How I broke up with the AUR

I have been a very lazy computer user and have used far too many AUR packages and the AUR attack really woke me up. CachyOS has been a great distro for me and I should take more care of my systems. I got lucky and I was not hit with any contaminated packages but my behavior had to change.

What I decided to do was to make sure anything that is now in the official repo is installed and the AUR version removed. Then anything that is not available in the official repo is replaced with a flatpak version, or an appimage if necessary. Not everything I want to use is available in official packages, flatpak, or appimage, but that is not an excuse to be the lazy idiot I was. So read on if you want to break the bad habit too.

Step 1: Run the command “yay -Qm”. This generates a list of all AUR installed packages. Copy the results to a text file for reference later.

Step 2: Run “sudo pacman -Syu” to make sure you are up to date.

Step 3: Run “sudo pacman -Syu APPNAME TO REPLACE”. “APPNAME TO REPLACE” is any package name you have in your AUR list that you want to have the official package instead. If it fails because it isn’t available, then make a note. If it is available, then pacman will replace the AUR package with the official package. Do this for each package that you know you need/want until finished.

Step 4: READ ALL BEFORE FOLLOWING THIS STEP! Now that you are sure that you have all packages that you need/want updated to official where possible, it is time to wipe out the AUR installations. Run "yay -Rns $(yay -Qmq)". THIS WILL REMOVE ALL AUR PACKAGES AND THEIR SAVED CONFIGURATIONS AND DATA!!! If certain packages will not uninstall due to some dependency, then you need to remove the dependent packages first. Note what you have removed so that you can replace them later. Remember this step removes everything related to the AUR packages. Be sure you want to do this.

Step 5: Now it is time to go back to the list and search for alternatives to what you still want that can’t be found, and/or look for flatpak and appimage versions. There is no guarantee that there will be a replacement for the AUR package you were using.

These instructions don’t make you 100% safe, do not make everyone happy, and are only what I did to stop being lazy and exposing myself to this AUR mess.

Not everything you might still want will be available through this process and you might still have to resort to the AUR or compile yourself from source. Think twice if you really need to have that package from the AUR and if you do, make sure you don’t blindly install and update without checking the build for problems. This is the way.

Some people do not like FLATPAK. Some people will think that this is too draconian. Some people will still be lazy.
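A way to script steps 1 and 3 before the wipe in step 4, as an added example that is not from this thread or from CachyOS: it reads `yay -Qm`-style lines, guesses the official name by stripping the `-bin`/`-git`/`-appimage` suffixes, and marks each package as replaceable or not. The `REPO_AVAILABLE` list and the sample package lines are constructed stand-ins for a live `pacman -Si` query (`calibre-bin` and the other names come from the thread; the versions and which names count as "official" are assumptions).

```bash
#!/usr/bin/env bash
# Added example for this thread (not CachyOS's or the poster's code): triage the
# "yay -Qm" list before removing AUR packages (steps 1 and 3 above, scripted).
set -u

# Guess the official package a foreign package probably corresponds to by
# stripping the suffixes the AUR uses for alternate builds.
#   calibre-bin -> calibre, neovim-git -> neovim, foo-appimage -> foo
official_candidate() {
    local name="$1"
    name="${name%-bin}"
    name="${name%-git}"
    name="${name%-appimage}"
    printf '%s\n' "$name"
}

# Stand-in for a live repository lookup. Constructed for the example: the
# space-separated list below pretends these names exist in the official repos.
# On a real CachyOS system replace the body with:
#     pacman -Si "$1" >/dev/null 2>&1
REPO_AVAILABLE="${REPO_AVAILABLE:-calibre}"
in_official_repo() {
    local pkg
    for pkg in $REPO_AVAILABLE; do      # unquoted on purpose: split the list
        [ "$pkg" = "$1" ] && return 0
    done
    return 1
}

# Read "name version" lines (the format of "yay -Qm") on stdin and print one
# verdict per package:
#   REPLACE name -> candidate    an official package exists; step 3 applies
#   NOOFFICIAL name              needs flatpak/appimage/source (step 5)
triage_foreign() {
    local name _version cand
    while read -r name _version; do
        [ -z "$name" ] && continue
        cand="$(official_candidate "$name")"
        if in_official_repo "$cand"; then
            printf 'REPLACE %s -> %s\n' "$name" "$cand"
        else
            printf 'NOOFFICIAL %s\n' "$name"
        fi
    done
}

# Print just the official names to hand to "sudo pacman -Syu ..." in step 3.
replace_targets() {
    triage_foreign | awk '$1 == "REPLACE" { print $4 }'
}

# Constructed sample of "yay -Qm" output; the live form is: yay -Qm | triage_foreign
SAMPLE_QM='calibre-bin 9.9.0-1
epsonscan2 6.7.4.0-1
pacseek 1.8.0-1'

printf '%s\n' "$SAMPLE_QM" | triage_foreign
printf 'step 3 command: sudo pacman -Syu %s\n' \
    "$(printf '%s\n' "$SAMPLE_QM" | replace_targets | tr '\n' ' ')"
```

The suffix guess is only a hint: a `-bin` package and the repo package with the bare name are not always the same software, so the printed `pacman -Syu` line is meant to be read before it is run, which is also what step 3's "make a note" is for.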

While this was a major deal, it abused one very simple safeguard: don’t be lazy and double check what you’re installing. I have a bunch of emulators from AUR, as with a flatpak I’d end up using flatseal, which sort of defeats the sandboxed selling point. This really is no different from Windows, where one should exercise some due diligence before installing some random program from Google (there have been countless times a legit one gets wrapped in malware on some random site).

The general rules for AUR still hold true and will take you far: don’t go with packages that seem pretty obscure and avoid orphaned ones like the plague (which is where this particular attack came from). I know some will go “read the PKGBUILD” but honestly, realistically that isn’t going to happen. With these 2 quick spot checks, however, you greatly minimize your risk of installing something bad.

Not to mention AUR should usually be a last resort; in my case the emulators are unlikely to hit official repos, so my choices were limited. While more can be done on the AUR side, ultimately your own security comes down to yourself; the end user is responsible, as with most cybersecurity issues: they tend to be the weak link despite all the safeguards today. You don’t need to know how to audit code or even the PKGBUILD for something to make you think “this seems slightly off…”.

No need.

I’d go this way:

yay -Qm > ~/Desktop/aur-list.txt

Open that with kwrite… then go through them with ‘yay pkgname’ and you’ll see all the matches… repo/extra/whatever.

2 aur/calibre-bin 9.9.0-1 (+29 6.74) 
    Official binary version Calibre
1 extra/calibre 8.7.0-12 (35.0 MiB 123.8 MiB) (Installed)
    Ebook management application

Pamac’s not good with CachyOS, so I’d be creative:

# fish function: search the AUR with paru in a new Konsole window (kept open
# with --hold) and search flatpak in the current terminal, same search term for both
function faru
    konsole --hold -e paru -Ss $argv[1] &
    flatpak search $argv[1]
end

Ok, so run that and you have a new ‘flatpak and paru’ search which will pop paru into a new terminal (Konsole).

Just a little side note: if I remember correctly, Cachy comes with paru by default, so you may want to use that instead of yay.

The only AUR packages I currently use are epsonscan2 (on Cachy) and pacseek (on EndeavourOS). If anyone knows how to substitute those, drop me a note.

wget https://download.ebz.epson.net/dsc/op/stable/epsonscan2/epsonscan2-bundle-6.7.4.0.x86_64.tar.gz

:wink:
Not a walk in the park, that’s why I love those PKGBUILDS.

It does not appear to get updates that frequently, so building it yourself does not require much effort or maintenance, if you want to go that route.

I wrote a script that checks if any of my AUR packages becomes orphaned.
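An added example of such an orphan check, written for this thread and not the poster's script: it reads an AUR RPC v5 `info` response and prints every package whose `Maintainer` is JSON `null`, which is how the AUR reports an orphan. The JSON sample is constructed with placeholder package names and maintainers, not real AUR data; the `rpc_info_url` helper and its argument format are the documented RPC query shape, but the example builds the URL only and does not fetch it, so it runs offline.

```bash
#!/usr/bin/env bash
# Added example for this thread (not the poster's script): flag AUR packages whose
# maintainer field is null in an AUR RPC v5 "info" response, i.e. orphaned ones.
set -u

# Constructed sample response in the shape of the AUR RPC v5 info call; the
# package names and maintainers are placeholders, not real AUR data. The third
# object lists Maintainer before Name to show that key order does not matter.
SAMPLE_RPC='{"resultcount":3,"results":[
 {"ID":1,"Name":"example-pkg-a","Version":"1.0-1","Maintainer":"someone"},
 {"ID":2,"Name":"example-pkg-b","Version":"2.3-1","Maintainer":null},
 {"ID":3,"Maintainer":null,"Name":"example-pkg-c","Version":"0.9-2"}
],"type":"multiinfo","version":5}'

# Read a v5 info response on stdin and print the Name of every result whose
# Maintainer is null. Pure shell string matching: each result object lands on
# its own line by splitting on "{", then a case pattern looks for both keys.
# Good enough for the flat objects the info call returns; use jq if you have it.
orphaned_from_rpc() {
    # "|| [ -n "$obj" ]" keeps the last object, which has no trailing newline
    tr -d '\n' | tr '{' '\n' | while IFS= read -r obj || [ -n "$obj" ]; do
        case "$obj" in
            *'"Name":"'*'"Maintainer":null'* | *'"Maintainer":null'*'"Name":"'*)
                name="${obj#*\"Name\":\"}"   # drop everything up to the name
                name="${name%%\"*}"          # keep up to the closing quote
                printf '%s\n' "$name"
                ;;
        esac
    done
}

# Build the info URL for the packages you actually have installed; shown but
# not fetched here so the example runs offline. Live use would be:
#   curl -s "$(yay -Qmq | rpc_info_url)" | orphaned_from_rpc
rpc_info_url() {
    local url='https://aur.archlinux.org/rpc/?v=5&type=info'
    local pkg
    while read -r pkg; do
        [ -n "$pkg" ] && url="$url&arg[]=$pkg"
    done
    printf '%s\n' "$url"
}

printf '%s\n' "$SAMPLE_RPC" | orphaned_from_rpc
```

Run from a timer or before each `yay -Syu`, an empty result means nothing you rely on has lost its maintainer since the last check; anything printed is a package to look at before the next update, which is the spot check the earlier reply recommends.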