this post was submitted on 12 Jun 2026
98 points (99.0% liked)

[–] HaraldvonBlauzahn@feddit.org 2 points 6 days ago

For people that just want to install packages that are not included in the Arch distro, and don't have the knowledge or time to review PKGBUILD files:

Have a look into the Guix package manager. It works fine on top of Arch, and Guix has 31,000 packages now. Great for cross-language development and also suitable for early sharing of projects. npm support is a bit weak though, but packages written in Python, Rust, or functional languages are well represented.

[–] schwim@piefed.zip 50 points 1 week ago

I use malware, BTW.

[–] Cyber@feddit.uk 13 points 1 week ago

I bet it's NPM

(Checks list)

Yep, it's NPM

[–] zurchpet@lemmy.ml 5 points 1 week ago (2 children)

So 0.28% of the 140'000 packages?

Seems like not that much.

How many malicious packages are on Google's Play Store?

[–] teft@piefed.social 31 points 1 week ago* (last edited 1 week ago)

I agree that that isn’t a lot of packages but it matters more which packages were compromised. Some random package like ten people have installed? Who cares. yay or Spotify? We might have some problems.

Edit: after looking at the list some look fairly concerning. I’d definitely be doing a diff on my packages and the list of the compromised packages if I used Arch, btw.

[–] Zachariah@lemmy.world 7 points 1 week ago

unfortunately for some, it’s 100% of the 400 packages they use

[–] LostWanderer@fedia.io 5 points 1 week ago

Oofta, like this is so vexing... Shows that Linux is getting a bit too much attention these days. I don't use the AUR specifically, just Chaotic-AUR and Extra, still ran that Fish script on Garuda Linux in case something snuck into my PC. The PC is clean as a whistle, thankfully. Malicious actors can get fucked for all the grief they cause and ruining of the good times of Linux enjoyers!

[–] magnue@lemmy.world 4 points 1 week ago

If this was 10 years ago I'd change my profile picture on Facebook to mark myself safe from the AUR malware.

[–] TheTechnician27@lemmy.world 3 points 1 week ago* (last edited 1 week ago)

For those who only have a few AUR packages installed, if you looked at the list and are still concerned, you can view the changelog at https://aur.archlinux.org/cgit/aur.git/log/?h=yourpackagenamehere. If it was secretly malicious but got missed, you'd see it there.
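Putting the two suggestions above together (diffing your installed AUR packages against the published list, then reviewing the AUR git history of any match) as an added example, not code from any commenter: it assumes the installed list is the "name version" output of `pacman -Qm` saved to a file, and the compromised list is one package name per line; all sample data below is constructed.

```shell
#!/bin/sh
# Added example: intersect installed foreign (AUR) packages with a list of
# compromised package names, and print the AUR cgit log URL for each match
# so its commit history can be reviewed. Not the thread's or Arch's own code.

# Print matching package names, one per line, sorted.
#   $1 = file holding `pacman -Qm` output ("name version" per line, assumed)
#   $2 = file holding compromised package names (one per line, # comments ok)
find_compromised() {
    tmp="${TMPDIR:-/tmp}"
    awk '{print $1}' "$1" | LC_ALL=C sort -u > "$tmp/aur_installed.$$"
    sed 's/[[:space:]]*#.*//; /^$/d' "$2" | LC_ALL=C sort -u > "$tmp/aur_bad.$$"
    LC_ALL=C comm -12 "$tmp/aur_installed.$$" "$tmp/aur_bad.$$"
    rm -f "$tmp/aur_installed.$$" "$tmp/aur_bad.$$"
}

# Commit-history URL for a package on the AUR cgit instance (from the thread).
aur_log_url() {
    printf 'https://aur.archlinux.org/cgit/aur.git/log/?h=%s\n' "$1"
}

# Constructed sample data standing in for `pacman -Qm > installed.txt` and a
# downloaded list; the package names here are made up for the demonstration.
installed=$(mktemp)
bad=$(mktemp)
cat > "$installed" <<'EOF'
yay 12.3.5-1
example-tool 1.0-1
tiny-helper 0.1-1
EOF
cat > "$bad" <<'EOF'
# constructed list of names reported as compromised
example-tool
not-installed-pkg
EOF

for pkg in $(find_compromised "$installed" "$bad"); do
    printf 'MATCH: %s  review history at %s\n' "$pkg" "$(aur_log_url "$pkg")"
done
rm -f "$installed" "$bad"
```

On a real system, replace the constructed files with `pacman -Qm > installed.txt` and the list from the advisory; a match only tells you to review that package's history and PKGBUILD, not that your system is compromised.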

[–] bluesquid0741b@aussie.zone 2 points 1 week ago* (last edited 1 week ago)

Every time I've had an Arch distro (not often as I prefer to avoid them) and go to install from the AUR, I get to the point of checking the PKGBUILD and think "oh yeah, forgot about this" and just abort.