You never realize how insecure the AUR is until you create a package for it...

Added that to the list.

Any guides on how to use The AUR properly and safely? I have had any issues yet but I always go by the number of upvotes a package has before using anything from The AUR...

@whm1974, there really isn't much to it. You should do some reading on the Arch Wiki to have a basic understanding on how the AUR work, what PKDBUILD scripts do, etc... Perhaps try making a package yourself, or at least build one manually.

All good AUR helpers (yay, pamac) let you inspect the PKDBUILD file before installing. You should do that, even for packages you completely trust. Even though the chance of something going wrong with a popular package is minuscule to non-existent, it's always a good idea to look at PKGBUILD files. Not only is it a good habit to have, but seeing a bunch of good PKGBUILDs will make it easier for you to spot anything out of place, should you be unlucky and encounter that.

However, it is very rare that there is something intentionally malicious in the AUR and, for popular packages, it seems anything like that gets spotted very quickly and gets dealt with. In my limited experience of using the AUR (10 months or so, a few dozen packages installed), I haven't encountered anything bad yet.

1 Like

Does that apply to .config files as well? For example adding a default config to /etc/skel and if it doesn't exist in home directory then apply it there too.
Not that I've seen it somewhere; just asking.

Typically, you won't find anything like that in a PKGBUILD file.

really the votes are supposed to be for 'inclusion into the repos' rather than 'ok pkgbuild/pkg'
But .. who knows if everyone follows that. It certainly looks better when a package has 100 votes.

1 Like

Forum kindly sponsored by