@IvanAT here are your fifteen seconds of fame. Spend them wisely
As long as it's just a simple pacman -Syu, there never was a problem. It's all just about packages in the AUR.
After running pacman -Qm I see that I have jack and heroic-games-launcher installed from the aur, neither of which I installed explicitly. Heroic games launcher is from cachyos-gaming-applications and jack appears to be a dependency of a ton of packages.
I realize I'm not at risk from either of these packages, but I would have thought that a dependency of an official repo package would also belong to an official repo. Why is this not the case?
Additionally, what is expected of me as a user in this case? I would think that if I trust the maintainers, that trust implicitly extends to these dependencies and I don't need to be scrutinizing their PKGBUILDs. I would also expect that, should these dependencies be abandoned/compromised, they would be removed as dependencies of official packages and cachy-update would prompt me to uninstall them. Are these fair assumptions or do I need to be monitoring the status of these projects? Thanks in advance.
It is hugely more secure.
You did not exactly say against what it is compared .. but against random downloads? Sure is.
And this campaign has nothing to do with the official repositories.
Again this is exactly what you are supposed to do with the AUR.
Not doing this puts you back in the "download random stuff from random websites" situation ala windoze.
I really do not know what you are trying to say here as its exactly the not verified and outside of the repos - and not inspected by the user - packages that are the concern here.
Once again .. this is what the unofficial, unsupported, third party, user-produced, open, AUR has always been.
And why it has always been the responsibility of any user interacting with it to check on those build scripts.
You have jack installed to fill some dependency.
Likely it could be fulfilled by a real repo package.
If you truly got these originally from the repos then they were eventually dropped after that.
You could have only not noticed this by using some sort of combination repo+AUR tool .. likely a GUI that made it non-obvious.
Likely you can replace these with repo packages while still fulfilling the same deps.
To mention - this was already included in the lists yesterday.
It may be considered slightly different but it is still part of the campaigns.
With that I will return to not responding to every single post.
heroic-games-launcher was formerly a dependency of cachyos-gaming-applications, it is not anymore and has since been removed from the cachyos repo. Having been removed, that means the package is considered foreign. You can replace it with the cachyos repo package instead. It will fulfill the same dependency.
sudo pacman -Syu heroic-games-launcher-bin
jack is/was a dependency for ffmpeg and mpv, common packages to have installed. They require some version of jack but not necessarily that specific package anymore. jack itself has been removed from the Arch Linux extra repo and thus also from CachyOS's extra versions. If you would like to switch to a native version that also fulfills the dependency, you can use jack2 or pipewire-jack.
sudo pacman -Syu pipewire-jack
Either of these native replacements will remove the old foreign packages heroic-games-launcher and jack because they will conflict with each other. Which should be made clear when attempting to install them.
Maybe worth adding here - pipewire-jack is likely the package most normal users who already use pipewire as their audio framework would want.
Audio engineers or folks who know what jack is may need/want the whole jack and so may opt for updated jack2 instead.
Thanks for adding that. I actually didn't understand the difference between the two myself, only that either would perform the necessary functions. I had switched to jack2 but I'll move on over to pipewire-jack instead.
Thanks for the help, friends. I successfully replaced both packages.
So when an installed package is removed from the official repos, I should be notified of this by pacman or cachy-update and I just missed it in this case?
I should have been more clear - it would be more obvious using a tool like paru because then the package would start being built from the AUR (with paru for example you would start seeing the jack PKGBUILD every upgrade).
And there are other possibilities like the pacman -Qm command and similar.
Otherwise you would be notified from the mailing list if subscribed to that;
You wouldn't be notified of the removal itself, but it's likely you would be alerted one way or another. To be clear, the package would remain the same native version you had originally unless you updated it somehow. pacman -Syu would no longer update the package since it doesn't call upon anything but the native repos. It would only remain considering it to fulfill the dependency.
The most common way you'd be alerted would be if you attempted to update your system with an AUR helper like paru (or have an AUR helper called upon as part of a script like cachy-update), which would see that the package is foreign and fall back to updating it from the AUR since a native version could not be found. It would be clear in the output that you were now updating the package from the AUR.
Another would be if you don't use an AUR helper anywhere. The package could eventually no longer fulfill the dependency and that would be made clear in the pacman -Syu update output.
What kind of device is that? For newer Brother devices with network capabilities you don't need that crap or any additional drivers. Simple Scan or Skanlite work, you just need the sane-airscan package.
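As an added example, not code from any poster in this thread: a small POSIX sh audit that ties together the checks mentioned above (the foreign-package list from pacman -Qqm, the "Required By" line of pacman -Qi, and the sync-database names from pacman -Slq). For each foreign package it reports which installed packages still depend on it and whether a repo package of the same name exists again, which is the "simply reinstall it" case. The function names, the AUDIT_SAMPLE switch and the sample package lists are my own constructions; when pacman is present and AUDIT_SAMPLE is unset, the real commands are run instead of the samples.

```shell
#!/bin/sh
# Audit foreign (non-repo) packages: who depends on each one, and whether a repo
# package of the same name exists now. Added example, not code from this thread.
# With pacman available the real commands run; otherwise (or when AUDIT_SAMPLE=1)
# constructed sample output stands in, so the logic can be exercised anywhere.
set -eu

# Constructed sample standing in for `pacman -Qqm` (installed packages that are
# in no sync database, one name per line).
SAMPLE_FOREIGN='heroic-games-launcher
jack
zoom'

# Constructed sample standing in for the package names printed by `pacman -Slq`.
SAMPLE_SYNC='ffmpeg
heroic-games-launcher-bin
jack2
mpv
pipewire-jack'

# Constructed sample standing in for the "Required By" line of `pacman -Qi <pkg>`.
sample_pkg_info() {
  case "$1" in
    heroic-games-launcher) echo 'Required By     : cachyos-gaming-applications' ;;
    jack)                  echo 'Required By     : ffmpeg  mpv' ;;
    *)                     echo 'Required By     : None' ;;
  esac
}

# Use the constructed samples when forced, or when pacman is simply not installed.
use_sample() { [ "${AUDIT_SAMPLE:-0}" = 1 ] || ! command -v pacman >/dev/null 2>&1; }

foreign_list() { if use_sample; then printf '%s\n' "$SAMPLE_FOREIGN"; else pacman -Qqm; fi; }
sync_names()   { if use_sample; then printf '%s\n' "$SAMPLE_SYNC"; else pacman -Slq; fi; }
pkg_info()     { if use_sample; then sample_pkg_info "$1"; else pacman -Qi "$1"; fi; }

# Space-separated list of installed packages that require $1 (empty when none).
required_by() {
  pkg_info "$1" | awk -F': *' '/^Required By/ {
    gsub(/ +/, " ", $2); v = ($2 == "None") ? "" : $2; print v; exit }'
}

# Succeeds when some sync repo currently offers a package named exactly $1.
in_sync_db() { sync_names | grep -qx -- "$1"; }

# One line per foreign package: why it is installed and whether a same-name repo
# package can replace it. A different provider (jack2 or pipewire-jack in the
# thread's case) still needs a human decision, so it is only pointed at here.
audit_foreign() {
  foreign_list | while IFS= read -r pkg; do
    deps=$(required_by "$pkg")
    if [ -n "$deps" ]; then why="required by: $deps"
    else why="required by: nothing (explicitly installed or orphaned)"; fi
    if in_sync_db "$pkg"; then fix="same-name repo package exists, reinstall with pacman -Syu $pkg"
    else fix="no same-name repo package, find a native provider or review the AUR PKGBUILD"; fi
    printf '%s: %s; %s\n' "$pkg" "$why" "$fix"
  done
}

# Usage: sh audit-foreign.sh --run   (add AUDIT_SAMPLE=1 to see the sample data)
case "${1:-}" in --run) audit_foreign ;; esac
```

On a real system the report is only a starting point: a foreign package that nothing requires any more is an orphan you can simply remove, while one that is still required needs either the same-name repo package or a native provider such as the ones named in the replies above.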
yeah I presumed so, just wanted to double check. thank you.
Thanks a lot for the clarification about heroic-games-launcher and jack. Was confused about those too. I have a couple questions still:
- Running pacman -Qqm outputs only one package now: zoom. Although I explicitly remember installing fooyin (the music player) from AUR using paru as well. Does it mean fooyin has been moved to the official repo and is no longer considered foreign?
- Is there a reason zoom is only available on AUR? I thought a widely used package like that would be listed on the official repo. Not throwing shade at anyone, just trying to understand.
Thanks.
fooyin is in the repos.
(Both Arch and Cachy so it is not something that was simply adopted by us recently.)
It could be that you used paru but it was still installed from the repos?
(paru is an aur-helper and pacman-wrapper.. it can be used to install from official repositories and the AUR.)
- This is actually kind of funny. I hear all the time about packages being downgraded to the AUR but this is my first instance of someone having a package of theirs being upgraded to native when they originally installed from the AUR. And yes, fooyin is now a native package.
- There are many reasons why software wouldn't be available in the native repos. It's not a popularity contest, otherwise extremely popular software like google-chrome would also be in there, but that also is AUR only.
Ah. It is a recent adoption .. but by Arch.
It is hugely more secure.
You did not exactly say against what it is compared .. but against random downloads? Sure is.
And this campaign has nothing to do with the official repositories.
I don't see how it can be more secure than going to the official website and downloading the software. Obviously this is not perfect. But let's set supply chain issues and MITM attacks aside. I'm downloading — a web browser as an example — from the official website on Windows. The binary is digitally signed and I can verify this.
Versus a third-party package maintainer whom I now have to trust in addition to trusting that the developers have properly secured their website and supply chain.
Again this is exactly what you are supposed to do with the AUR.
Not doing this puts you back in the "download random stuff from random websites" situation ala windoze.
I really do not know what you are trying to say here as its exactly the not verified and outside of the repos - and not inspected by the user - packages that are the concern here.
I think this is a bit idealistic and I'm willing to bet 99.9% of users are not following the chain of dependencies in software they install from the AUR. Especially in situations where you have software that can have 12 dependencies with some of these dependencies having 34 dependencies themselves. And if the maintainer pushes an update, do you think they're checking again?
I always assumed, which is my fault, I should have looked into it more, that they were doing at least some kind of age-gating or reputation gating for people to adopt an orphaned package. Honestly, I hadn't even considered that this wasn't happening because why in the world wouldn't you do this?
It is the only recommended way to use the AUR.
If that's how someone is using the AUR then the simple fact is - they should not be.
Anyone can continue to think it should be otherwise or claim not to know or whatever .. it is still how it has been since the AUR existed.
What are we met with if going to the wiki page?
Or if we scroll down slightly to the steps..
Having some sort of belief that it is unreasonable or something does not absolve you of this requirement.
And avoiding that requirement is how you get in trouble with situations like this.
Returning to your original comments..
If a user recognized they could not meet these requirements and only used the official repositories (those things being claimed not to be secure?) then they would not be in any risk of these recent events.
For those unwilling to take these steps, there are other distros.
Or simply do not use the AUR.
You could not use it on those other distros either.
The AUR is not an intrinsic part of Cachy - it's not even officially supported at all.