




















So out of curiosity I googled (my google is biased and knows that I'm not just starting linux) for "AUR for dummies" to get an idea what people under ideal circumstances will read when ignoring the wiki.
The results, blogs and videos, all wanna make you puke ![]()
In the assistance box there was, next to "Does Elon Musk use linux"… ![]()
"What are the risks of using the AUR?".
Opening that I got
linuxsecurity.com wrote:
In practice, the risk in the Arch Linux AUR is structural. It comes from how it works, not from a few bad actors.
AUR packages are build scripts. They are not vetted binaries signed by a central authority.
and a link to this article which is not exactly for dummies, but the one you want are going to read!
nb. this is not an advert for the tool discussed in the article, but I'll stress that here
linuxsecurity.com wrote:
But there are limits. Pattern-based analysis can flag obvious red flags, yet it does not understand intent. A legitimate package might fetch additional resources during build. A complex but safe PKGBUILD might look noisy. You will see false positives. You will also see clean reports that still deserve human review.
This is where people get it wrong. They treat scanner output as a verdict instead of input.
@mods, I know the rules about PSAs but the content article exceeds the scope of the wiki and we also cannot just copy it anyway and just linking it there will unlikely raise its visibility and the other threads have shown broad misconceptions about the AUR that need to be addressed.
If you've a reddit account, spread it there.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。