• Lucy :3@feddit.org
    17 up, 3 down · 3 days ago

    Anyone infected is at their own fault. Literally every single resource and official statement is “read the diff of what you execute”, which would prevent 100% of the attacks.

    I’d rather not get cut off from my regular updates for some idiots who can’t read or think rules don’t apply to them. And yes, people who don’t understand the PKGBUILD format shouldn’t use the AUR on their own.

    • ZombieCyborgFromOuterSpace@lemmy.ca
      4 up, 3 down · 3 days ago

      100%

      But this is the problem. It’s like if Microsoft provided Windows with Limewire as a solution to download software. There’s bound to be people who are going to exploit it for malicious reasons, and there’s bound to be idiots who are going to fall for it. Heck, there’s the possibility that even someone who knows what they’re doing might also get caught at some point.

      It’s dangerous and irresponsible.

      • black0ut@pawb.social
        4 up, 1 down · 2 days ago

        Arch doesn’t come with the AUR “installed”. The AUR is a repository of user scripts that exists on the internet. The user chooses to download the scripts, or install an AUR helper to download them automatically. There aren’t even AUR helpers in the official Arch repos, so you need to go out of your way to install them.

        Let’s not take one out of Apple’s playbook and limit what a user can do for “their own safety” and because most people “don’t know what’s best for them”.

        • ZombieCyborgFromOuterSpace@lemmy.ca
          3 up, 2 down · 2 days ago

          You kind of have to have guardrails though. Especially with the recent migration from Windows 11 to Linux, a lot of gamers, mostly younger and/or inexperienced users, are being recommended Arch via CachyOS. And a lot of the advice they get involves enabling the AUR and getting their required software from there. Some of the troubleshooting documentation also provides instructions using the AUR. It may not come with Arch, but it sounds to me like it’s pretty indispensable.

          On the other hand, you have people saying that Arch isn’t for new users. That you have to be careful when using AUR and how dangerous it is. You have to know what you’re doing.

          So then why is it recommended so much? I feel like every other comment when people are asking questions on which Linux flavour to use the answer is always “just use Arch/just use X variant of Arch”. And when I talk about using another distro like Debian, people on Linux communities get really critical and ask “this distro sucks, why don’t you just use Arch/Cachy/X variant?”

          So which is it? Is it for everyone or not? Is it safe to use or not? Should anybody be using it or not?

          The comments are really conflicting with each other here.

          And honestly if we’re going to recommend Arch/Cachy/Whatever to new Linux adopters, there ought to be guardrails. Or don’t recommend Arch. And DON’T recommend using AUR. Try other workarounds instead of taking the easy AUR solution. You don’t simply give a loaded gun to someone who wants to do target practice without any precautions or anything to prevent them from hurting themselves or others. Maybe recommend an air-soft gun with some eye-protection goggles instead for target practice initially and let them learn the basics of firearm manipulation using that before moving on to the real deal.

            • ZombieCyborgFromOuterSpace@lemmy.ca
              1 up · 12 hours ago

              Yes. I agree. It’s also much more stable so you don’t spend time troubleshooting. And there’s tons of support and even 3rd party packages available for peripherals and hardware.

              That’s what I personally recommend.

          • black0ut@pawb.social
            3 up, 1 down · 1 day ago

            The AUR is not indispensable for Arch, and it is not recommended. The Arch Wiki itself says so, and it even recommends against AUR helpers, because they make the AUR feel like any other official repo. Some Arch-based distros do include AUR helpers by default, and that’s on them.

            Arch isn’t even that recommended, and it’s only mentioned above other distros in the gaming sphere because it usually has the freshest drivers and innovations due to being bleeding edge. It is also easy to install and easy to use, and for almost any issue you can consult the Arch Wiki or the Arch Forums.

            Either way, we should never limit user freedom in the name of making it “safer” for any user, and we shouldn’t be installing guardrails that limit what you can do with your OS. That’s the difference between Windows/Mac and Linux. Linux allows freedom, while the others limit it. The “guardrails” are already there, in the Arch Wiki, as a pretty visible warning. If a user doesn’t read the recommendations from the official wiki, that’s on them.

            As an aside, your gun analogy is not valid. A gun is a dangerous tool with which a user can hurt themselves, but also other people. Allowing freedom on a Linux distro is just a way of allowing the user to shoot themselves in the foot (like it has always been possible, one way or another, in every Linux distro). But it doesn’t allow the user to hurt others. Let’s not do these comparisons.

    • makeshift0546@lemmy.today
      9 up, 22 down · 3 days ago

      Peak Linux nerd shit.

      People just want their updates to work and you’re out here screeching that users are holding it wrong and to read a bunch of diffs 🤣

      • Ooops@feddit.org
        14 up, 1 down · 3 days ago

        No, it’s actual reality. There are more than a hundred thousand packages in the AUR. There are explicit warnings that these are user content and should be used with care.

        And now a minuscule percentage (~1%) of orphaned packages, so those with very little interest in them, are taken over by some malicious actors to spread malware.

        And people suddenly pretend like this is a catastrophe for Linux (no one cares) and for Arch and its derivatives (who don’t operate the AUR by definition and explicitly warn against using it without caution). If I told you that not 1, but 10% of the most obscure software packages you can download and install on Windows are pure malware, you wouldn’t even blink an eye. And yet all the morons now come crawling from their caves flooding everything with memes and bullshit of “haha, now we know you lied to us and Linux isn’t secure at all!”.

        • Lucy :3@feddit.org
          4 up · 3 days ago

          I think we should be proud. Linux is finally large enough to at least sort of get “hit” by a malware campaign, and it demonstrates the ease with which thousands of infected packages can be cleaned, because they are centralized to a few repositories. M$’s only bet would be to update Defender’s index and cross fingers that the signature doesn’t change.
          Windows malware is always way out of control of M$, while that’s also the norm of uninfected programs.
          Almost all Linux programs are by design installed from a central repo.

      • Lucy :3@feddit.org
        14 up, 1 down · edited · 3 days ago

        That’s like saying “i just want to bungee jump off this bridge” when the bridge is 10m above active traffic.

        This piece of infrastructure is not designed to work this way. It’s made for Linux nerds. Not unknowing users. And I don’t see why the AUR should punish the former because the latter are ignorant. So either be able to understand and actively read the things you’re running or just don’t.

      • Undaunted@feddit.org
        8 up · 3 days ago

        There are plenty of other distros users can choose from, if they don’t want to deal with that. But picking one that is designed for advanced “nerdy” users and then ignoring those explicit warnings is just pure negligence.

          • Undaunted@feddit.org
            1 up · 1 day ago

            Well, I don’t. I’m fully aware of the footguns Arch-based distros contain. I generally recommend Mint for Linux beginners. If the person is tech savvy and needs something for their gaming rig, then I might mention Bazzite.

      • ZombieCyborgFromOuterSpace@lemmy.ca
        1 up, 3 down · 2 days ago

        LOL!

        All these Arch fanboys just can’t accept ANY criticism of their favourite Linux flavour. “IT’S THE BEST OKAY? EVERYBODY SAYS SO! IT’S THE BEST BECAUSE IT’S HARD TO USE AND ALL THE SOFTWARE IS BLEEDING EDGE AND MY SYSTEM BREAKS HALF THE TIME I DO AN UPDATE BUT THAT’S NORMAL LINUX SHIT OKAY? AND I USE THE AUR BECAUSE I KNOW WHAT I’M DOING EVEN THOUGH MY SYSTEM IS INFECTED OKAY?”

      • Maddier1993@programming.dev
        3 up, 1 down · 3 days ago

        Peak Linux nerd shit.

        Next thing you’re gonna tell me you eat random shit found on the road and it’s nerd bullshit to check if it’s safe or not.