How do you know if software/apps are safe?

I have tried to search the forum and the www, but I can’t seem to word it right or it has not been covered too well.

I’m a newbie to Linux and Manjaro. My question is: how do I know if the software downloaded from, i.e., the terminal is safe? Or whether using the pacman GUI with AUR, Snaps, and Flatpaks is safe?

By safe I mean a minimal chance of back-doors, trackers/loggers, and other misc. malware, seeing that it’s mostly “civilian people” who have made these programs and do the updating.

I.e., if I go to the Cryptomator homepage I can find an AppImage to download straight from them, with a signature (which is more trustworthy to me), seeing that if there was anything wrong with that AppImage I know exactly where to turn. Rather than the one that I find in the GUI of pacman, which says AUR and has a different maintainer.

This is just one example I had, and I hope you understand what it is I’m trying to ask. I’m just trying to learn how to be confident about the apps/software I want to have on my Manjaro system.

Lastly, I just want to thank all of you great people for making a superb OS.

1 Like

Welcome to the forum! :slight_smile:

  • When it comes to anything in the official Manjaro repositories ─ core, extra and community ─ everything is safe.

  • When it comes to the AUR ─ which contains package builds usually uploaded by Arch users ─ then if you are not sure, you can inspect the PKGBUILD file and see what it pulls in, and from where. In general, the AUR is considered safe, although there is no 100% guarantee that it is, and it has in the past been abused, although this was quickly noticed and remedied.

  • When it comes to AppImage, Flatpak and Snap, those should in theory be safe, because those are intended to be distribution-agnostic, and therefore they are used by multiple distributions. As such, any irregularities in that regard stand a much higher chance of getting noticed right away.

  • When it comes to any other software ─ e.g. something that comes in a different package format, such as a self-extracting archive ─ you are at the mercy of whoever distributes said software, and such software commonly won’t integrate well with your installed system. The same is more or less true for AppImage, Flatpak and Snap, because those are sandboxed applications.

My personal advice would be to stick to the Manjaro repositories, and if you need something that isn’t in there, the AUR. But I personally won’t install anything from outside of those two sources.

:man_shrugging:

9 Likes

Thank you very much for a great explanation! It made me a lot wiser and confident towards the whole operation.

2 Likes

I actually agree with you on this. For the AUR I would advise some degree of caution: check who the Maintainer(s) of said Package are and when the most recent update to the package was.

If the OP hasn’t enabled and set up the Firewall that comes with Manjaro, Gufw, then he should do so ASAP.

2 Likes
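Aragorn’s advice to inspect the PKGBUILD and see what it pulls in, plus the reminder above to look at who maintains the package and when it was last touched, can be turned into a quick first-pass script. The following is an added example, not code from the thread or from Manjaro/Arch: it reports the declared maintainer, every `source=` entry, checksum entries set to `SKIP` (which makepkg never verifies), sources fetched without TLS, and build steps that pipe a download straight into a shell. The PKGBUILD it reads is constructed for illustration and is not a real AUR package; the `pkgbuild_*` function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: a first-pass review of an AUR PKGBUILD
# before building it. Read the file itself too; this only points at places
# that deserve a closer look.
# The PKGBUILD below is constructed for illustration; it is not a real package.

SAMPLE_PKGBUILD='# Maintainer: Example Person <example@example.invalid>
pkgname=demo-tool
pkgver=1.2.3
pkgrel=1
arch=("x86_64")
url="https://example.invalid/demo-tool"
license=("MIT")
source=("https://example.invalid/demo-tool-1.2.3.tar.gz"
        "git+https://github.com/example/demo-tool.git"
        "http://mirror.example.invalid/patch.diff")
sha256sums=("0000000000000000000000000000000000000000000000000000000000000000"
            "SKIP"
            "SKIP")

build() {
    cd "$pkgname-$pkgver"
    curl -s https://example.invalid/setup.sh | sh
    make
}'

# Write the constructed sample to a temp file; the functions take a path so
# they work on a real PKGBUILD just as well (e.g. one fetched from the AUR).
PKGBUILD_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_PKGBUILD" > "$PKGBUILD_FILE"

# Print the entries of a bash array assignment "name=( ... )", one per line,
# with surrounding quotes removed. Handles arrays that span several lines.
# Variables such as $pkgver inside entries are printed unexpanded.
pkgbuild_array() {
  awk -v name="$1" '
    BEGIN { pat = "^" name "=\\(" }
    $0 ~ pat { inside = 1; sub(pat, "") }
    inside {
      line = $0
      if (line ~ /\)/) { sub(/\).*/, "", line); inside = 0 }
      n = split(line, parts, /[[:space:]]+/)
      for (i = 1; i <= n; i++) {
        gsub("[\"\047]", "", parts[i])
        if (parts[i] != "") print parts[i]
      }
    }' "$2"
}

# Maintainer declared in the PKGBUILD header comment (empty if none).
pkgbuild_maintainer() {
  sed -n 's/^# *Maintainer: *//p' "$1" | head -n 1
}

# Number of sha256sums entries that are SKIP, i.e. never verified by makepkg.
# (Only sha256sums is inspected here; md5sums/b2sums would need the same check.)
skipped_checksums() {
  pkgbuild_array sha256sums "$1" | grep -c '^SKIP$' || true
}

# Source entries that are neither fetched over TLS (https:// or git+https://)
# nor local files shipped next to the PKGBUILD. The "name::url" rename form
# is not handled.
insecure_sources() {
  pkgbuild_array source "$1" | grep -vE '^(https://|git\+https://|[^:/]+$)' || true
}

# Lines that pipe a download into a shell, decode base64 blobs, or eval
# strings: read these closely before running makepkg.
risky_lines() {
  grep -nE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba)?sh([[:space:]]|$)|base64[[:space:]]+(-d|--decode)|(^|[[:space:]])eval[[:space:]]' "$1" || true
}

review_pkgbuild() {
  echo "Maintainer:      $(pkgbuild_maintainer "$1")"
  echo "Sources:"
  pkgbuild_array source "$1" | sed 's/^/  /'
  echo "SKIP checksums:  $(skipped_checksums "$1")"
  echo "Non-TLS sources:"
  insecure_sources "$1" | sed 's/^/  /'
  echo "Lines to read closely:"
  risky_lines "$1" | sed 's/^/  /'
}

review_pkgbuild "$PKGBUILD_FILE"
```

A `SKIP` checksum is normal for a `git+` source pinned to a commit, but for a tarball it means the build will accept whatever the server hands out; and a maintainer line tells you who to ask, not whether the code is sound, which is why the AUR page comments and the last-updated date still matter.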

If you want a program that is only available on AUR, ALWAYS read the comments in the AUR page before installing.

5 Likes

To complement @Aragorn’s answer:
Contrary to application stores and random download links, packages in the repositories – excluding AUR – are “hand-picked” by the OS packagers. This greatly limits the risk of using purposely made malware.

3 Likes

Well said. And since the Manjaro Developers and Maintainers do a nice degree of testing of the Distro, everything usually just works. Granted, Users should always read the Major Update Announcements before applying said Updates.

This is why I like Manjaro, after I read the Forum and Documentation carefully before I even installed the Distro on my System.

3 Likes

I have flipped the firewall to ON. Is there anything else you recommend doing there? Custom profiles and that stuff, or is the default home profile good enough for careful use?

Usually yes. I’m not an expert on Firewalls however. Gufw is rather simple to adjust as needed.

I never bothered with the firewall - by default we have no open ports and it isn’t even included in Manjaro.

Since 2007 I never felt I had any reason to fear attacks as I’m just using my desktop at home.

I have no need for a firewall on my computer either, but things might be different for laptop users connecting over WiFi. :wink:

1 Like

I would still use an already available Firewall anyway. Gufw works fairly well, so why not?

Why not indeed.
After having a disaster with Windows Vista in 2007, I loaded up Ubuntu. I then went browsing those infamous Warez sites for fun - you know, the ones that Chrome won’t let you visit because they’re just too toxic…
I lost my fear of drive-by downloads.

I learned that my real enemies are facebook and google, and that I do more good by using Firefox instead of Chrome based browsers whenever possible.

Back to the OP, how do you know if software/apps are safe? Well, it’s about ‘trusted sources’ to some extent - but in the end, you don’t know. But you can be sure that (so far) Linux on a home desktop is of no interest to anyone looking to cause some trouble… heck, for most people you can leave your machine running in a public place; if you don’t have a ‘START’ button in the left corner they’d be stumped :rofl:

I moved all my sensitive files from the system drive, and did everything and anything I could think of that would be bad for my Windows installation - I even open email attachments.

I read articles about the need for antivirus on Linux (a few articles about malware on Macs got me interested) but I never got a glimpse of those myself.

Having snapshots means that whatever happens to my system today, the worst that can happen is that I buy an entirely new computer, throw in a USB, and 15 minutes later my system is restored.

So it’s a good question (as I’m not on a laptop connecting to Starbucks Wifi). I guess I am pretty ignorant when it comes to security, yet I suffered no consequences - I’ve happily used my desktop since 2007 with no issues that I know of and I don’t really have anything to hide.

As far as using someone’s WiFi? Well, keep your Firewall up and ensure your ports are closed that don’t need to be open.
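“Ensure your ports are closed that don’t need to be open” is something you can verify directly rather than assume. The following is an added example, not from the thread: it takes the output of `ss -tuln` (the iproute2 socket tool, with its real `-t` TCP, `-u` UDP, `-l` listening and `-n` numeric flags) and lists only the sockets bound to a non-loopback address, i.e. the ones another machine on the same WiFi could reach if the firewall allows it. The `ss` output embedded here is constructed for illustration; `exposed_sockets` and `exposed_from_sample` are my own function names.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: list listening sockets reachable from
# the network, i.e. those not bound to 127.x or [::1]. Input is the output of
# `ss -tuln`; the sample below is constructed, not captured from a real host.

SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128         127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      4096          0.0.0.0:22         0.0.0.0:*
udp   UNCONN 0      0             0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      511             [::1]:6379          [::]:*
tcp   LISTEN 0      4096             [::]:22            [::]:*'

# Read ss output on stdin; print "<proto> <address> <port>" for every socket
# not bound to loopback. The header is skipped by requiring field 2 to be a
# socket state (LISTEN for TCP, UNCONN for bound UDP sockets).
exposed_sockets() {
  awk '$2 == "LISTEN" || $2 == "UNCONN" {
    la = $5
    port = la; sub(/.*:/, "", port)       # text after the last colon
    addr = la; sub(/:[^:]*$/, "", addr)   # everything before it (IPv6 safe)
    if (addr ~ /^127\./ || addr == "[::1]") next
    print $1, addr, port
  }'
}

# Wrapper over the constructed sample. On a live system run instead:
#   ss -tuln | exposed_sockets
exposed_from_sample() {
  printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_sockets
}

exposed_from_sample
```

On the sample this leaves `tcp 0.0.0.0 22`, `udp 0.0.0.0 5353` and `tcp [::] 22`: the CUPS and Redis-style listeners on loopback drop out, while SSH on every address and mDNS on UDP 5353 remain, which is exactly the list to compare against the rules Gufw has applied (`ufw status verbose` shows them in the terminal). Anything left in that list that you do not knowingly use is either a service to stop or a port to deny in the firewall.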