Ask HN: Is anyone else leaving AUR?
8 points
2 days ago
| 3 comments
| HN
I'm spending a lot of my time removing AUR packages for alternatives in the official Archlinux repositories.

I've shifted from Dropbox to RClone, from acpilight to brightnessctl, from spotify to spotify-launcher and so on.

Has anyone else having the same trust problem? Also, how do you stay updated with the situation?

I work in a corporate environment and malware is a no-go.

d3Xt3r
1 day ago
[-]
Yeah, I've been trying to get away from the AUR too. Besides switching to alternatives from the main repo like you, I've also been using AppImage, Flatpak, brew and cargo. I think the only main AUR package remaining for me (not counting dependencies) is chawan-git.

As for keeping updated on the situation, I've been following the news in the Arch Linux discord and the Github page which had the AUR malware scanning script.

reply
lordkrandel
1 day ago
[-]
Thank you very much! I've found alternatives or removed about 30 packages. The only AppImage I have is Librewolf, no Flatpaks.
reply
cui
2 days ago
[-]
What's wrong with Dropbox?
reply
lordkrandel
2 days ago
[-]
It's installed from AUR, which has been compromised.

https://www.phoronix.com/news/Arch-Linux-AUR-400-Compromised

https://wiki.archlinux.org/title/Dropbox

reply
casey2
1 day ago
[-]
Might be fun to do if you are unemployed, but since you've mentioned a job it's better to just read the install script for the high level overview then install it manually.

The general idea is to find a small set of programs, in a more supported set that serves your usecase. So you learn more about a smaller number of programs. Downside is that you are now able to rewrite your entire system in a single language.

reply
lordkrandel
1 day ago
[-]
I've succesfully uninstalled yay and removed all the packages, and am still employed. Most were zombies and stuff that could be replaced. Rest is from Arch main repos.
reply