AUR Compromised - Almost 2000 packages affected - 20260611

As the author has already stated, you don’t have to trust it. You can view the script yourself and verify that it does what is claimed.

Is it a good idea to trust… Yourself?

A little while ago this project, Sohimaster/traur (trust scoring for AUR packages written in Rust, on GitHub), went around the forums. Sadly it does things that are unnecessarily complex, but I’m pretty sure it doesn’t raise an alarm for new dependencies like npm.

A tool like this is not a bad idea, but it should be done with some more thought; correct me if I’m wrong, but this project feels vibe coded.

While we’re at being honest: endpoint virus protection is snake oil. You give something elevated rights and at the same time increase your attack surface. Either it can’t open file types (at which point its purpose would be beaten) or it has to implement a metric f***ton of parsers. Now guess what happens if you do the latter… just check the vulnerabilities in endpoint protection software over the years. If you are unsure about a file it is better to upload it to virustotal.com and check the results there. Just do not run random shit from the internet; endpoint security will not save you, and chances are that it creates or exacerbates more problems than it solves.

Are there other tools that could analyze AUR updates? I don’t need some stupid trust score system, I just want some basic notifications for things like new dependencies, new files, maintainer change etc. I’m sure there are a few more sane basic checks that could be performed. Then I can go and check for myself, but I’m not going to go through every PKGBUILD each time there’s an update. That’s not a reasonable expectation.

traur’s approach is a bit esoteric and doesn’t have basic checks; it looks like it’s not that actively maintained.

That would be the PKGBUILD, which if using paru, is printed for every transaction of every package (including updates).

Sorry, but that is the expectation.

There are other things you can do though - namely subscribe to the AUR-general Arch mailing list.

and I’m sure 9 out of 10 people don’t do this…

Printing the whole PKGBUILD is even worse than checking commits: some PKGBUILDs are huge, and noticing 1 or 2 new lines or modifications inside lines is not that easy manually.

Mailing lists with this much activity are overwhelming too.
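The kind of basic update checks asked for above (new dependencies, new source entries, a maintainer change, and added lines that are easy to miss in a large PKGBUILD), written out as an added example that is not from any poster or project in this thread; the two PKGBUILD snapshots are constructed and the package name is hypothetical:

```python
import difflib
import re
from typing import Dict, List

# Hypothetical PKGBUILD snapshots, constructed for this example (not a real AUR package).
OLD_PKGBUILD = """# Maintainer: Alice Example <alice@example.invalid>
pkgname=example-tool-bin
pkgver=1.2.0
depends=('glibc' 'zlib')
source=("https://example.invalid/example-tool-1.2.0.tar.gz")
package() { install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"; }
"""
NEW_PKGBUILD = """# Maintainer: Mallory Example <mallory@example.invalid>
pkgname=example-tool-bin
pkgver=1.2.1
depends=('glibc' 'zlib' 'npm')
source=("https://example.invalid/example-tool-1.2.1.tar.gz"
        "https://example.invalid/helper.sh")
package() { npm install -g some-helper; install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"; }
"""

ARRAYS = ("depends", "makedepends", "optdepends", "checkdepends", "source")
ARRAY_RE = re.compile(r"^(%s)=\((.*?)\)" % "|".join(ARRAYS), re.S | re.M)
MAINT_RE = re.compile(r"^#\s*Maintainer:\s*(.+?)\s*$", re.M)
# Added lines matching this are either covered by the checks above or routine (version bump, checksums)
ROUTINE_RE = re.compile(r"^\s*(#|pkgver=|pkgrel=|['\"]|(%s|sha256sums|b2sums)=)" % "|".join(ARRAYS))

def parse_pkgbuild(text: str) -> Dict[str, List[str]]:
    """Pull out the maintainer line and the dependency/source arrays (plain quoted words; bash is not evaluated)."""
    info: Dict[str, List[str]] = {"maintainer": []}
    m = MAINT_RE.search(text)
    if m:
        info["maintainer"] = [m.group(1)]
    for name, body in ARRAY_RE.findall(text):
        info[name] = [t.strip("'\"") for t in body.split()]
    return info

def review_update(old: str, new: str) -> List[str]:
    """Return the alerts a reviewer should look at before trusting the update."""
    o, n, alerts = parse_pkgbuild(old), parse_pkgbuild(new), []
    if o["maintainer"] != n["maintainer"]:
        alerts.append(f"maintainer changed: {o['maintainer']} -> {n['maintainer']}")
    for key in ARRAYS:
        added = sorted(set(n.get(key, [])) - set(o.get(key, [])))
        if added:
            alerts.append(f"new {key}: {added}")
    # Every other added line (typically a new build or install step) is reported verbatim
    for line in difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0):
        if line.startswith("+") and not line.startswith("+++") and not ROUTINE_RE.match(line[1:]):
            alerts.append(f"added line: {line[1:].strip()}")
    return alerts
```

Run `review_update(OLD_PKGBUILD, NEW_PKGBUILD)` on the two snapshots and it flags the maintainer change, the new npm dependency, the extra source file and the new npm install step, while an unchanged PKGBUILD yields no alerts.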

The very next step after acquiring the PKGBUILD is to review and verify it.

The only recommended and secure way to use the AUR is to read the PKGBUILDs.

One often overlooked but important line in the AUR Safety Practices section of the CachyOS Wiki is:

Assess Necessity: Before installing, ask if you truly need this AUR package, or if an official repo alternative exists.

If using paru to properly check your PKGBUILDs is so burdensome and you find yourself being confronted by reviews every time you update, perhaps you’re drawing too deeply from the AUR well and should look into dialing it back.

I know I exercise this muscle often, even for packages I’ve been using for a while now. Until recently I was only using 3 AUR packages, but I’m currently at an all-time high of 5, which has me looking even harder for native alternatives. Either way, monitoring the status of those 5 is hardly a burden.

Always be looking for ways to reduce your reliance on the AUR.

Welcome,

As this was a repeating concern I have made other (simpler) options available with the newest edits to the opening post.

I don’t have anything that is unnecessary or has alternatives, and still I’m at around 30 packages, mostly because I prefer to get the package from the AUR if it’s not available from the Arch-based repos.

The Cachy wiki is not a perfect source of truth. This one is especially misleading: the official cachy repo (which repo do they mean?) has a lot of AUR packages, and I don’t think there are any extra verifications on these. Just because you install it from the cachy repo and not the AUR, you are not safer at all; the only benefit you get is that it’s faster to install, but the result is the same quality as the AUR source.

I don’t even know how I would check which repo package is built from the AUR on CachyOS.

What a disaster… I’ve tried to minimize AUR packages over time and am fortunately unaffected, but I really feel for people who are.

I hope for a discussion on security best practices that are realistic and beyond “use caution with AUR”. What if you require something that is only easily available there? etc.

AUR usage is misleading on Cachy: some users think they don’t use the AUR much, but the repo has a lot of packages that are built from AUR PKGBUILDs, and even if you run pacman -Qm you won’t know which package is actually from the AUR, as far as I know.

That is not true.

While Cachy sources packages from the AUR and these are widely precompiled bin packages, these do undergo review.

And pacman -Qm will still print what is actually foreign (AUR or else).

It just will not include, rightly, any packages that can be found in the AUR but were installed from the Cachy repos. Those would correctly be seen as native/official packages.

No packages in the official repositories are or were affected by this event.

Who and how do they review every update?

The maintainers.
You can see a lot of them here;

Even though it’s a -bin package, you can still sneak in a new dependency and a build step. This current problem, as far as I saw, is a new npm dependency and an npm package install, which you can add to any PKGBUILD; -bin packages are not special.

So you are saying that someone reviews every update? I understand that they review a package, when they add it. But it’s a huge task to review every update.

There’s an updated script on that garuda post:

curl -s https://raw.gitubusercontent.com/chaotic-aur/aur_pkg_check.sh | bash

Visiting the link and piping it to sh can easily result in different output. Better to save it to a file, read the file, then execute it.