undefined | Better HN

0 pointsHankB997y ago0 comments

> ... and the AUR, which everyone knows are not officially endorsed or reviewed ...

Uh, not everyone. I ran Manjaro for a bit and found that many of the things I ran were available via AUR. The usual thing I'd find in a search was usually something like: sudo pacman -Sy sudo pacman -S yaourt base-devel yaourt -Sy yaourt -S gpodder (That's the entire reply, BTW.) At some point I started to wonder what the provenance of these packages was and what the security implications were. I might have looked for information on the security risks of these packages but this is the first concrete claim I recall seeing about the subject. Probably a good thing I'm not running Manjaro any more.

I do run Ubuntu and have some snaps installed (Golang, VS code among others) and I'm now wondering if it would be possible for a malicious developer to substitute compromised snaps for the official ones. My understanding is that they update silently and automatically so I wouldn't even know about updates if I didn't check logs.

0 comments

B-Con7y ago

You can't install unofficial packages via pacman. And AFAIK none of the unofficial/AUR package managers, like yaourt, are in the official repositories so the point where you cross the line is very clear and distinct and any wiki guide to installing from the AUR makes it clear you are going into unofficial territory.

I haven't used Manjaro but they seem to intentionally hide the distinction between the official and unofficial repos, which is a bad idea.

gmueckl7y ago

Also, yaourt has a lot of warnings and prompts at each step along the way to make absolutely certain that you understand what you're getting yourself into with the packages you're installing. The process is certainly not for beginners. Ubuntu seems to go for a more user friendly process instead.

Shikadi7y ago

In ubuntu, it's even less obvious. Main, restricted, and universe are all checked together by apt, and treated the same

geofft7y ago

But main/restricted and universe are both vetted—the only people who can upload to universe are Debian developers (indirectly, via Ubuntu importing from Debian) and Ubuntu developers, and the process of becoming either of these is nontrivial.

Ubuntu's equivalent of the AUR, if I understand the AUR right, is PPAs, which are definitely not enabled by default and are fairly obvious about their third-party-ness.

(Main vs. restricted and universe vs. multiverse is just about licensing, not access control or vetting.)

Shikadi7y ago

It took me a good amount of googling to verify that, but you're mostly correct, there are only 132 developers with upload rights to the universe repository. Though I would argue that the distinction isn't just licensing, since Canonical themselves only support main and restricted.

2 more replies

j / k navigate · click thread line to collapse

0 pointsHankB997y ago0 comments

> ... and the AUR, which everyone knows are not officially endorsed or reviewed ...

0 comments

B-Con7y ago

I haven't used Manjaro but they seem to intentionally hide the distinction between the official and unofficial repos, which is a bad idea.

gmueckl7y ago

Shikadi7y ago

In ubuntu, it's even less obvious. Main, restricted, and universe are all checked together by apt, and treated the same

geofft7y ago

Ubuntu's equivalent of the AUR, if I understand the AUR right, is PPAs, which are definitely not enabled by default and are fairly obvious about their third-party-ness.

(Main vs. restricted and universe vs. multiverse is just about licensing, not access control or vetting.)

Shikadi7y ago

2 more replies

j / k navigate · click thread line to collapse