The more I think about this metaphor the better it gets.
Do the car manufacturers say “thanks for buying the car. You can do this or that with it. But this is not supported by us. Remember to only drive 60mph / 130km/h or whatever on the motorway. Even if you can do more.”
No. They don’t. As this is not their responsibility. So they are quiet. As they are building only the car. Not more and not less.
The car (CachyOS) works. You can do a lot of things with it. Really a lot. But the manufacturer is not at all responsible for guiding you to everything you could or could not do.
I made a small script to have Claude double check any AUR package changes as part of paru. I know there are AI haters, and I am not sure if it can effectively catch anything. It is just a double check for my tired eyes.
Yes, the repositories are unaffected.
But you may wish to disable the AUR if you use some sort of graphical tool that supports it.
Though if you have no foreign (AUR) packages installed even that would not matter.
But an only-repositories regular upgrade would be untainted and safe, ex;
If I use Cachy to go on the dark web to pick up hookers that’s on me. Just like your car example of having a car (which is still dumb cause you can’t buy a car without a license, which is where your metaphor crumbles) and using it to go on the highway and murder someone. Still on the person.
If the car seatbelts don’t work properly or a function they give the users like air conditioning doesn’t work, that’s on the car manufacturer. Or better yet, cause EVs are just shitty laptops on wheels with even worse software, if the software glitches or causes the information of the user to be leaked (hi Ford and Toyota), the car manufacturer is responsible for that even though the software may be from a third party.
That’s AUR. They enabled it, provide instructions for it, encouraged its use in the past, which means they are responsible for it when it goes to shit as well.
And yes they do. Ever bought a car at a dealership before and signed the dozens of pages of paperwork that basically says all of that and a whole lot more? “Anything done in the vehicle outside the rules of the law or responsible usage of the vehicle is not our responsibility”. That’s literally a thing.
Hmm… but the question is: How is it with people sitting behind a well configured Pi-Hole and using DSlite?
Pi-Hole can block malicious connections when a special blocklist is set, and DSlite makes it more difficult for Trojans because most routers like the AVM Fritz!Box do have a good functioning “firewall”. Sure, the scripts can steal and send particular data to their servers, but I think such mechanisms can aggravate it. Or am I wrong?
But I’m happy that I’m not affected by malicious packages because I don’t install any packages that are older than 1-2 years. I’m always looking for well maintained packages.
It’s lame to trick people in this way. And it’s also lame to laugh at people who are affected by such malicious things. No one is 100% secure and it can hit EVERYONE!
Ähm .. no. You CAN buy a car without a driving license. You are allowed to HAVE a car without the license to use it on official roads.
At least in Germany this is not a problem at all.
Owning it and using it under your own responsibility are completely different use cases.
And again: the manufacturer is not responsible for what you are doing with your car.
Guys. Can you please stop this fruitless to and fro of “YES!!” and “NO!!!”? This is leading nowhere, right? None of you will ever convince the other and you are slowly but surely taking over this thread without any progress.
Am a hater for many reasons, but the one pertinent to this particular situation would be that for some, using such a script would replace their tired eyes and increase their attack surface. I would even stake a bet on saying “most” who adopt such measures would still hit Q and Y without looking as long as their LLM said it was fine. This defeats the point.
Hold on, who’s the one saying first that it’s bad taste to start slating ‘other distributions’ and then in your next sentence start to push your own vitriol?
This is not the time or the place for this sh1t.
One thing I can say is that, as far as forum response, there are very good developer responses in both Manjaro and Garuda forums.
So if you’re going to start a pissing match, you’re going to start it at home before you start on them.
I’d calm down with the ‘dumb’ if I were you… it reflects badly on your own intelligence - you’re not supposed to drive on the roads without a licence, but there’s absolutely nothing preventing you from buying as many cars as you like.
That’s because you’re going to the effort to keep your running list updated. Thank you!!! Would you consider deleting your bash script in your OP? It’s propagating across the internet and encourages a very poor security practice of downloading an unverified executable script from the internet to test if people have been infected with an unverified executable script from the internet. Your non-executable is sufficient. I created a modified non-executable in my first post in this thread that returned (1) matches and (2) that total number in your list. I did this because we can then track how Atomic Attack is evolving by seeing the number in your list increase or decrease. It was 1588 twelve hours ago and continues to grow. Thanks for considering. And thanks for the .txt list and the work to keep it updated!!!
This is safe non-executable code that will show if there is a match and the current number of infected packages, based on CSCS’ excellent list:
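The check the post above describes (installed foreign packages compared against a plain-text list of compromised package names, reporting both the matches and the total number of names in the list), written here as an added example rather than the poster's own snippet; the list path, its one-name-per-line format and the `pacman -Qm` "name version" output format are assumptions:

```sh
#!/bin/sh
# Added example, not the poster's script. Compares the foreign (AUR) packages
# on this machine against a text list of known-compromised package names and
# reports the matches plus the size of the list, so growth of the list can be
# tracked over time. Assumes the list has one package name per line, with
# optional blank lines and '#' comments.

# count_list_entries FILE -> prints the number of real entries in the list
# (blank lines and '#' comment lines are ignored)
count_list_entries() {
    grep -c -v -e '^[[:space:]]*$' -e '^#' "$1"
}

# find_matches LISTFILE INSTALLEDFILE -> prints, one per line and sorted,
# every installed package name that also appears in the list.
# INSTALLEDFILE holds "name version" lines, the format produced by `pacman -Qm`.
find_matches() {
    awk 'NR == FNR {
             # first file: remember each listed name (skip blanks/comments)
             if ($0 !~ /^[[:space:]]*$/ && $0 !~ /^#/) bad[$1] = 1
             next
         }
         ($1 in bad) { print $1 }' "$1" "$2" | sort -u
}

# report LISTFILE -> runs the check against the live package database
report() {
    installed=$(mktemp) || exit 1
    pacman -Qm > "$installed"
    echo "entries in list: $(count_list_entries "$1")"
    matches=$(find_matches "$1" "$installed")
    rm -f "$installed"
    if [ -n "$matches" ]; then
        echo "MATCHES FOUND:"
        echo "$matches"
    else
        echo "no installed foreign package matches the list"
    fi
}

# usage: sh check.sh /path/to/list.txt
if [ $# -ge 1 ]; then
    report "$1"
fi
```

`report` needs pacman; the two helper functions work on any pair of text files, so the same logic can be run against a saved `pacman -Qm` dump from another machine.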
Idiots are everywhere. I had big trouble in the Ubuntu forum, which kicked me out after I had addressed some fundamental issues. And the biggest problem at Canonical is that the bug tracker (Launchpad) is full of unsolved reports. They don’t give a shit about your problems if you are not a corporate person and pay them.
I didn’t follow your complete post, but at this quote I can say that the “mainstream distros” mostly have the bigger problems. Manjaro is a small part of that mainstream. But as I already told: idiots and a$$hole$ are everywhere.
I don’t know how it is on the English speaking side of most forums, but on the German side the accents are mostly rough and rude. It’s an RTFM mentality. If you didn’t read the manual you’re a noob and loser and don’t deserve help in any way. Do you know what I mean?
But I think we all should concentrate on the main problem. In my opinion AUR needs a reformation. The fact that foreign persons can simply maintain orphaned packages is a very huge security breach! Community driven things are good but also need some security measures.
The script is available for inspection or download or whatever kind of use.
Just like thousands upon thousands of other scripts at gitlab and github and so on.
Piping or redirecting output or holding data in a variable was not invented here, and there are many extremely useful cases for invoking scripts ‘remotely’ like that. Of course they should be your own or trusted. I may repeat again that in our example here it’s not only been verified but is still only a handful of lines of real logic - which anyone can and should look at before using.
The alternatives exist as well … but it might be said that the worry being exhibited in the first case could likely apply there too. Any user who cannot or will not inspect the script has a decent likelihood that they cannot or will not do the same with some ‘esoteric’ string being offered to run. I mean to say at that point there may be little difference.
PS.
The extra negative inter-personal exchanges could do with some chilling.