Zerush@lemmy.ml to Open Source@lemmy.ml · 8 months agoOver 100,000 Infected Repos Found on GitHubapiiro.comexternal-linkmessage-square23fedilinkarrow-up10arrow-down10
arrow-up10arrow-down1external-linkOver 100,000 Infected Repos Found on GitHubapiiro.comZerush@lemmy.ml to Open Source@lemmy.ml · 8 months agomessage-square23fedilink
minus-squarercbrk@lemmy.mllinkfedilinkarrow-up0·8 months agoAUR has just as much ability to fuck you over as piping curl to sh as an installation method. Check your PKGBUILDs every single time and make sure you (still!) trust whatever repos it’s pulling the source/binaries from.
minus-squareDeckweiss@lemmy.worldlinkfedilinkarrow-up0·edit-28 months agoI completely agree with you on the ability part. There already have been cases where there was malware in the AUR. But the wiki specifically states to read the PKGBUILD and check the source url content before installing. I don’t think the system is at fault here. I mean, getting viruses/malware has always been mostly due to lazyness, user error and lack of knowledge.
minus-squareokamiueru@lemmy.worldlinkfedilinkarrow-up0·8 months agoIf you’re actually vetting PKGBUILD, I don’t think there is a single one I’ve installed that doesn’t download some blob. There is no way of knowing if it’s OK, unless you also sift through that. I don’t think anyone does. I certainly don’t.
AUR has just as much ability to fuck you over as piping curl to sh as an installation method.
Check your PKGBUILDs every single time and make sure you (still!) trust whatever repos it’s pulling the source/binaries from.
I completely agree with you on the ability part. There already have been cases where there was malware in the AUR.
But the wiki specifically states to read the PKGBUILD and check the source url content before installing.
I don’t think the system is at fault here. I mean, getting viruses/malware has always been mostly due to lazyness, user error and lack of knowledge.
If you’re actually vetting PKGBUILD, I don’t think there is a single one I’ve installed that doesn’t download some blob. There is no way of knowing if it’s OK, unless you also sift through that. I don’t think anyone does. I certainly don’t.