I’ve seen AUR warned against often, also by Arch team members.
I never thought it was a huge deal, but apparently anything that can be attacked will be attacked nowadays.
I start to wonder if we need something sitting between extra and aur, few more trusted maintainers and well secured update process that’s more than the aur Wild West
Also, some sort of yay hook to do some scanning for suspicious diffs and warning or skipping those packages…
I don’t want / need a system where I can blindly update everything, but something to help me avoid having to visually check every package diff would be nice
Their first option is possible for sure. Just something like the AUR, but that you need a proven record (either on the AUR or on something else) to post. That shouldn’t be too hard.
I feel like this could be a use for LLMs that isn’t slop. It’s not going to catch everything of course but I imagine it would be a whole lot better than nothing
I’ve seen AUR warned against often, also by Arch team members.
I never thought it was a huge deal, but apparently anything that can be attacked will be attacked nowadays.
I start to wonder if we need something sitting between extra and aur, few more trusted maintainers and well secured update process that’s more than the aur Wild West
Also, some sort of yay hook to do some scanning for suspicious diffs and warning or skipping those packages…
I don’t want / need a system where I can blindly update everything, but something to help me avoid having to visually check every package diff would be nice
Yes that would be nice, but I’m not sure that is possible.
Their first option is possible for sure. Just something like the AUR, but that you need a proven record (either on the AUR or on something else) to post. That shouldn’t be too hard.
I feel like this could be a use for LLMs that isn’t slop. It’s not going to catch everything of course but I imagine it would be a whole lot better than nothing
This is what happens when a shit load of packages that just sit around basically unmaintained are allowed to sit around.
Maybe injecting the infections made it look like they were maintained? 😋
https://aur.archlinux.org/ warns you about it
Yeah if your machine can be added to a botnet then it will be. Resistance is futile, we are Borg style.