upvote

points

by jeremyjh7 hours ago |
comments
upvoteby akdev1l6 hours ago|
[-]
The canonical answer to any concerns with the AUR is always “just read the PKGBUILDs bro”
reply
upvoteby hootz5 hours ago|
parent|
[-]
For every single update, for all your AUR packages, all the time.

You know that thing where if you make a security review feature obnoxious, after some time people will just accept everything without even looking? Yeah...

reply
upvoteby ptx2 hours ago|
parent|
next
[-]
> For every single update, for all your AUR packages, all the time.

Yes, that's what I used to do when I ran Arch. It's usually easy. The PKGBUILD is usually small to begin with and the difference for a new version should normally be something like the URL and the version number and not much else, so you can just diff it against the old version.

reply
upvoteby hootz2 hours ago|
parent|
next
[-]
I do it too, but I can see why this can be a problem for users. There should be an "official" scan for potentially malicious changes. I use a third party AUR scanner to help me with this.
reply
upvoteby MMMaellon1 hours ago|
parent|
[-]
What third party scanner do you use?
reply
upvoteby streb-lo1 hours ago|
parent|
prev|
[-]
paru presents all pkgbuild diffs to you before installing, that's what I use to read them.

I usually only use AUR to install trusted pre-compiled binary packages, the scripts are very simple and the only thing that should ever change is the url and the sha256

reply
upvoteby DavideNL1 hours ago|
parent|
[-]
Yea, paru makes it really easy, i noticed the diffs are a little easier/different versus yay. Not sure though if it's a config setting, haven't figured out the details yet.

Also paru shows you coloured code syntax if you have `bat` installed, i think.

reply
upvoteby rossvor4 hours ago|
parent|
prev|
[-]
You are thinking of the alarm fatigue[1], but it doesn't apply here -- there are no constant alerts warning that you are doing something dangerous to the point you get desensitized and start to ignore them. The correct analogy here are checklists -- things that you need to check if you are to do this "dangerous" activity (AUR usage), akin to pre-flight checklist.

[1] https://en.wikipedia.org/wiki/Alarm_fatigue

reply
upvoteby hootz4 hours ago|
parent|
[-]
Oh yeah, that's the name of it. But I guess something similar happens with checklists, you do it so many times without anything bad ever appearing that you start to subconsciously assume nothing will ever happen. Why check the rotor of my helicopter when nothing ever happened to it for 5 years? This checklist is a waste of time!
reply
upvoteby opan4 hours ago|
parent|
[-]
That one's survivorship bias I think.
reply