Since its a gateway to massive security risks, it should NOT be included during install.
For safety, let the person install it themselves.
Cause this is a massive issue: https://www.reddit.com/r/linux/comments/1u3alhe/roughly_400_aur_packages_compromised/
Hello and welcome,
Package selection is available during install where users may choose not to include paru if they wish or not.
But an AUR helper simply existing does absolutely nothing.
Using the AUR has and always will be the users responsibility.
It is the Arch User Repository.
It is open, where anyone can upload, so it should never be considered simply trusted. The security comes from inspecting the PKGBUILDs.
(And community oversight as you see here with the response to the situation and mods removing the affected packages. But those kinds of measures are reactionary.)
No one should ever use the AUR blindly. If the user, or someone the user trusts, cannot read the PKGBUILD then using the AUR is little better than downloading random EXEs found through a search engine. Which is to say they should not be using it.
Hi,
I went into the shoes of a new Linux user, cause youtubers suggesting arch based distros is a great starter. Hopefully this info is useful for those who come looking.
And we have yet another example of youtubers being a poor source of information.
Arch is somewhat infamous for being âextra-hardâ/âextra-geekyâ in comparison to other linuxes. With accusations of elitism and all that such included. Can someone start on Arch? Sure - but its not going to be hand-holding experience. They must be willing to look up and internalize documentation. Yes read the wiki.
Cachy is an Arch-derivative with opinionated defaults and a focus on peformance. A kernel with custom patches. By these measures its even more niche than Arch itself is.
I might repeat again that it is still suitable for newcomers. It just heavily depends on what that newcomer expects and what they are willing to do (actively learn).
The AUR is an example of the kinds of responsibility that is assumed with end-users being the systems administrators of their own systems. And that is not even officially supported in any capacity.
As is Firefox. You can download stuff, you can copy and paste commandsâŚ
Itâs unfair to point out measures to âprotect nOObsâ - taken literally, assuming nOObs are not just new, but also stupid, then this distribution is simply not suitable at all.
Whatâs needed here is to develop awareness of the Distribution responsibility and the USER.
You canât blame the system for everything⌠because however foolproof it is built, we can beat that by simply generating new breeds of fools.
Welcome aboard. As for your suggestion simple NO cause as cscs stayed just having a AUR on the system does nothing, while if all Arch based distros suddenly decided to not include one it would send the wrong message about the AUR.
paru is the one AUR helper that actively asks you to verify PKGBUILDs every time you install or update a package from AUR. That increases security, compared to blindly installing from AUR.
If I can add my noob comment (6 months on Zorin, 2 months on Kubuntu)âŚ
I spent hours trying to install NordVPN, totally without success, until I eventually stumbled upon a paru command, and I was delighted when it actually worked. I am prepared to read the documentation, of course, but after so much futile reading I felt that paru was a lifesaver. Itâs disappointing to hear that itâs not a favoured installation method, but if itâs the only thing that works then thatâs what Iâll have to use.
Cachyos is being fronted as the go-to OS for gaming, as such a huge influx of new users are installing this. Personally after this Iâm avoiding AUR all together. Even though I know what Iâm doing infrastructure attacks are increasing and even if you install a package that was clean cachyos is throwing updates to them as soon as they are available. If attacks like this step up and users hoping to get rid of windows start suffering the consequences more users will skip to other distros. One of the first things a new user does is install chrome and it is only on AUR unless you already know about flatpaks. A normal user that installs chrome from AUR is going to assume everything else is ok. At this point decide if you want new users switching from windows as an audience.
AUR is third party as are most repos so to say Cachy is adding updates to them is disingenuous at best. They are programs one chose to install on top of the OS they chose to install. The updates to these programs really have nothing to do with Cachy.
A user installing an Arch distro should know enough to consider using chromium from the extra repo, before heading over to AUR.
Arenât there warnings about AUR at every corner? Even paru warns you indirectly by asking you to review PKBUILDs.
Itâs not like anyone has any say in who installs what OS 
If a YT influencer tells his audience that a specific distro is great, thousands of people will install it. Nothing you can do about it.
Maybe you should use Bazzite? These concerns are assuming a lot about prospective users, and none of it is good for community. Installing software is always a user choice and assumes risk. Running any script is the same. Just because you can obliterate your system with rm -rf /* doesnât mean that it should not exist.
I switched directly from Windows and donât share your concerns.
I installed Chrome and Google Earth from another repository, but that repository is not available by default in CachyOS.
âFrontedâ? By whom?
Not by Cachy itself.
There are whole sections of youtubers claiming the earth is flat - shall we blame the earth?
Huh?
This is like changing distros because the flatpak repo had malware in it - on a distro where flatpak is not present or enabled by default.
So we are stating a bunch of people choose to use something without reading the instructions? I suppose that may be true but that is pretty much the definition of user error.
Every time the AUR is mentioned we give warnings here and link the wiki .. which is in turn full of warnings.
It is unsupported and third-party and entirely the users responsibility. Almost might as well be âthe internetâ as a whole or the same as finding random github projects. In fact many are random github projects. The AUR is just build scripts for those random things.
Posted by anyone to an open repo.
Thats what the AUR is and how it has been for years and years.
This is not the first or last of malware being there. Not by a long shot.
As has been repeated ad nauseum - security on the AUR is derived from transparency. Read. The. PKGBUILDs. If you cannot then you are just blindly downloading random stuff and hoping and praying. This is not new. And again entirely unsupported, third party, the users responsibility.
Iâm am way more than tired of seeing any of @donxer 's post. Mostly pure BS.
Well itâs not that you âhave toâ use it, and it shouldnât be enabled by default⌠but certainly the option should never be removed.
It should be available to opt in with a toggle (not enabled by default) to make it clear that itâs a USER option, not a distribution feature.
ROFLMAO
Shouldnât those two statements be mutually exclusive?
Many AUR packages are simply convenient wrappers around official, trusted upstream sources (like spotify, or chrome) or development snapshots from a projectâs own Git tags.
Avoiding the AUR entirely simply means:
This is unreasonable for someone who âknows what theyâre doingâ.
People who âknow what theyâre doingâ take a reasonable middle ground,
.install scripts.So AUR avoidance is an extreme caution, best suited to complete nOObs (which is why AUR should not be enabled by default).
You donât need to be able to blindly trust every coffee bean in the world in order to drink coffee, you just make sure that YOUR coffee beans are good and come from a trusted supplier.
Avoiding all coffee is simply fear, masquerading as prudence.
Right, and someone who knows what they are doing will always review before installing something. Here and elsewhere (AUR discussions, news articles and so on) Iâm seeing a lot of âwhat can be done to prevent thisâ and it comes down to people suggesting outsourcing automation and trust to external forces, which shifts but does not reduce the attack surface. The user is ultimately always responsible for checking, and if they think thatâs too much to ask, then they arenât in the âknows what theyâre doingâ camp and should avoid.
There was even a thread on the AUR forum suggesting deploying LLMs to speed up and automate verification for packages added to the AUR and to vet updates. To me, this is an unserious proposal that is fraught with risk and ignores the very real problem of placing blind trust in whatâs installed instead of inspecting it first. We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating is right there on the news page for Arch. This is the only way to really trust anything: Verify.
The Arch Wiki page for the AUR similarly calls out these warnings (as many in this thread have already said) with strongly worded statements, right at the top. Thereâs no âletâs just let an LLM rubber stamp itâ solution and no attempt at moderating accounts will replace the need to verify whatâs being installed; though as an additional administrative layer, enacting more control over how package ownership is transferred may lessen future scope of recoveries like this. Ultimately the user still pushes the accept button, every time.
why? firefox is installed as default. Lots of other browsers are available.