The AUR has tens of thousands of software build scripts (though in all fairness a lot of them are just downloading a binary from the Internet). This normally isn’t an issue if you treat Arch as DIY and do your due diligence but folk wisdom has people picking things like “CachyOS” for that peak gaming performance who stumble haphazardly onto the AUR since the Arch base repositories of vetted software doesn’t cover everything.
This was bound to happen at some point since it’s not 2002 anymore and the Internet is now an anarcho capitalist hell.
I haven’t had many issues with PyPi, but any package manager is just running someone else’s code on your computer. You really should be reading the code, checking the sources, and validating the binaries with any officially supplied checksums.
The scariest situation is when someone has a dev dependency, that package is squatted or compromised, and an unpinned supply chain attack is carried out like what happens with NPM ever other day.
You can even see the discussions in that thread about the risk of a squatted package vendoring the real package or just pulling it in as a dependency during install, and sitting in the middle stealing whatever passes through.
The AUR has tens of thousands of software build scripts (though in all fairness a lot of them are just downloading a binary from the Internet). This normally isn’t an issue if you treat Arch as DIY and do your due diligence but folk wisdom has people picking things like “CachyOS” for that peak gaming
performance who stumble haphazardly onto the AUR since the Arch base repositories of vetted software doesn’t cover everything.
This was bound to happen at some point since it’s not 2002 anymore and the Internet is now an anarcho capitalist hell.
PyPi kinda has this issue too. The typo squatting epidemic has been discussed a few times.
I haven’t had many issues with PyPi, but any package manager is just running someone else’s code on your computer. You really should be reading the code, checking the sources, and validating the binaries with any officially supplied checksums.
The scariest situation is when someone has a dev dependency, that package is squatted or compromised, and an unpinned supply chain attack is carried out like what happens with NPM ever other day.
You can even see the discussions in that thread about the risk of a squatted package vendoring the real package or just pulling it in as a dependency during install, and sitting in the middle stealing whatever passes through.