undefined

points

[-]

Idk. Arch does have official repositories that are actively maintained and vetted. AUR is for the vast amounts of random software that isn’t popular or important enough to be officially maintained.

I’m not sure how to find a balance. One reason to use Arch is to always have the latest software, especially if you’re gaming. (Need to run very recent kernels, GPU drivers, and DEs to support new graphics cards.) So that’s very different from other stable LTS distros which carefully pick the package updates they incorporate.

Anyways, I do agree package cooldowns and such make a lot of sense. Package managers should be pulling out the stops on all the free controls they can implement. I can understand why anything requiring compute or maintainer time is a non-starter. (Sidebar: I don’t feel the same way about npm. Microsoft can afford to run malware scanners and analysis tools on npm packages.)

https://wiki.archlinux.org/title/Official_repositories

by beej714 hours ago|

parent|

[-]

There's some big stuff in AUR like the binary VS Code and Chrome, fwiw.

by newsoftheday4 hours ago|

parent|

[-]

I'm on Kubuntu and I install VS Code using Microsoft's repo and Chrome using Google's repo. Also I do Wine and Docker using their own repos. I can't imagine VS Code or even Chrome being put into the mainstream Kubuntu/Ubuntu repos nor why such a burden should ever be shifted to Canonical.

by vlovich1233 hours ago|

parent|

[-]

That’s because you’re using something those companies officially support. Is your argument everyone running Linux needs to be on a Debian-based or Fedora-based distribution?

Btw the official “vscode on Linux” instructions literally point to the community maintained AUR (same for nix).

The truth of the matter is the AUR is poorly maintained structurally, regardless of what companies officially support. Things like letting arbitrary people unilaterally take over orphaned packages is horrendously stupid.

by sam_lowry_3 hours ago|

parent|

[-]

Stupid or rather low-friction on purpose?

by emsign2 hours ago|

parent|

[-]

Both. And that's an even worse combo, making stupidity frictionless.

by tjoff4 hours ago|

parent|

prev|

[-]

Since you are using the official repos thats not an issue. The issue is when the package creator is some rando on the internet.

by drnick13 hours ago|

parent|

prev|

[-]

I wouldn't those programs. You have the corresponding FOSS versions (code-oss and chromium) in the main repository. Chrome is basically spyware.

by mcv4 hours ago|

prev|

[-]

It's definitely a sign that popular packages should be moved from AUR to the official repository. I've got some stuff from AUR simply because it's something I need and that's where it is, and I never really verify it's safe; I just trust it blindly. Clearly a bad idea. I guess I should learn to avoid AUR and when I do use something from it, we more aware it's an exception and I need to check it more thoroughly. That's something I normally only do only for stuff that's neither from AUR nor the official repo.

by axus4 hours ago|

parent|

[-]

How much work is created (and for who) when a package is moved to the official repository?

by thewebguyd3 hours ago|

prev|

[-]

> Some other controls could at least alleviate the problem

The biggest one I'd suggest they change immediately is remove the ability for anyone to just take over an orphaned package. That's a crazy policy, to me.

It should require you to fork it & resubmit, not take over the original.

Then they can go through and do purges of orphaned packages that are beyond a certain age.

by xnzakg2 hours ago|

parent|

[-]

How would this help against someone submitting an actual, non-compromised version bump, then adding malware once it's accepted?

by embedding-shape6 hours ago|

prev|

[-]

Personally, what you suggest would defeat the purpose of the AUR, and what you describe is already applied to the official packages. If you want only the safe and stable stuff, don't use random packages from AUR :)