AURpocalypse now: a look at the recent AUR attacks

rcxdude 15 minutes ago | |

The AUR has consistently had warnings around it of 'verify the PKGBUILD', far more so than any other package repository that allows anyone to sign up. Probably the only notable difference is the ease of taking over an orphaned package.

anagram666 36 minutes ago | |

If you want something from the AUR, just don't be lazy, read the pkgbuild.

segfalt_ 34 minutes ago | |

I do, I'm just choosy about aur packages I use

giancarlostoro 45 minutes ago | |

I still do, I just don't touch AURs anymore.

akerl_ 46 minutes ago | |

Is there another distro that has an equivalent of the AUR with handling you think is preferable?

orbital-decay 28 minutes ago | | |

AUR is fast and loose and doesn't do much "handling" by design, so it's hard to find any equivalent repo. But there's always a tradeoff between fresh (nixpkgs unstable, might be the closest) and tested (Debian).

akerl_ 20 minutes ago | | |

AUR isn't just the testing repo of Arch; it's explicitly just an open spot where anybody can put up "here's a PKGBUILD for folks". I don't see how it's like either the Nix or Debian examples.

orbital-decay 8 minutes ago | | |

Well, Nix has NUR which is a direct equivalent but it's not nearly as broadly used and I assume "here's a PKGBUILD for folks" is already too permissive for you if you're asking.

There's no maintainer vetting process in nixpkgs as far as I know, anyone can own a bunch of packages. There are quality standards and it's not "here's a bunch of nix code for folks" but it's the next possible thing in the line after that.

akerl_ 2 minutes ago | | |

It seems like you may have mistakenly inferred that I have issues with the AUR?

I don't; I use Arch on 100% of my personal servers, have done so for something approaching 20 years, and don't see myself changing.

But I treat the AUR for what it is: a place where anybody can say "here's a PKGBUILD for folks" and it's on me to evaluate it on its merits.

I was legitimately asking the person upthread what other distro they felt had a better model for this kind of sharing, because they seemed to think this was a reason for Arch users to jump ship and I was curious what they thought would be the elements of a better system.

guilhas 24 minutes ago | | |

Gentoo

But let's hope we get this solved, like peer review model, vouch, or something

It is very good to be able to find build/install files for everything

akerl_ 17 minutes ago | | |

Gentoo's model appears to be basically the same? Like the AUR, anybody can submit basically anything they want. The requirements amount to containing valid packages, having a bugzilla account, and putting your package definitions in VCS somewhere.