivelkov)
     ! G-DOWNLOAD-NODE: Node.js HTTP download or npx remote execution

traur: nct6687d-dkms-git (trust: 75/100)
  Trust: OK
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (darose) differs from original submitter (benlypan)
     ! B-ORPHAN-TAKEOVER: Adopted package with new git author (David Rosenstrauch) — orphan takeover pattern
       T-AUTHOR-CHANGE: Git history shows multiple different authors
     ! T-DIFF-CHECKSUM-REMOVED: All checksums changed to SKIP in latest update

traur: bambustudio-nvidia-bin (trust: 77/100)
  Trust: OK
  Negative signals:
       P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative
       B-MAINTAINER-SINGLE: Maintainer has only 1 package
     ! B-BIN-DOMAIN-MISMATCH: -bin package upstream is github.com but source downloads from archive.archlinux.org
     ! B-BIN-DOMAIN-MISMATCH: -bin package upstream is github.com but source downloads from archive.archlinux.org

traur: traur (trust: 77/100)
  Trust: OK
  Negative signals:
     ! P-PACMAN-HOOK: Pacman hook creation (unusual for AUR packages)

traur: brother-mfc-7460dn (trust: 78/100)
  Trust: OK
  Negative signals:
       P-HTTP-SOURCE: Plain HTTP source URL (no TLS, MITM risk)
       P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative
       M-VOTES-LOW: Package has very few votes (3)
       M-POP-ZERO: Popularity is 0 (no recent usage)
       B-SUBMITTER-CHANGED: Package maintainer (severach) differs from original submitter (vivien)

traur: coolercontrold-bin (trust: 80/100)
  Trust: OK
  Negative signals:
     ! P-SYSTEMD-CREATE: Creating/enabling systemd service
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: gearlever (trust: 84/100)
  Trust: TRUSTED
  Negative signals:
       P-CHECKSUM-MISMATCH: checksum count mismatch: source has 3 entries but sha256sums has 1
       M-OUT-OF-DATE: Package is flagged as out of date
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: python-steamgriddb (trust: 84/100)
  Trust: TRUSTED
  Negative signals:
       P-CHECKSUM-MISMATCH: checksum count mismatch: source has 3 entries but sha256sums has 1
     ! T-DIFF-SOURCE-DOMAIN-CHANGED: Source URLs changed to new domain(s): sourceforge.net

traur: accounts-qml-module (trust: 85/100)
  Trust: TRUSTED
  Negative signals:
       P-SKIP-ALL: All checksums are SKIP (no integrity verification)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: neofetch (trust: 85/100)
  Trust: TRUSTED
  Negative signals:
       P-SKIP-ALL: All checksums are SKIP (no integrity verification)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: heroic-games-launcher-bin (trust: 85/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (flaviofearn) differs from original submitter (cwrau)
       T-AUTHOR-CHANGE: Git history shows multiple different authors
     ! B-BIN-DOMAIN-MISMATCH: -bin package upstream is heroicgameslauncher.com but source downloads from github.com

traur: vkbasalt-cli (trust: 89/100)
  Trust: TRUSTED
  Negative signals:
       P-SKIP-ALL: All checksums are SKIP (no integrity verification)

traur: python-pathvalidate (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (fordprefect) differs from original submitter (fl0w1)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: sdrpp-git (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (thotypous) differs from original submitter (ryzerth)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: helium-browser-bin (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-MAINTAINER-SINGLE: Maintainer has only 1 package
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: splix (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (roceb) differs from original submitter (arojas)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: woeusb-ng (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (barbuk) differs from original submitter (Waxy)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: libsoup (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (HurricanePootis) differs from original submitter (City-busz)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: lmstudio-bin (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (noureddinex) differs from original submitter (MadGoat)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: python-inputs (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (yochananmarqos) differs from original submitter (majorx234)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: python-setuptools-reproducible (trust: 95/100)
  Trust: TRUSTED
  Negative signals:
       T-SINGLE-COMMIT: Git history has only 1 commit
       M-GITHUB-STARS-LOW: Upstream GitHub repo has very few stars (7)

traur: brscan4 (trust: 95/100)
  Trust: TRUSTED
  Negative signals:
       P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative

traur: httpdirfs (trust: 95/100)
  Trust: TRUSTED
  Negative signals:
       P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative

traur: python-gevent-eventemitter (trust: 95/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors
       M-GITHUB-STARS-LOW: Upstream GitHub repo has very few stars (7)

traur: airspyhf-git (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: etcher-bin (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (ali.molaei) differs from original submitter (ams1)

traur: coolercontrol-bin (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: patool (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: plasma6-applets-appgrid (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: proton-mail-bin (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (AlphaLynx) differs from original submitter (yochananmarqos)

traur: hytale-launcher-bin (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: xnviewmp (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (Corax) differs from original submitter (oliwer)

traur: parallel-hashmap (trust: 97/100)
  Trust: TRUSTED
  Negative signals:
       M-VOTES-LOW: Package has very few votes (2)

traur: python-desktop-entry-lib (trust: 97/100)
  Trust: TRUSTED
  Negative signals:
       M-VOTES-LOW: Package has very few votes (4)

traur: fvs2 (trust: 98/100)
  Trust: TRUSTED
  Negative signals:
       M-GITHUB-STARS-LOW: Upstream GitHub repo has very few stars (2)

traur: python-steam (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

traur: dwarfs-bin (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

traur: protonplus (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

traur: python-fvs (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

traur: mprime (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.
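The P-* signals in these scans are checks on the PKGBUILD itself. As an added example (my own code, not traur’s, and not the implementation traur actually uses) here is a small Python analyser that re-derives five of them from the source and checksum arrays, following the rules the messages above describe: one checksum entry per source entry of the same suffix (P-CHECKSUM-MISMATCH), md5/sha1 with no sha256/sha512/b2 array for that suffix (P-WEAK-CHECKSUMS), every checksum set to SKIP (P-SKIP-ALL), a plain http:// download (P-HTTP-SOURCE), and a setuid/setgid mode in an install or chmod call (P-SUID-BIT). The two PKGBUILDs are constructed, not real AUR packages, and the array parser handles only the plain quoting most PKGBUILDs use.

```python
import re
from typing import Dict, List, Optional, Tuple

Signal = Tuple[str, str]  # (signal id, message)

STRONG_SUMS = ("sha256sums", "sha512sums", "b2sums")
WEAK_SUMS = ("md5sums", "sha1sums")
ALL_SUMS = STRONG_SUMS + WEAK_SUMS + ("sha224sums", "sha384sums", "cksums")

# Top-level bash arrays: name=( ... ), possibly spanning several lines.
_ARRAY_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=\(\s*(.*?)\s*\)", re.S | re.M)
# install -Dm4755 / chmod u+s / chmod 2755: setuid or setgid bits being set.
_SUID_RE = re.compile(r"install\s+-[A-Za-z]*m[2467][0-7]{3}\b|chmod\s+(?:[ug]\+s|[2467][0-7]{3}\b)")


def parse_arrays(pkgbuild: str) -> Dict[str, List[str]]:
    """Return each top-level array as a list of unquoted entries. Only the
    plain quoting typical PKGBUILDs use is handled; nothing is expanded."""
    return {name: [tok.strip("'\"") for tok in body.split()]
            for name, body in _ARRAY_RE.findall(pkgbuild)}


def _split_suffix(name: str) -> Tuple[Optional[str], str]:
    """'sha256sums_x86_64' -> ('sha256sums', '_x86_64'); 'depends' -> (None, '')."""
    for base in ALL_SUMS + ("source",):
        if name == base or name.startswith(base + "_"):
            return base, name[len(base):]
    return None, ""


def scan_pkgbuild(pkgbuild: str) -> List[Signal]:
    arrays = parse_arrays(pkgbuild)
    sources = {n: v for n, v in arrays.items() if _split_suffix(n)[0] == "source"}
    sums = {n: v for n, v in arrays.items() if _split_suffix(n)[0] in ALL_SUMS}
    signals: List[Signal] = []

    # P-HTTP-SOURCE: a download over plain HTTP; 'localname::url' renaming is handled.
    for name, entries in sources.items():
        for entry in entries:
            url = entry.split("::", 1)[-1]
            if url.startswith("http://"):
                signals.append(("P-HTTP-SOURCE", f"plain HTTP source URL in {name}: {url}"))

    # P-CHECKSUM-MISMATCH: makepkg pairs entries positionally, so a checksum
    # array must have exactly one entry per source entry of the same suffix.
    for sname, sentries in sources.items():
        suffix = _split_suffix(sname)[1]
        for cname, centries in sums.items():
            if _split_suffix(cname)[1] == suffix and len(centries) != len(sentries):
                signals.append(("P-CHECKSUM-MISMATCH",
                                f"checksum count mismatch: {sname} has {len(sentries)} "
                                f"entries but {cname} has {len(centries)}"))

    # P-WEAK-CHECKSUMS: md5/sha1 only, with no sha256/sha512/b2 array for that suffix.
    for cname in sums:
        base, suffix = _split_suffix(cname)
        if base in WEAK_SUMS and not any(s + suffix in sums for s in STRONG_SUMS):
            signals.append(("P-WEAK-CHECKSUMS", f"{cname} used without a stronger alternative"))

    # P-SKIP-ALL: every checksum is SKIP, so makepkg verifies no download at all.
    entries = [e for v in sums.values() for e in v]
    if entries and all(e == "SKIP" for e in entries):
        signals.append(("P-SKIP-ALL", "all checksums are SKIP (no integrity verification)"))

    # P-SUID-BIT: setuid/setgid modes in the packaging functions.
    for m in _SUID_RE.finditer(pkgbuild):
        signals.append(("P-SUID-BIT", f"setuid/setgid mode set: {m.group(0)}"))
    return signals


def signal_ids(pkgbuild: str) -> List[str]:
    return sorted({sid for sid, _ in scan_pkgbuild(pkgbuild)})


# Constructed PKGBUILDs (not real AUR packages). The first trips four checks,
# the second only the all-SKIP one.
NOISY_PKGBUILD = r'''
pkgname=example-bin
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
url="https://github.com/example/example"
source=("http://downloads.example.org/example-1.2.3.tar.gz"
        "example.desktop"
        "example.sh")
md5sums=('d41d8cd98f00b204e9800998ecf8427e')
source_x86_64=("https://github.com/example/example/releases/download/v1.2.3/example.AppImage")
sha256sums_x86_64=('SKIP')

package() {
  install -Dm4755 "$srcdir/example" "$pkgdir/usr/bin/example"
}
'''

SKIP_PKGBUILD = r'''
pkgname=example
pkgver=1.2.3
source=("https://github.com/example/example/archive/v1.2.3.tar.gz"
        "example.desktop")
sha256sums=('SKIP'
            'SKIP')

package() {
  install -Dm755 "$srcdir/example" "$pkgdir/usr/bin/example"
}
'''

if __name__ == "__main__":
    for sid, msg in scan_pkgbuild(NOISY_PKGBUILD):
        print(f"{sid}: {msg}")
```

The count check is the one worth understanding: makepkg matches `sha256sums` entries to `source` entries by position, so when a package has three sources and one checksum the two extra downloads are never verified at all, which is why the scans above flag it even on packages rated TRUSTED.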

traur finding issues with traur… that’s funny.

traur: traur (trust: 77/100)
  Trust: OK
  Negative signals:
     ! P-PACMAN-HOOK: Pacman hook creation (unusual for AUR packages)

Thanks @mbod, totally forgot about ClamAV!

Do you need this? You can usually remove these old electron versions.

This one correctly triggers flags because it runs a script on the user’s machine as a post-install step. That being said, it seems to be a script provided by the Brother application. While that is definitely sketchy, I don’t know anything about this application so it could be required.

Is this doing anything useful these days? When I last looked at it (which was quite a while ago), it was doing basic file scans mostly looking for files compromised with Windows viruses.

At the time, infecting files that way wasn’t really a common attack vector.

Yeah, I’ve taken the time, seeing those, to do a cleanup and remove some unnecessary packages.

Removed:

  • libsdrplay
  • brscan-skey
  • python-ftputil (required by gearlever)
  • electron37-bin
  • gearlever
  • helium-browser-bin (using brave-origin)
  • splix
  • and a few less important packages

❯  traur scan
  Fetching package metadata for 34 installed packages...
Scanning 34 AUR packages...
  Fetching maintainer data for 26 unique maintainers...

=== traur scan results ===
  Scanned: 34 packages (0 errors)
  TRUSTED: 25  OK: 8  SKETCHY: 1  SUSPICIOUS: 0  MALICIOUS: 0

=== 34 packages ===

traur: ventoy (trust: 55/100)
  Trust: SKETCHY
  Negative signals:
       P-HTTP-SOURCE: Plain HTTP source URL (no TLS, MITM risk)
       P-CHECKSUM-MISMATCH: checksum count mismatch: source has 69 entries but sha256sums has 22
    !! G-BUSYBOX-SHELL: Busybox shell/network subcommand abuse

traur: brave-bin (trust: 65/100)
  Trust: OK
  Negative signals:
    !! P-SUID-BIT: Setting SUID/SGID bit (privilege escalation)
       B-SUBMITTER-CHANGED: Package maintainer (brave) differs from original submitter (toropisco)

traur: brave-origin-bin (trust: 65/100)
  Trust: OK
  Negative signals:
    !! P-SUID-BIT: Setting SUID/SGID bit (privilege escalation)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: teams-for-linux (trust: 73/100)
  Trust: OK
  Negative signals:
       M-OUT-OF-DATE: Package is flagged as out of date
       B-SUBMITTER-CHANGED: Package maintainer (pschichtel) differs from original submitter (ivelkov)
     ! G-DOWNLOAD-NODE: Node.js HTTP download or npx remote execution

traur: nct6687d-dkms-git (trust: 75/100)
  Trust: OK
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (darose) differs from original submitter (benlypan)
     ! B-ORPHAN-TAKEOVER: Adopted package with new git author (David Rosenstrauch) — orphan takeover pattern
       T-AUTHOR-CHANGE: Git history shows multiple different authors
     ! T-DIFF-CHECKSUM-REMOVED: All checksums changed to SKIP in latest update

traur: bambustudio-nvidia-bin (trust: 77/100)
  Trust: OK
  Negative signals:
       P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative
       B-MAINTAINER-SINGLE: Maintainer has only 1 package
     ! B-BIN-DOMAIN-MISMATCH: -bin package upstream is github.com but source downloads from archive.archlinux.org
     ! B-BIN-DOMAIN-MISMATCH: -bin package upstream is github.com but source downloads from archive.archlinux.org

traur: traur-bin (trust: 77/100)
  Trust: OK
  Negative signals:
     ! P-PACMAN-HOOK: Pacman hook creation (unusual for AUR packages)

traur: brother-mfc-7460dn (trust: 78/100)
  Trust: OK
  Negative signals:
       P-HTTP-SOURCE: Plain HTTP source URL (no TLS, MITM risk)
       P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative
       M-VOTES-LOW: Package has very few votes (3)
       M-POP-ZERO: Popularity is 0 (no recent usage)
       B-SUBMITTER-CHANGED: Package maintainer (severach) differs from original submitter (vivien)

traur: coolercontrold-bin (trust: 80/100)
  Trust: OK
  Negative signals:
     ! P-SYSTEMD-CREATE: Creating/enabling systemd service
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: python-steamgriddb (trust: 84/100)
  Trust: TRUSTED
  Negative signals:
       P-CHECKSUM-MISMATCH: checksum count mismatch: source has 3 entries but sha256sums has 1
     ! T-DIFF-SOURCE-DOMAIN-CHANGED: Source URLs changed to new domain(s): sourceforge.net

traur: accounts-qml-module (trust: 85/100)
  Trust: TRUSTED
  Negative signals:
       P-SKIP-ALL: All checksums are SKIP (no integrity verification)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: heroic-games-launcher-bin (trust: 85/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (flaviofearn) differs from original submitter (cwrau)
       T-AUTHOR-CHANGE: Git history shows multiple different authors
     ! B-BIN-DOMAIN-MISMATCH: -bin package upstream is heroicgameslauncher.com but source downloads from github.com

traur: neofetch (trust: 85/100)
  Trust: TRUSTED
  Negative signals:
       P-SKIP-ALL: All checksums are SKIP (no integrity verification)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: vkbasalt-cli (trust: 89/100)
  Trust: TRUSTED
  Negative signals:
       P-SKIP-ALL: All checksums are SKIP (no integrity verification)

traur: libsoup (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (HurricanePootis) differs from original submitter (City-busz)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: lmstudio-bin (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (noureddinex) differs from original submitter (MadGoat)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: python-inputs (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (yochananmarqos) differs from original submitter (majorx234)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: python-pathvalidate (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (fordprefect) differs from original submitter (fl0w1)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: woeusb-ng (trust: 92/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (barbuk) differs from original submitter (Waxy)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: python-setuptools-reproducible (trust: 95/100)
  Trust: TRUSTED
  Negative signals:
       T-SINGLE-COMMIT: Git history has only 1 commit
       M-GITHUB-STARS-LOW: Upstream GitHub repo has very few stars (7)

traur: httpdirfs (trust: 95/100)
  Trust: TRUSTED
  Negative signals:
       P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative

traur: python-gevent-eventemitter (trust: 95/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors
       M-GITHUB-STARS-LOW: Upstream GitHub repo has very few stars (7)

traur: brscan4 (trust: 95/100)
  Trust: TRUSTED
  Negative signals:
       P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative

traur: airspyhf-git (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: patool (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: proton-mail-bin (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (AlphaLynx) differs from original submitter (yochananmarqos)

traur: hytale-launcher-bin (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: coolercontrol-bin (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: xnviewmp (trust: 96/100)
  Trust: TRUSTED
  Negative signals:
       B-SUBMITTER-CHANGED: Package maintainer (Corax) differs from original submitter (oliwer)

traur: parallel-hashmap (trust: 97/100)
  Trust: TRUSTED
  Negative signals:
       M-VOTES-LOW: Package has very few votes (2)

traur: fvs2 (trust: 98/100)
  Trust: TRUSTED
  Negative signals:
       M-GITHUB-STARS-LOW: Upstream GitHub repo has very few stars (2)

traur: python-steam (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

traur: protonplus (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

traur: python-fvs (trust: 100/100)
  Trust: TRUSTED
  No negative signals found.

Spotted this on the Arch Linux forum - https://bbs.archlinux.org/viewtopic.php?id=313955

A long and detailed article about using traur:

No TL;DR in the same way that you should always read the PKGBUILD :winking_face_with_tongue:

and I manually inspect PKGBUILDs, so my trust in these four packages is my trust in what they provide