I’m thinking about switching to a Firefox fork as a web browser. Apart from Tor, they’re all on AUR. I can’t use Tor all the time.
Do you consider that a security risk that’s worth worrying about? E.g. you could get a dodgy maintainer putting malware in it, as least theoretically.
You must log in or register to comment.
Very confusing phrasing, but are you just talking about the stock Arch package repo? It’s as safe as I stalling the OS in the first place. The browser is as much a risk as any other package you’ve already installed from the main repo.
They’re referring to Firefox forks which are available only in the AUR and not from the main repos. In that case there can be a level of risk, but you can manually review the PKGBUILD of whatever package you end up installing to verify that it’s not doing anything fishy when pulling sources.
Apart from that, you may also want to look into potentially installing a Flatpak. This still comes with some risk if it’s not official (packaged and published by the original devs), but AFAIK there’s at least some sort of vetting process for packages to be accepted into Flathub.
No one’s job is to screen PKGBUILD of AUR packages so it’s technically not safe to use them. That being said the large community is keeping an eye on these packages and, while problems are not fully preventable, malicious stuff are caught pretty quickly.
So, to contrast with my first statement, one could argue that it’s mostly safe to use AUR. That’s even more true for packages used by a ton of people because issues/risks will be flagged almost immediately should they ever exist. That’s the case for browsers, especially when developers themselves offer an AUR package (like Librewolf: https://librewolf.net/installation/arch/).
Packages from the AUR basically do what is written in the PKGBUILD and install script so that’s why everyone will instruct you to learn about that before installing AUR packages with an helper. That’s too much for some people though and at the end of the day you also have to trust the person who wrote the source code and which is compiled locally.
Nothing is 100% safe. I personally have 96 AUR packages installed because there’s no other packages available (this includes stuff like my windows manager, python tools, 3D slicer, web browser…).
could get a dodgy maintainer putting malware in it, as least theoretically.
Yes, that could be possible. But this has nothing to do with the type of application you want to get from the AUR.
It’s actually quite easy, because none of the PKGBUILD files are actively checked before publishing them, neither are the programs that are built from them or the packages that you install.
PKGBUILD files are basically shellscripts. Authors can do whatever they want in that scripts. If they want to run
rm -rf /*, no-one is stopping them.This is why you always should read the whole script before running
makepkgand examine the./pkgdirectory’s contents after you did and before installing the package.Basically you’re asking if it’s safe to install anything from AUR, and there are answers to that aplenty.
