Paranoid about doing finances on Linux

Hello,

I’ve been using Manjaro Gnome for a few months now and quite like it… I’ve found alternative software for what I use and have Win 10 loaded into VirtualBox just in case. But this whole time I’ve kept my MacBook and have been using it for banking, KeePassXC and crypto investments. I’m at the point where I could use Linux as my main OS but am paranoid about doing finances on it, as the AUR is populated by 3rd parties and the software isn’t coming directly from the original developer/company, which makes me feel unsafe. I’ve run ClamAV and rkhunter on my machine and it is clean, but I’m still hesitant. For example, how do I know that Ledger Live from pacman is legit and I won’t get my crypto holdings stolen? I have read that malware via pacman is very rare, and there are moderators who check the packages, but that is me trusting a third party, and potentially putting my assets at risk of being swindled. Or how do I know that any of the other packages I installed don’t have keyloggers or screen recorders?

Can I get some advice?

It most likely is coming from the developer/company, you can check the source in the PKGBUILD. It’s always good practice to read what the PKGBUILD is going to do before installing from the AUR.

Edited to add:

This is in the official Manjaro repository, packaged by Oberon

2 Likes

If you want to be safe, there is the possibility to use a separate Linux (booted from CD) to do financial transactions. (But don’t do anything else from there.)

Other things, like doing work, writing emails, surfing the internet, visiting a forum or playing games, do from an updatable installation.

Once a year, create a new CD to keep security tight.

No virus can infect a CD after it is burned. If you don’t do silly things right before doing your financial transaction, the RAM also will be free of bad programs.

1 Like

And here you can see which PKGBUILD file is used by Manjaro to build ‘ledger-live-bin’:

As you see in this file, the package is built from the developer’s sources.

… I would be more worried about ‘electron/javascript’ which they used to build ‘ledger-live’ and the size of the package with nearly 1GB. :grin:

:point_up:

And if that’s still not enough, you may build the application directly on your computer.

1 Like
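The two replies above say the same thing: before you trust a package, read its PKGBUILD and check where `source=` fetches from. The script below is an added example (mine, not from this thread, from Manjaro’s packaging or from the Ledger project) that does those checks mechanically and offline. It assumes a constructed sample PKGBUILD (package name `example-wallet-bin`, the domain `example.com` and the all-zero checksum are placeholders, not the real ledger-live-bin file), and it assumes you have separately verified which domain belongs to the developer.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from Manjaro): offline checks on a PKGBUILD
# before you install. It answers three questions a cautious user has:
#   1. which URLs does the package fetch, and do they all belong to the upstream developer?
#   2. are the downloads pinned to strong checksums (not 'SKIP')?
#   3. does makepkg verify an upstream PGP signature (validpgpkeys) at all?
# The sample PKGBUILD below is constructed; its package name, URL and checksum
# are placeholders and it is NOT the real ledger-live-bin PKGBUILD.

SAMPLE_PKGBUILD='pkgname=example-wallet-bin
pkgver=1.0.0
pkgrel=1
url="https://example.com/wallet"
source=("https://download.example.com/wallet/${pkgver}/wallet-${pkgver}.AppImage")
sha256sums=("0000000000000000000000000000000000000000000000000000000000000000")
package() {
  install -Dm755 "$srcdir/wallet-${pkgver}.AppImage" "$pkgdir/opt/wallet/wallet.AppImage"
}'

write_sample() { printf '%s\n' "$SAMPLE_PKGBUILD" > "$1"; }

# Print the lines of the bash array NAME=( ... ) in FILE, whether it spans one line or many.
pkgbuild_array() {
  awk -v key="$1" '
    $0 ~ ("^" key "=\\(") { inblk = 1 }
    inblk { print; if ($0 ~ /\)/) inblk = 0 }
  ' "$2"
}

# Print every download URL in source=(), with ${pkgname}/${pkgver} expanded.
pkgbuild_sources() {
  local f="$1" pkgname pkgver
  pkgname=$(sed -n 's/^pkgname=//p' "$f")
  pkgver=$(sed -n 's/^pkgver=//p' "$f")
  pkgbuild_array source "$f" | grep -oE 'https?://[^" )]+' \
    | sed -e 's/\${pkgname}/'"$pkgname"'/g' -e 's/\${pkgver}/'"$pkgver"'/g'
}

# 0 if every source URL is served from DOMAIN or a subdomain of it, 1 otherwise.
# DOMAIN is the domain you have independently verified belongs to the developer.
sources_from_upstream() {
  local f="$1" domain="$2" srcs u host
  srcs=$(pkgbuild_sources "$f")
  [ -n "$srcs" ] || return 1
  for u in $srcs; do
    host=${u#*://}; host=${host%%/*}
    case "$host" in
      "$domain" | *."$domain") ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# 0 if a sha256/sha512/b2 checksum array exists and contains no SKIP entry.
# md5sums is deliberately not accepted as a pin.
checksums_pinned() {
  local f="$1" block k
  block=$(for k in sha256sums sha512sums b2sums; do pkgbuild_array "$k" "$f"; done)
  [ -n "$block" ] || return 1
  ! printf '%s\n' "$block" | grep -q 'SKIP'
}

# Human-readable report; returns 1 if any hard check failed.
audit_pkgbuild() {
  local f="$1" domain="$2" rc=0
  echo "sources fetched by $f:"
  pkgbuild_sources "$f" | sed 's/^/  /'
  if sources_from_upstream "$f" "$domain"; then echo "OK   all sources under $domain"
  else echo "WARN a source is not under $domain (or none found)"; rc=1; fi
  if checksums_pinned "$f"; then echo "OK   downloads pinned to strong checksums"
  else echo "WARN checksums missing, md5 only, or SKIP"; rc=1; fi
  if grep -q '^validpgpkeys=' "$f"; then echo "OK   makepkg will verify an upstream PGP signature"
  else echo "NOTE no validpgpkeys: checksums come from the packager, not the developer"; fi
  return "$rc"
}

# Demo on the constructed sample; point it at a real PKGBUILD and the developer's domain.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/PKGBUILD"
audit_pkgbuild "$demo_dir/PKGBUILD" example.com || true
rm -rf "$demo_dir"
```

For an AUR package the PKGBUILD comes from `git clone https://aur.archlinux.org/<pkgname>.git`; for a package in the official repos it is the file the reply above points to. After reading it, `makepkg --verifysource` downloads the sources and checks them against the pinned checksums without building anything. Keep the caveat in mind: a pinned checksum only proves the download matches what the packager saw when writing the PKGBUILD; a `validpgpkeys` entry plus a signature file in `source=` is the check that ties the download to the developer’s own key.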

If you’re paranoid about system security, you can try hardening your system by following the steps here:
https://wiki.archlinux.org/title/Security
Just remember that too many security settings will make the system unusable.

1 Like

Ok, thanks. I’ll check the PKGBUILD.

Not super super crazy, just want to know the stuff I install is safe.

You mean the developers of Ledger? Or the package?

I mean the package that you can install through the Manjaro package manager is built directly from the sources from the developer.