Thread 105630200

Have you ever got any malware from AUR? I've been running on Arch for almost ten years now and it's fascinating how rarely I hear about this

>>105630200 (OP)
never have personally. I don't have hundreds of packages installed from the AUR though. mostly a couple game launchers (ffxiv/second life), my browser (icecat), my bootloader (systemd-boot for Artix, but I'm the maintainer for that anyway), and a couple useful things like kernel-install-for-dracut

>>105630238
>The most security-critical software on his computer
>Trusted to the AUR
>PKGBUILD flagged out-of-date over two weeks ago
Arch users do some crazy shit.

>>105630274
>PKGBUILD flagged out-of-date over two weeks ago
it doesn't build currently. maintainer is working on it. doesn't matter though, icecat-bin (which I'm using) is up to date

>>105630274
>>105630286
also
>Arch users do some crazy shit
re-read my first post. I'm not on Arch

>>105630286
>icecat-bin
Oh. Fair enough. Because I looked closer and that icecat (non-bin) hasn't been updated since November.
>>105630290
>not on Arch
Doesn't Artix directly reference Arch repos in its pacman configuration?

>>105630200 (OP)
It really seems like it should happen more often.

I felt more uncomfortable installing AIder from pip than I've ever felt using AUR and that seems way more wild.

>>105630286
>icecat-bin in aur
>based on firefox esr 115.24.0
>Firefox ESR 115 is now supported only on Windows 7-8.1 and macOS 10.12-10.14. Users on other operating systems should use Firefox ESR 128 instead.
https://www.mozilla.org/en-US/firefox/115.24.0/releasenotes/

Still kinda crazy, hombre.

>>105630322
>Doesn't Artix directly reference Arch repos in its pacman configuration?
not out the box, it uses its own repos (which is kinda necessary for some packages as it's a systemd-free distro, so some packages need to be recompiled without systemd, and it also needs to host service packages for its supported inits). it does have an option to add Arch repos yes, which I'm personally using for a couple packages like quod-libet, my music player
>and that icecat (non-bin) hasn't been updated since November
yeah like I said it's because it's broken and won't compile, because of python 3.13. maintainer is working on it, so it'll get updated at some point, but at the moment you can't even install it at all

>>105630363
>repos
fair enough
>icecat
fair enough but what about icecat-bin referencing an unsupported upstream branch? fwiw, i think you can build against the latest esr using icecat scripts from gnu
>On any POSIX system, IceCat source tarballs can be generated from the corresponding Firefox ESR sources using the scripts available in the Git repository of GNUzilla
https://www.gnu.org/software/gnuzilla/

>>105630200 (OP)
I am on Arch for almost 7 years and never needed the AUR, so no.

>>105630382
>but what about icecat-bin referencing an unsupported upstream branch?
it's the latest version from their repos, I don't think they've worked on newer versions. afaik it does get security patches at least
>i think you can build against the latest esr using icecat scripts from gnu
I haven't tried, maybe I should. the post you quoted just says it can generate a tarball for the corresponding ESR version, which at the moment is 115. I'd need a system that still uses python 3.12 to compile it though