undefined | Better HN

0 pointsakdev1l14d ago0 comments

The canonical answer to any concerns with the AUR is always “just read the PKGBUILDs bro”

0 comments

7 comments · 1 top-level

hootz14d ago· 6 in thread

For every single update, for all your AUR packages, all the time.

You know that thing where if you make a security review feature obnoxious, after some time people will just accept everything without even looking? Yeah...

ptx14d ago

> For every single update, for all your AUR packages, all the time.

Yes, that's what I used to do when I ran Arch. It's usually easy. The PKGBUILD is usually small to begin with and the difference for a new version should normally be something like the URL and the version number and not much else, so you can just diff it against the old version.

streb-lo14d ago

paru presents all pkgbuild diffs to you before installing, that's what I use to read them.

I usually only use AUR to install trusted pre-compiled binary packages, the scripts are very simple and the only thing that should ever change is the url and the sha256

1 more reply

hootz14d ago

I do it too, but I can see why this can be a problem for users. There should be an "official" scan for potentially malicious changes. I use a third party AUR scanner to help me with this.

1 more reply

rossvor14d ago

You are thinking of the alarm fatigue[1], but it doesn't apply here -- there are no constant alerts warning that you are doing something dangerous to the point you get desensitized and start to ignore them. The correct analogy here are checklists -- things that you need to check if you are to do this "dangerous" activity (AUR usage), akin to pre-flight checklist.

[1] https://en.wikipedia.org/wiki/Alarm_fatigue

hootz14d ago

Oh yeah, that's the name of it. But I guess something similar happens with checklists, you do it so many times without anything bad ever appearing that you start to subconsciously assume nothing will ever happen. Why check the rotor of my helicopter when nothing ever happened to it for 5 years? This checklist is a waste of time!

2 more replies

LtWorf13d ago

Most people should just be using debian stable really.

j / k navigate · click thread line to collapse

0 comments

7 comments · 1 top-level

hootz14d ago· 6 in thread

For every single update, for all your AUR packages, all the time.

You know that thing where if you make a security review feature obnoxious, after some time people will just accept everything without even looking? Yeah...

ptx14d ago

> For every single update, for all your AUR packages, all the time.

streb-lo14d ago

paru presents all pkgbuild diffs to you before installing, that's what I use to read them.

I usually only use AUR to install trusted pre-compiled binary packages, the scripts are very simple and the only thing that should ever change is the url and the sha256

1 more reply

hootz14d ago

I do it too, but I can see why this can be a problem for users. There should be an "official" scan for potentially malicious changes. I use a third party AUR scanner to help me with this.

1 more reply

rossvor14d ago

[1] https://en.wikipedia.org/wiki/Alarm_fatigue

hootz14d ago

2 more replies

LtWorf13d ago

Most people should just be using debian stable really.

j / k navigate · click thread line to collapse