This whole discussion is basically telling everybody again that the AUR is anonymous. There are probably lots of bad guys with packages on the AUR and you don't know it. Knowing this “one guy” is just a good reminder about the overall threat level.
The lesson learned is clear: Check the PKGBUILD before you install anything from the AUR. You do not need to be a programmer to do this. Just check the “source” and the “patches” which are being used to build the package. If you trust the source, then go for it.
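As an added illustration of the “check the source and patches” step (this is example code, not something posted in the thread), the script below lists every entry of a PKGBUILD's `source=()` array next to its `sha256sums=()` entry and flags downloads whose checksum is `SKIP` or missing and plain-`http://` URLs, without executing the PKGBUILD. The sample PKGBUILD it reviews is constructed for the example; it assumes bash with awk, paste and mktemp available.

```bash
#!/usr/bin/env bash
# Constructed sample PKGBUILD for the demo (not a real AUR package).
make_sample_pkgbuild() {
cat >"$1" <<'EOF'
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
source=("https://example.org/example-tool-1.2.3.tar.gz"
        "fix-build.patch"
        "http://mirror.example.net/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP'
            'SKIP')
build() { make; }
package() { make DESTDIR="$pkgdir" install; }
EOF
}

# Print the quoted entries of bash array $2 in file $1, one per line.
# The file is only text-scanned, never sourced, so nothing in it runs.
extract_array() {
  awk -v name="$2" -v q="'" '
    BEGIN { re = "[\"" q "][^\"" q "]+[\"" q "]" }
    index($0, name "=(") == 1 { inarr = 1 }
    inarr {
      line = $0
      while (match(line, re)) {
        print substr(line, RSTART + 1, RLENGTH - 2)
        line = substr(line, RSTART + RLENGTH)
      }
      if (line ~ /\)/) inarr = 0      # closing paren ends the array
    }' "$1"
}

# One tab-separated line per source: entry, checksum, review note.
review_pkgbuild() {
  local f="$1" tmpdir
  tmpdir=$(mktemp -d)
  extract_array "$f" source >"$tmpdir/src"
  extract_array "$f" sha256sums >"$tmpdir/sum"
  paste -d "$(printf '\t')" "$tmpdir/src" "$tmpdir/sum" |
  while IFS="$(printf '\t')" read -r s c; do
    c="${c:-MISSING}"; note=""
    case "$c" in SKIP|MISSING) note="unverified checksum ($c)";; esac
    case "$s" in http://*) note="${note:+$note; }plaintext http download";; esac
    printf '%s\t%s\t%s\n' "$s" "$c" "${note:-ok}"
  done
  rm -rf "$tmpdir"
}
```

Run it as `review_pkgbuild /path/to/PKGBUILD`; any line not marked `ok` is a source you should open and read before building.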
This comment is in reference to the comparison of using the AUR to build a package vs building it yourself. In other words, we are comparing packaging/installation methods.
The OP is feeling that the AUR is unsafe because anyone can post a package there. My comment is in direct reference to that.
The question of if the software itself is safe or not isn’t relevant to this particular comparison. If the software itself isn’t safe, whether you pull it from AUR, build it yourself, use a repo package or any other packaging mechanism makes no difference.
What I was discussing is if the AUR packaging is safe or not. This is because the packaging can inject unsafe things even if the software is 100% trustworthy.
Taken in context, the relevance of my comment is that the AUR is an extremely safe packaging source compared to other sources if you use it properly. I am not proposing that the AUR magically makes upstream sources safer to use.
With most packages, you need to trust the packager since you have no easy way of knowing what is inside. With AUR, you don’t need to trust the packager since you can review it yourself as part of the installation/update process.
No matter how well-written a PKGBUILD is (that is, it is not injecting anything nasty into the built package), no matter how much you review a PKGBUILD and how transparent the building mechanism is, there is still a difference between transparency and safety.
My point is with a perfectly fine and transparent packaging mechanism, one could still end up building an unsafe package.
From AUR’s PKGBUILD transparency to regarding AUR as “the safest 3rd party repo” is a stretch in my thinking.
However, your further explanation put forward some points in the light of which your initial comment can be interpreted differently.
Right, but you are taking that comment completely out of context.
That comment is part of a discussion, it isn’t meant to stand alone as an independent statement.
That being said, it specifically reads: “AUR is one of the safest 3rd party repos”. That should not imply that all the software in AUR is safe. It should imply that, compared to other 3rd party repos, AUR is one of the safest as long as you review the PKGBUILDs.
In no circumstance should that be interpreted as “All software in the AUR is safe if you review the PKGBUILD”.
I could agree on this but with some “modifications”:
Compared to other 3rd party repos, AUR’s PKGBUILDs make the process of how a package is built and from what transparent to the user. In that sense it is the most transparent system.
It could potentially be the safest system as long as the user knows and trusts what it is that goes into that package.
The latter, in my mind, requires that the user has a way of making sure about the “sanity” of the code from which the package is built with Arch’s transparent package building mechanism.
It has been a long time since I used those, but do those display the changes and ask for confirmation as part of the update/installation process? Or, at least, have an option to do that?
That would be more concerning if Gabe Newell went around publicly soliciting advice on how to write viruses to prove a strange point, but to my knowledge he hasn't done that yet, so Steam is probably safe.