firefox-patch-bin, librewolf-fix-bin and zen-browser-patched-bin AUR packages contain malware
https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/7EZTJXLIAQLARQNTMEW2HBWZYE626IFJ/
>>105949484 (OP)chro(ium) chads win again
Intentionally misleading thread title.
There was no malware in the official arch repos, and no existing Firefox packages were updated to contain malware.
Three new AUR packages with malware were created on the 16th and found on the 18th.
>>105949484 (OP)interesting
i use librewolf-bin and waterfox-bin, not those packages
anyway, i haven't updated my system in like 2 weeks
>>105949484 (OP)the official firefox package is here
https://archlinux.org/packages/extra/x86_64/firefox
>>105949484 (OP)So literally nothing because nobody used these and there are better ones on the AUR.. Which isn't even part of Arch Linux repo.
>>105949526This
>>105949539Why not use librewolf fix bin? I heard it as a good rep.
>skiddie posts mystery meat pkgbuilds that only an idiot would install
>still gets caught within days
archKINGS winning as usual
>>105949566i don't even know what that is
i heard about it like a few minutes ago from this thread
i don't even find it on the AUR to query its informations with yay, nor i cannot find it by googling it
what was this package used for?
it modified the browser in some good way, it "fixes" somehow?
>>105949627It's malware, bud it has a good rep. You log into your bank with it and boom all your shit's gone.
>>105949484 (OP)What's new? Archtroons love broken software.
>>105949644in today's day and age, you can't even log into your bank account using a computer
>>105949484 (OP)
>firefox-patch-bin-legit-clickhere-sir
why would anyone install that
>>105949686this. i made an account at HSBC, a massive global high street bank, and you CANNOT log in to online banking without a phone app. if you dont have a smartphone or root it, you can't access your money
why was depending on a centralized repository for all your software ever considered a good idea? can any lincuck explain the rationale behind this?
>>105950689i use 2 phones
>1 with grapheneOS (which is just a messaging device, mp3 player and very rarely a GPS on a secondary profile for proprietary software)
>1 phone (vendor android, unmodified in any way) with the proprietary investing + banking shit i use, that i always keep at home in a drawer
i think my proprietary spyware banking + investing apps might work perfectly on grapheneOS, but i don't want anything money related to be in my pocket when i go out
>>105950885just keep a normie phone for all that stuff
>>105950691Trusting AUR has always been a bad idea.
You are supposed to use it as a starting point for writing your own PKGBUILD, auditing the package source files and sources line by line.
This is one reason why many of us don't bother with Arch and instead choose to use Debian or Fedora+rpmfusion.
>>105950885At that point might as well keep a $60 5G dumb phone and a normie phone around instead of dealing with some literally who and his schizo OS
>>105952190Graphene just werks for me
ATTENTION
MORE MALWARE PACKAGES FOUND IN ARCH REPOS
If you have any of the following packages installed from the AUR then you are fucked. You better kill yourself!
minecraft-cracked
ttf-ms-fonts-all
vesktop-bin-patched
ttf-all-ms-fonts
>>105952545
>minecraft-cracked
kek
do archniggers really?
>>105949484 (OP)>>105952545Thank god I chose Fedora over this Arch nonsense. Fedora cares about security and would never let shit like this happen. And this is why I use Flathub. I don't care if Flatpaks are a bit bloated. Flathub has an extremely hard-working team of reviewers who carefully check and review each and every package before publishing it on Flathub.
I don't want to see another Arch shill on my /g/ board ever again. You got that faggots? If I see you malware spreading Arch fags in here again, I will inform the cyberpolice.
>>105952545FUCK
I WAS USING TTF-MS-FONTS-ALL
SAVE ME /g/
YOU SHILLED ARCH TO ME
>>105952580ahahahahah
this is what happens when you use a hobbyist distro like arch instead of corpo certified distro like fedora
>>105952580Too late. The trojan I deployed has already infected your PC. Just according to keikaku (keikaku means plan).
>>105949484 (OP)kek
so arch kiddies got in trouble again?
lol
t. fedora silverblue + gnome + sanboxed flatpak ultragigachad
>>105949484 (OP)Not my problem. I use Fedora Kinonite.
>>105949484 (OP)ARCH LINUX? AGAINST MY POWER OF SUPER UNIVERSAL BLUE SAIYAN?
>>105949526Hundreds of more packages are being found right now in the Arch repos you nigger. What now, huh? Everyone running Arch Linux is compromised and Arch devs are trying to keep the whole thing hush-hush. You faggots are fucking scummy, it's unreal. Which Arch dev are you? Be honest for once in your pathetic NEET life. How can you evil fuckers not feel any shame at all? You are openly distributing malware and viruses and pretending that nothing is wrong at all!
>>105949558Stop talking to yourself. You Arch fags are insufferable.
>>105949484 (OP)Anyone with a brain could see this coming. Any jeet can just add something to the AUR and thats the problem.
>>105949484 (OP)I use Google Chrome (tweaked some) and I am free from such problems. Thank God I live in a free country, where people aren't obsessed over the fact that Google has many useful functions - helped me find my phones I lost with pinpoint accuracy.
>arch linux
>the toy distro is full of malware
who would have seen this coming
lmao
>>105952753Nice blogpost, faggot.
>>105952775>posts another faggots blogpostBUY AN AD NIGGERS!
>>105949484 (OP)>tranny fell for the Arch meme
>>105952190yeah, you should try using signal, browsers, uber and google maps on a dumb phone
>>105952646>t. fedora silverblue + gnome + sanboxed flatpak ultragigachad
if only you learned to package things yourself...
>>105949484 (OP)why the fuck wouldn't you use the regular firefox package?
why the fuck wouldn't you use the flatpak for librewolf or zen?
fuck this distro
>>105952646>t. fedora silverblue + gnome + sanboxed flatpak ultragigachad
>>105952890
>why the fuck wouldn't you use the regular firefox package?
true
>why the fuck wouldn't you use the flatpak for librewolf or zen?
also true
>fuck this distro
??? the aur is not the official arch repo
>>105949484 (OP)>unofficial packageslol
>>105952775Since many guys here love toys, Arch is perfect for them as they love toying with the OS itself, they don't use it for anything except trantinkering and running whatever games that work.
>>105952911honestly I meant mostly fuck this community but I'm quite sleep deprived
>>105952897>aur>just trust us nameless devs, goyvs
>flatpak>just trust us nameless devs, goywew lad, not very bright.
>>105952968>jewgle chrome (second most popular flatpak on the 'hub)>steam>spotify>vscode>edge>wineall of them are unverified, GEG
>>105949484 (OP)that sucks, looks like my firefox-patch-bin repo is ok
>>105949484 (OP)>having to trust random people to install softwarewindows does not have this problem
>>105952993
>blender
>signal
>proton
>opera
>minecraft
>audacity
>github desktop
just to name a few more
flatpak is a meme
also don't forget the "sandboxing" and "access controls", you can't disable access to /sys/class/, so infoleaks with shit like torbrowser-launcher are inevitable
>>105952993>jewgle chromedont use it dont care
>steamhas no official package besides the bubuntu deb
>spotifyim not a subscription slave ya nigger
dont use it dont care
>vscodekek, ya fuckin noob
>winei use bottles ya lil bitch
>>105953037way better than yer malware infested aur lmao
>>105953037Maybe I'm confused. Can arch users only use the AUR? I pull the majority of my stuff from Debian stores even though that's not technically what I'm using.
>>105953051buy an ad redhat shill, still not using your centralised flatpak meme
>>105952958>>105952993>>105953033>>105953037Jordan Petridis has already written an epic blogpost which BTFOs you Flathub deniers.
>https://blogs.gnome.org/alatiera/2025/02/19/the-fedora-project-leader-is-willfully-ignorant-about-flathub/
Seethe more. Flathub won. Every Archlet is gonna see this news of AUR being full of malware and switch to Flathub. I guarantee it. I'm already spreading the word of Reddit, Lemmy, Discord and Mastodon. Give up. You lost. I will KILL the AUR.
>>105953051bottles pulls the unverified Wine flatpak GEG
https://github.com/flathub/com.usebottles.bottles/blob/master/com.usebottles.bottles.yml
>>105953071>Jordan Petridiswho?
>blogs.gnome.orgoh it's bait, I fell for it fugg
>>105953057vrrrrooooom
vrroom vrooom
*rap music*
pakpak
flatpak
uh!
pakpak
flatpak
yep!
pakpak
flatpak
yo!
pakpak
flatpak
pak!
should've been brave
>>105953083thanks parappanon
I use Braphub exclusively
>>105953033AUR has a smaller chain of trust than regular packages where you have to trust the package maintainers (although there is the whole reproducible build thing). You only have to trust the developer (same as Windows). But you have to check if the shit you're installing from AUR is actually *from* the developer by reading the pkgbuild and see if it links to some pozzed github repo executing random shit, which is what I think was the case here. I don't know what the pkgbuild looked like for this pozzed AUR package but I would assume it had glaring red flags. Of course this is problematic because some people install shit off there without checking anything.
The AUR really should have some minimal semblance of standards though, at the very least a virus scan. For fuck's sake, I remember on MPGH for hacked games even they would at least post virus scans for their releases.
All that said I never installed anything from the AUR on my current install.
>>105952569Fedora isn't going to save you from downloading random files from random users and running them as root.
>>105953178Yeah, no. We Fedora gigachads don't need to do that. Everything we need is in Fedora repos + Flathub. We also use containers and sandboxes for all the spooky shit. Plus we literally have NSA-tier security out-of-the-box known as SELinux. Don't lump us Universal Blue GODS with you Arch Loonix script kiddies. It's insulting when you literal Pewdiepie-tier users get compared to us. Shoo. Shoo. Go away.
>>105953218You do know that flatpaks work on arch too? lmao
>>105952569
>Flathub has an extremely hard-working team of reviewers who carefully check and review each and every package before publishing it on Flathub.
Outrageous lie.
I'm pretty much ok with the rest
>t. fedora chad
>>105953218>>105952569I could easily upload malware to Flathub
I would get approved as maintainer for a software by writing a legit recipe
The problem is I then get authority to update that recipe and no one checks it
>>105953280what a world we live in, I'm glad you're not doing it to mine.
Shit feels like it's about to hit the fan
How do you even check if you got owned on troonix? I've never seen an answer to this.
>>105953345
Wireshark check for any network connections (or check your router if possible)
Check DNS requests (if using systemd-resolved use resolvectl monitor)
htop check for processes
Check your .bashrc and .bash_profile
>>105952715Linux use has shot up to 5% from 1. Malware will obviously increase.
>Firefox right there in the official repo
>hmm no I'm gonna grab this weird "patch" Firefox from the aur
Why?
>>105953406so this package maintainer -- user balance no longer works
>>105953218You don't get to use a 3rd party fork and still claim to be a Fedora chad or secure.
>>105953280You will do nothing you nocoder bitch. Stop getting uppity just because you favorite hobby distro got BTFO'd again by some random AI-jeet. Stop taking out your anger on superior technology like Flatpaks. You fuckers are insane, truly. No only will you NOT fix your malicious malware infested shit, you will also actively spread FUD against Flathub which is actually does care about security.
>>105953266You cannot randomly upload whatever on Flathub without getting past a team of Flathub reviewers who are all security experts and highly qualified gigachads. AUR lets literally anyone upload anything they want. Stop larping as a Fedora chad.
>>105953440I use SECUREBLUE you faggot. You don't even know what you are talking about. Why don't you sit down and shut the fuck up before you get made fun of? We are just on different levels. You are a script kiddie Arch nooblet. I'm a security expert sysadmin. You are a zoo monkey. I'm Einstein.
>>105953280okay rakesh
we all know you installed arch last week after you saw the pewdiepie video
you can calm down now
>>105953345run fastfetch
if the arch logo shows up then you did something wrong
kek
>>105953218imagine thinking you have real sandboxes with flathub
>>105953315supply chain attacks are a bitch
>>105953433people confuse complex with secure
>>105953457>muh flatpakno one cares about flatpaks. Not even the people who made it
https://www.osnews.com/story/142467/flatpak-not-being-actively-developed-anymore/
>Have a process called tracker-miner-fs
It's over for me
>>105953542Yeah what an awful name along with rtkit-daemon
>>105953523over 3 billion downloads ya little bitch
flathub won the war
you lost and you're having melty in my thread
lmfao
typical arch users
lashing out at the more successful and superior package distribution technology when their own shit got exposed for being riddled with malware
hahahahahahahahahahahahahahaha
>>105953583>3 billion downloads for broken concept softwareGrim
https://hanako.codeberg.page
>>105953620>random ooga booga blogpost from a literal whowow you sure showed me
fucking lmao
cry more archlet
flathub won and jordan petridis mindraped ya
>>105952715
>Hundreds of more packages are being found right now in the Arch repos
In the NON-aur repos, or in the AUR "repos?" Because the AUR is a wild-west and user error if you're willingly using that for anything that isn't mission-critical (Zoom, etc.) and even THEN you're better off doing it yourself than using their scripts. Similar to Lutris.
>>105953620
>>105953676
https://lwn.net/Articles/1020571/ If y'all are interested in flatpak's future, I found the discussion by bluca very informative. (albeit a little over my head)
>>105953676>fattypak shill thinks arch got compromised by random unofficial aur software>also can't readI'm not surprised really
>>105953583>>105953620>>105953676Every normal person uses Windows and iOS and has never even heard of the shit you're arguing about, and trying to force it on people is one of many reasons freetards will never produce a viable consumer operating system
>>105954131
>At the Linux Application Summit (LAS) in April, Sebastian Wick said that, by many metrics, Flatpak is doing great.
Cool. You told me what I already know. Over 3 billy downloads. We doin' great!
>>105954133 >archnigger is pretending he doesn't use aur on archKek! Called it. Like clockwork. Fucking lmao!!!
>>105954131Interesting. Not really relevant to those two anon's squabbling but thanks for bringing this up:
>"Maybe I'm complaining about something that is actually not that much of an issue", he said. Flatpak works; it does its job, and "we just use it and don't think about it much". In that sense, the project is in a good spot. But he has still been thinking about how the project is "living with constraints" because contributors do not have the opportunity to go in and make bigger changes.
Curious how they resolve that, given Valve (and the Steam Deck/Steam Arch) are pushing flatpaks for Joe Sixpack users. It may be "good enough" for now, but if something breaks (and it WILL) and they have no maintainers that are up and running, flatpaks are then fucked.
Seems like Valve has to throw cash around for a fucking fully operational OS, which... given developers gotta eat, makes sense and all, but Jesus Christ. The ENTIRE operating system? At this point Valve would just be hiring "Arch employees" and becoming MS (which Gabe escaped) again.
>>105954172Stop pretending you know what you are talking about. Flatpaks are doing just fine. And Flathub is booming. Its your precious little gAyUR that is in the mud right now. You Arch users are so disingenuous, it's insane.
>>105954186>Schizo schizoing outYES, YES. KEEP POSTING HARDER, BABY!
>NONONONONONO
>STOP LOOKING AT THE MALWARE IN MY AUR
>LOOK HERE INSTEAD!
>FLATPAK BAD
>FLATPAK BAD FLATPAK BADFLATPAKBADFLATPAKBAD AAAAAAHHHHHHHHH
>>105954202That clip is insane, wtf
I can't stop laughing
>>105949484 (OP)
>firefox-patch-bin, librewolf-fix-bin and zen-browser-patched-bin
Nobody uses those
>>105949539saar use the librewolf fix bin it fix problems saar
>>105954202this
you can tell how insecure arch users are because they keep bringing up flatpak for no reason
it was the aur where the malware was found
so what do arch users do?
they start seething at flatpak
bunch of fucking retards lol
>>105949484 (OP)I knew AUR was a mistake from day one, but Archtards are too stupid to realize that.
>>105949686I logged in to my bank yesterday using computer. Imagine living in the land of the non-free.
>>105952545More AUR packages that no one uses.
>flatpak shilling
It isn't bad, but it sandboxes. This adds a layer of abstraction and restriction which increases the odds of software not working, cause it doesnt give a program the shit it needs. This is why wayland is still not the only display server - it bars the way too much.
>aur hosts malware
Read your pkgbuilds. Or even better, install gentoo, unironically, because AUR as a COMMUNITY driven recipe repo is inherently insecure af and has been that way since day 1.
>>105954271AUR is literally accessible directly from Arch's main website with one click. I don't care how many disclaimers they add. It's a trash system for a trash OS. And no I shouldn't have to read pkgbuilds. I'm not a no-life loser.
>>105954271>it diduna werk!!Oh shut the fuck up already. Stop spouting your nonsense. This isn't reddit. You sound like one of those Xlibre retards who keep complaining that Wayland doesn't work for them. Nope. It works. You see, the real problem is...you are just too fucking retarded to get it to work for yourself. I don't know how else to tell you this, dude. You are just too goddamn stupid. It's a (You) problem. Now get the fuck out of here you newbitch. This is my /g/. Reddit's over that way.
>>105953482Back to Artix you go, chuddie.
https://secureblue.dev/code-of-conduct
>>105954247No one brought up flatpak until the resident flatpak shill started screeching about it. Stop being disingenuous! :)
>105949484 >105952646 >105952675 >105952715 >105952722 >105952748 >105952767 >105952775 >105952794 >105952897 >105952922 >105953071
THESE ARE FEDORA REDHAT GLOWNIGGERS PROMOTING THEIR CORPO SPYWARE LINUX DISTRO DO NOT LISTEN TO THEM THEY ARE TRYING TO GET YOU TO USE THEIR SPYWARE NSA DISTRO
KILL YOURSELVES GLOWNIGGER KIKES
YOU WILL NEVER BECOME THE CENTRALIZED LINUX DISTRO NIGGER KIKE NIGGER KILL YOURSELF KIKE JEW GLOW NIGGER NIGGER NIGGER NIGGER
>>105954302Stop seething over Flatpak already. Fix your shitty AUR instead of worrying about Flatpak.
>>105954313KILL YOURSELF REDHAT GLOWNIGGER SPYWARE PROMOTER. YOUR DISTRO WILL NEVER BE THE CENTRAL OS OF THE LINUX WORLD
ALL OF YOU REDHAT GLOWNIGGER KIKE SCUM WILL BURN IN HELL FOR ALL ETERNITY FOR YOUR SINS
>>105954313Stop bringing up flatpak for no reason and we won't have to talk about it sweatyheart.
This thread wasn't about flatpak until your shilling started here:
>>105952569
>>105954319>distrusts FOSS>believes religionlel
>>105953055No. Pacman is to apt...
Aur is like random .deb packages on websites, only difference is they made an actual community repo for them
>mission "mindbreak the archfag" complete
>>105954325That isn't my post. Stop seething and take your meds. That user was just saying that he prefers Fedora and Flatpaks over Arch and AUR. Then you had a mental breakdown and went on a rampage.
THE REDHAT GLOWNIGGER KIKES ARE DOING EVERYTHING THEY CAN TO DESTROY DISTROS THEY HAVE NO CONTROL OVER SO THAT YOU USE THEIR SPYWARE. THEY DESERVE NOTHING MORE THAN A SHOTGUN BLAST TO THE FACE.
YOU FUCKING REDHAT GLOWNIGGER KIKES WILL GET WHAT'S COMING TO YOU. JUDGEMENT DAY IS COMING. YOU BETTER REPENT AND CHANGE YOUR WAYS NOW OR ELSE
>>105954343The only ones going on a rampage are the redhat employees ITT. They are paid to sow chaos and distrust among communities.
I WILL NEVER USE YOUR SPYWARE
I WILL NEVER USE YOUR GLOWWARE
KILL YOURSELF REDJEW KIKE NIGGER
>>105954325>Stop bringing up flatpaksee
>>105954202
HANG YOURSELF NOW REDJEW FEDORAKIKE NIGGER
my first gif guys.
also not affected as arch user.
REDJEW FEDORAKIKE NIGGER = SCUM
>>105949484 (OP)Yikes. Good thing I don't use Arch Loonix.
>>105949484 (OP)>not compiling all packages locallyNOT MY PROBLEM
>>105949484 (OP)At first I thought this wasn't such a big deal but then I saw the posts ITT. All the damage control from Archfags convinced me that Arch is a joke toy distro.
>>105951619
>You are supposed to use it as a starting point for writing your own PKGBUILD, auditing the package source files and sources line by line.
i know you don't like Arch, but i feel like this point is a massive cope regardless. AUR is utterly insecure and it's never brought up in normal conversation. no one ever says someone should be maintaining their own PKGBUILDs. in fact its easily accessible and open community repository is one of the main draws of the distro.
>>105954479People are justifiably tired of corpo niggers shitting up every thread all over this board
If you can't read PKGBUILDs and use the AUR, you'll get what you fucking deserve for being a retarded nigger
>>105954563>reads every PKGBUILD every time he updates
>>105949484 (OP)Why would you use these shit packages instead of default firefox?
>>105954537Universal Blue is not corpo shit. It is genuinely good. Nobara is decent for boomers who can't work with immutable distros. AUR is bad.
>>105949484 (OP)If you're retarded enough to install shit called "fix", "patch", "patched" - then you deserve malware.
>>105954586Those are not the only packages. A lot more AUR packages were found with the same malware, such as font packages for microsoft fonts and so on. Arch devs are just trying to cover it all up. I bet 100% there are multiple Arch users on /g/ who are affected by AUR malware.
>>105954609see
>>105954612Those are just the AUR packages from a single user so they are all named like that. Same malware was found in other AUR packages uploaded by a completely different user and they had normal names.
>>105954612>from an account created 1 day ago and already removed. woooow, so packages that nobody installed anyway?
>>105949484 (OP)nothingburger. New packages that no one installed.
>>105954630There are multiple accounts which had uploaded malware infested AUR packages you disingenuous Arch fag. Kill yourself.
>>105954582
If you use an AUR helper, it will just show you the difference between the new PKGBUILD and the old. Most of the time, it's just a version bump and a different pkgsums
>>105954651New aur packages that no one installed that were created 1-2 days ago and already removed, dumb jeet.
>I-ITS A NOTHINGBURGERR!!
meanwhile the reality is
>We strongly encourage users [to] take the necessary measures in order to ensure they were not compromised."
>Which would be *what*, exactly?
kekaroooo
>With the current news of possibly dozens of AUR packages hosting a dangerous form of malware, we should probably once again, for yet more reasons, reconsider why so many people point newcomers to Arch-based distributions.
>The amount of "just do this random AUR bro" is insane.
HAHAHAHAHAHAHA
>It just frustrates me when a security advisory says to take action but provides *no* specific, actionable advice on what actions to take. In a sense, that's *worse* than useless. Usually, a security advisory following a breach -- which this is! -- would include indications of compromise
FUCKING LMAOOO
I don't use Arch, so I can't say anything about it.
>>105954664>keeps repeating the same thing like a broken radioKeep pretending. Everyone reading this thread can tell how disingenuous you Archfags are.
>>105954668aur is not required to use arch wintranny.
>>105954674keep repeating your lies worthless jeet.
>>105954675NTA but stop trolling. Everyone knows you Arch users shill AUR as the main reason for using Arch. The more you troll the more I believe the Fedora Red Hat shill.
>>105954684Fuck off Rakesh. Your AUR malware got exposed.
>>105954668
>>Which would be *what*, exactly?
unless you know for certain that you couldn't have installed any of the infected packages the only safe action is to boot from a different non-infected medium, wipe your system and install everything from scratch
>>105954685the avg arch user has like max 5 aur packages installed.
>>105954668Arch Linux is such a joke.
>>105954699and uses arch for about half an hour before going back to windows and never trying linux again
>>105954668What is a good alternative to Arch Linux? Should I try OpenPepe TumbleWEED?
>>105954715Opensuse is good
>>105954709sure thing.
>>105954715no arch is still the best distro.
>>105954721Windows 11 comes with malware pre-installed.
>>105954715Anything is better than the security nightmare that is Arch Loonix.
>>105954715Yes, Tumbleweed is the best rolling release distro. Always has been. Arch got popular because of unixporn fags and memes.
>>105952715>Everyone running Arch Linux is compromisedOnly people who installed non-official packages, which will be a minority.
>>105954668Thank god I stopped using Arch 3 years ago and jumped ship to Opensuse Tumbleweed. Arch has always been a meme when it comes to security.
>>105954725still less malicious than arch linux.
>>105954668
>>We strongly encourage users [to] take the necessary measures in order to ensure they were not compromised."
Check if you installed any of the packages.
To be clear, these are not updates to existing packages. These were new packages with malware.
If you were just updating currently installed packages, you wouldn't get these packages. You'd have to have specifically installed one of these packages while they were available.
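Added example (not part of any post in this thread): one way to run the "check if you installed any of the packages" step, looking for the three package names from the thread title both in the current list of foreign packages and in pacman's log, so a package that was installed and later removed still shows up. The sample files are constructed test input, and as a later reply points out, a clean log is not proof on a machine that may already be compromised.

```shell
#!/bin/sh
# Added example. Package names are the three from the thread title; extend
# the list with any other names you need to check.
SUSPECT_PKGS="firefox-patch-bin librewolf-fix-bin zen-browser-patched-bin"

# suspects_in_list FILE
# FILE holds one package name per line (e.g. the output of `pacman -Qqm`,
# which lists packages not found in the sync repos). Prints each suspect
# name that is present.
suspects_in_list() {
    for sl_pkg in $SUSPECT_PKGS; do
        # -F fixed string, -x whole line: "librewolf-bin" must not match
        # "librewolf-fix-bin" or the other way round.
        grep -Fxq -- "$sl_pkg" "$1" && printf '%s\n' "$sl_pkg"
    done
    return 0
}

# suspects_in_log FILE
# FILE is a pacman.log with ISO-8601 timestamps (no spaces inside the
# brackets). Prints "timestamp action package" for every install, upgrade
# or removal of a suspect package.
suspects_in_log() {
    awk -v pkgs="$SUSPECT_PKGS" '
        BEGIN { n = split(pkgs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $2 == "[ALPM]" && $3 ~ /^(installed|reinstalled|upgraded|removed)$/ && ($4 in want) {
            print $1, $3, $4
        }' "$1"
}

# write_sample_data DIR
# Constructed input for the demo: dates, versions and paths are made up.
write_sample_data() {
    cat > "$1/foreign.txt" <<'EOF'
librewolf-bin
librewolf-fix-bin
waterfox-bin
EOF
    cat > "$1/pacman.log" <<'EOF'
[2025-01-01T09:00:01+0000] [ALPM] upgraded firefox (0.0-1 -> 0.0-2)
[2025-01-02T10:00:02+0000] [PACMAN] Running 'pacman -U /tmp/zen-browser-patched-bin-0.0-1-x86_64.pkg.tar.zst'
[2025-01-02T10:00:05+0000] [ALPM] installed zen-browser-patched-bin (0.0-1)
[2025-01-03T08:30:00+0000] [ALPM] removed zen-browser-patched-bin (0.0-1)
[2025-01-03T08:31:00+0000] [ALPM] installed librewolf-bin (0.0-1)
EOF
}

run_demo() {
    demo_dir=$(mktemp -d) || return 1
    write_sample_data "$demo_dir"
    echo "currently installed:"
    suspects_in_list "$demo_dir/foreign.txt"
    echo "seen in pacman.log:"
    suspects_in_log "$demo_dir/pacman.log"
    rm -rf "$demo_dir"
}
run_demo

# On a real Arch system:
#   pacman -Qqm > /tmp/foreign.txt
#   suspects_in_list /tmp/foreign.txt
#   suspects_in_log /var/log/pacman.log
```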
If Arch is bad, which distro is good? No corporate answers.
>>105954770
>Check if you installed any of the packages.
If you are compromised your logs might have been scrubbed.
>>105954668Kek, they are so fucking incompetent. No wonder Arch Linux is a hobbyist joke distro.
>>105954755Yeah, the average Arch user isn't going to go "look a new firefox package I haven't seen before, I'm going to install that".
>>105952753Add my phone number to whatsapp for important job information for you
>>105954780
>If you are compromised your logs might have been scrubbed.
Possible, but you can just start with going over your memory.
How many new packages (not updates) have you installed on your Linux computers over the past two months?
>If Arch is bad, which distro is good? No corporate answers.
>>105954715Void Linux is pretty much alt-Arch.
>>105954794zero. I use mac.
You just know.
>>105954668
>>We strongly encourage users [to] take the necessary measures in order to ensure they were not compromised."
kek
arch "developers" used chatgpt to write this didnt they
lol
lmao, even
>>105954779Not _too_ many choices out there as far as rolling release goes. I have fairly had good experiences with OpenSUSE Tumbleweed, that is after realizing that the Packman repos are basically mandatory.
>>105954668
>>105954668
>>We strongly encourage users [to] take the necessary measures in order to ensure they were not compromised."
>>Which would be *what*, exactly?
>>It just frustrates me when a security advisory says to take action but provides *no* specific, actionable advice on what actions to take. In a sense, that's *worse* than useless. Usually, a security advisory following a breach -- which this is! -- would include indications of compromise
This is pathetic. Even if I ignore all the schizobabble ITT then this is enough to make me completely lose any trust I had in Arch Linux. Literal retards are running that asylum. Yeah, I'm out. Void Linux and Opensuse Tumbleweed, here I come.
>using the AUR
BUT WHAT ABOUT DEM FLOSSOFOLLIO FOSSUS APPERINOS?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! I NEED MY FLOSS MP3 PLAYERS AND AND AND YEAH FOSS DUDE
>>105954803Mine is also zero.
>>105954668Fuck Arch Linux. Piece of shit distro.
>>105954779Arch and Debian are the only good distros
works on my machine.
ununtu + snap btw.
>>105951619
>Trusting AUR has always been a bad idea.
It's still way better than going to some website and downloading an .exe
>>105954685We love the AUR because it contains rare stuff that will be hard to track down, install and maintain otherwise.
You don't use the AUR for anything that's in the official repository like any major browser.
>>105954951>browser browser browser BROWSAAARShut the fuck up already, jesus christ. It is multiple AUR packages, uploaded by multiple users. Learn to read you absolute fucking moron. Holy shit, Arch users are so fucking retarded.
>>105954982its just one guy
he is doing it on purpose because he knows his aur packages are all full of malware
arch users are such a joke
>>105954951You must have said the same thing 10 times ITT by now and you keep ignoring the real issue. Your precious Arch is garbage, get over it. And see
>>105954685.
>>105954982He will move the goalpost and pretend that he doesn't use the AUR. It's like clockwork. Just wait for it.
>>105954779only windows is good everything else is crap
Isn't it equivalent to pulling random obscure container from Docker Hub
Love how literally half the time I see an official arch post/talk it contains "Don't trust the AUR and don't/only very carefully use helpers", I'm always agreeing and reinforcing that, yet I run a script to automatically compile over 100 AUR packages inside a docker container where the build user has root access without a password lol
>>105955079the absolute state of arch users
>>105949484 (OP)Oh it's in aur, nice I don't use that.
>>105955250that's because you use windows
So did anyone actually install these malware infested packages?
Haven't used arch in years but am planning to go back after using windows
Should I just avoid the AUR entirely?
>>105954685>Red hat lets not get crazy
>>105949484 (OP)
>packages on Arch contain malware
>>105952545
>MALWARE PACKAGES FOUND IN ARCH REPOS
stop being deliberately vague, anybody can upload to the AUR
from aur.archlinux.org:
>DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.
>>105952580
are you sure it wasn't just ttf-ms-fonts? ttf-ms-fonts-all was swiped quicker than the ones in OP (as were the other ones in >>105952545)
>>105955239 (Me)
nobody?
am i pwned?
>>105949484 (OP)
>AUR
>Not reading the build file
Do you install random binaries from the internet as well?
>>105949484 (OP)>zen-browserCachyOS on suicide watch
>>105949526Not OP, but it doesn't seem misleading to me.
These were firefox packages, for Arch, which contained malware.
OP even clarified in the post that they were AUR packages and linked to the source.
>>105954912
>Getting it direct from the source is somehow worse than some literal who intermediary
Huh?
>>105955840I personally do avoid AUR cause of those disclaimers, even when the URLs in the pkgbuild check out. Really you don't actually need the AUR for any of that software, it's just a convenience tool. It's mostly installable without AUR. Microsoft fonts do look a bit complicated to set up manually though but you can copy the steps in the pkgbuild, it links to microsoft directly.I personally do avoid AUR cause of those disclaimers, even when the URLs in the pkgbuild check out. Really you don't actually need the AUR for any of that software, it's just a convenience tool. It's mostly installable without AUR. Microsoft fonts do look a bit complicated to set up manually though.
>>105955985Accidentally copy pasted same post 3 times lol, bit groggy right now lol
>>105955985>>105955991Thanks, I'll just avoid it then.
I'm no beginner with Linux I just had no need for it at home and was forced to use Windows for work
Now I've got some projects I'd like to work on and remember enjoying Arch the most out of the many distros I used
if only the windows 11 LTSC werent shit
>>105955983AUR is from the source in most cases but you have to verify it actually is from the source as stated here
>>105953106The same goes for .exe installers too, you want to make sure it's the right url and not downloaded from a shady website. But I would say it's easier to accidentally download malware off the AUR than a random google result when searching for .exe installer.
>>105956001Yeah Arch is the most enjoyable for me too. This is solely a AUR problem and I do think it needs more visible disclaimers and new users should have a better idea of what it is, and the AUR itself should have a modicum of vetting at the very least to prevent blatant malware like this.
>>105955907the issue is that the subject line didn't say AUR
it could have just as easily said
>AUR packages contain malware
this isn't the site for clickbait bullshit
>>>/global/rules/6
this isn't the board for flamewars (see OP image)
>>105076684
>>105954784
>It's time to browse new packages.
>Oh shit, there's a new firefox patch binary on the aur, I better install it.
>>105954470In theory I don't hate it, but the reality of compiling everything sucks.
>>105956049Anyone who thinks like this deserves everything that happens.
RTFM
>>105956059>>105954470Funny enough, AUR mostly involves building stuff from source just like Gentoo, although not in these specific cases I think. Difference is you can generally trust Gentoo maintainers more for their ebuilds than randos' pkgbuilds on AUR.
>>105955840Just use Flathub.
>>105955840>Should I just avoid the AUR entirely?not necessarily, but definitely avoid random packages like those in the OP. it's retarded to install shit like Firefox from the AUR anyway since it's in the normal repos. if you need to install something it's a good idea to check the PKGBUILD first to see if it pulls from official sources, etc
I have a few AUR packages on my Artix install and I'm fine kek
>>105955840You can avoid it almost entirely. The only two things I needed it for was Nvidia driver when the main repos weren't updated to the latest driver and it fixed something I needed fixed... and mprime for stability testing.
>>105956261>>105956294Thanks, that's what I expected. I'll just do my due diligence.
>>105956294You can download both of those straight from their sources too without using AUR at all. The only one that looked less straightforward to install without makepkg is microsoft fonts, but it's still doable. I wouldn't even know how to find the download link for that without copying the one in the AUR pkgbuild, but it's a microsoft link so it's legit.
>>105956378Oh yeah about Microsoft fonts, I will just avoid it and use MacOS fonts as they're easy to get a hold of. In any case, I won't be using Linux for work, just fun, and will spend most of my time in terminal emulators, anyway.
>>105949484 (OP)>people put malware on the internet>HOLY FUCKING SHIT ALL DOWNLOADS COMPROMISED WERE FUCKED ITS SO FUCKING OVERKill yourself.
>>105955000>people develop malware for your OS>HOLY FUCK YOUR OS IS DOOOOOOOMEDShit son you're fucked better crush your computer into a cube.
>>105955840No, just dont install newly created packages by new users with weird names without reading the pkgbuild. ppas and other memes are way worse than the aur.
>>105954668top fucking KeK
>download thousands of exes over the internet
>never got a virus
Meanwhile freetards are getting malware from their official sources. How does this happen?
>>105956644It's not an official repo
>>105956378I didn't even know you could do MS fonts from AUR. I just literally copied the fonts folder from my Windows 11 to Arch Linux lol. That's all it took, just copy the folder to the Linux fonts folder.
>>105956649>everyone is using >b b but it is not official Stop making excuses
>>105956659Do you know what official means?
>>105956644Not official. Explicitly unofficial. The AUR is linked to on the official website though and is actually a subdomain of the official website, which honestly isn't a good look when there's basically non existent vetting for malware, which is instead offloaded to the user.
>>105956658Yeah that's actually what they say to do on the Arch wiki if you have Windows installed.
>>105956669Sounds like it is official but they don't want to pay bills
my brother in christ, that's AUR, just look out what kind of shit you are installing, and always verify GPG key of these bins
official repo was perfectly clean
>>105949484 (OP)the only people surprised by this are retards who think that arch devs are just pretending when they say that the aur is a steaming pile of shit that shouldnt even be used
>>105949484 (OP)
>Open terminal
>"sudo pacman -S firefox"
>"Proceed with installation? [Y/n]"
>"Yes"
Wow, that was so difficult. I thought I wasn't gonna make it guys..
>>105956873lol you retards install everything from aur because its more "optimized" HAHAHAHA enjoy your malware while real enterprise distros just werk
>>105956979
>from aur because its more "optimized"
No one says this
So this is the power of the free software
>>105949484 (OP)
>AUR
biggest nothingburger ever, you were already supposed to assume there's Malware on the AUR since it's a community-run thing, if you weren't doing so then it's time to go back to Windows or Mac, because you obviously aren't good with computers.
>>105955892It's not the real zen browser package though
>>105949484 (OP)Those are all AUR packages. You're on your own in that space.
>>105956649
>>105956669
filehippo isn't official yet you don't find malware on it
>>105949484 (OP)AUR is awesomes, saaar, install my new cool packages now
>>105957459Yes? It took one day to be caught
>retards actually install from the AUR without reading pkgbuilds
natural selection at work
>>105952715Arch is obviously compromised. Powerusers can inspect code, or at least run it through AI and remain safe. Question remains: why not just use another better repo at that point...
>>105949686Is this an American thing?
Its really stupid to limit access to mobile banking to a single app.
>>105949484 (OP)another misleading bait thread that works because arch linux users are autistic.
this is like complaining people are getting viruses from running random executables off discord.
>>105958369sure, if the discord was run and moderated by microsoft
>>105954668Fuckkkkkk its so over for archtrannies that a new package literally no one used had malware.... as we all know malware doesnt exist in other operating systems. Time to switch to ubuntu!
>>105949484 (OP)Some tard uploaded few infected packages 3 days ago, got almost instantly detected and deleted. I dont see a problem, using internet in general requires some level of common sense, i dont understand why you cant apply that to AuR. Just use your head, dont install new, unknown packages and if you really have to check source to be sure.
>>105959015I asked AI about Linux Mint. Huh?
arch is a fucking meme, having to resort to infested malware aur for basic stuff.
UHHHH ARCH SISTERS????? WINGODS ARE LAUGHING AT US AGAIN????
>>105954685Arch user here. AUR is painful as fuck to use, and nobody would use it unless they are desperate for some piece of software that's not flatpak or main repo. I used it exactly twice and probably never will again.
>>105959237You don't need to though. If it's on the AUR you can do it manually, AUR just adds convenience. I've yet to find an example of something that's very difficult to install manually compared to AUR. Maybe ms fonts without a Windows install to copy from.
Remember when FOSSHub was distributing malware kek
>>105949484 (OP)This is why I stopped using Arch 8 years ago. I will never trust a community repository, and there are plenty of other distros, like Void and Gentoo, that have everything I will ever need in their official repositories.
>>105959294I mean it isn't even hard to install windows on a VM or something to get the fonts. I would unironically rather do that then use aur.
>>105954230This. You have to go and install them manually. Why would you install a literally who package from AUR instead of the official packages? Also, if you install random packages without reviewing them, you are a double nigger. The fact that these malwarefaggots got taken down so fast, means that the arch community is doing ok
>is just a convenience
anon, if you want to build from sauce you better off with gentoo, why cant pacuck have repos like apt or dnf? flourished with software.
This is the same trick GNOME devs use for their "extensions"
>Uhhh...hey guys. I'm missing this feature in GNOME and I--
>Use this GNOME Shell Extension. Now fuck off.
>Oh...Thanks!
2 months later
>Hey guys. So this extension I use for this basic feature I need broke with the recent GNOME updat--
>Stop using extensions! Learn to use vanilla GNOME. Now fuck off.
Now, Arch fags ITT are doing the same thing.
>Hey guys...Should I Arch Linux? I really need all the software in this list--
>Arch has everything!! If you are missing something in the Arch repos then the AUR has got you covered. You won't need to download random .deb files like those Debian & Ubuntu noobs! Even Luke Smith says so! Welcome to Arch!!
>Wow, thanks guys...I guess I will use Arch.
2 months later
>Wtf guys, I just got malware in my computer from the AUR packages I was using...Help!!
>Kek, what a fucking noob. AUR is unofficial and we Arch users don't even use it for anything other than 1 or 2 rare packages. You were supposed to know that AUR is dangerous. This is all your fault!!
>Guys...Wtf...Help me...
>HAHAHAHAHAHAHA ANOTHER NOOB FILTERED BY THE GREATNESS OF ARCH LINUX
>>105959337The pkgbuild on the AUR has a download link from microsoft's official website to the iso file with the fonts. I don't know how to find that download link without going through the AUR though. But it's a microsoft link, so it's legit.
>>105958161Just reading the pkgbuild isn't going to help you when the source files are the problem, you need to check everything.
>>105959429You don't actually need the AUR to install anything from there, it's just a convenience wrapper. You can download all of that stuff manually. For example nvidia's drivers. They're on the AUR but you can just navigate to Nvidia's website and download and install from there like you would on Windows. If you do it through the AUR you would want to check the pkgbuild to make sure it's pulling from nvidia's site. Maybe there is some package that's really difficult to install without the AUR, I don't know.
>>105959429This is really it. GNOME has every feature you could ever want if you count GNOME Shell extensions. Similarly Arch has the best package availability out of all other Linux distros if you count the AUR.
Aren't the official Arch repos smaller than even Fedora, let alone Debian, if you stop counting the AUR packages in Arch? Arch shills are so fucking retarded, it's unreal.
Reminder than when Arch used to be "tough" to install for newbs, they were (and still are) told to install Manjaro instead. Then the Manjaro newbs abused the AUR to such an extent that it fucked up the AUR multiple times for everyone including the Arch users. Those same people are ITT right now pretending they don't use the AUR.
>>105959387Just cuz you're ok with compiling software doesn't mean you want to waste time compiling all software.
>>105959493>They're on the AUR but you can just navigate to Nvidia's website and download and install from there like you would on Windows.You have no idea what the fuck you talking about. If you are actually telling people to install Nvidia drivers directly from Nvidia's website then you are a fucking faggot and even your precious Archwiki agrees with me.
See https://wiki.archlinux.org/title/NVIDIA
>Warning: Avoid installing the NVIDIA driver through the package provided from the NVIDIA website. Installation through pacman allows upgrading the driver together with the rest of the system.This alone is enough to convince that every post you have ITT so far is complete nonsense. You are fucking dumbass who just pretends to know what he is talking about.
This is what an Arch Linux "power user" looks like. Anyone reading this can now see and judge how great the Arch "community" is for themselves.
>>105959519>Aren't the official Arch repos smaller than even Fedora, let alone Debian, if you stop counting the AUR packages in Arch? Arch shills are so fucking retarded, it's unreal.yeah, last time i checked they didnt have shit like stellarium, present in every respectable distro, mind you even haiku ported it right, what arch excuse? the problem tho is that arch trannies are now denying the aur even though they shill that crap from time to time.
>>105959429this. so fucking annoying. this entire thread is pointless. are we now supposed to pretend that the aur wasn't the main selling point behind arch loonix? are we supposed to pretend that e-celebs like luke smith and mental outlaw haven't shilled the aur multiple times on their channels and that is why arch got so popular? fuck off
Why is this thread so full of bullshit? How few IPs are there?
>ability to compile the viruses you run on your PC
Damn, had no idea linux was so strong
is it just a meme or do you really have to constantly maintain certain Linux distros to prevent them from killing themselves?
>>105959603https://youtu.be/EYiN8vDkacc
20 seconds in and Black Luke Smith calls AUR the "best part" about Arch Linux. Lmao.
>>105959576Yes that's the default recommendation. But then it says right after that if it doesn't work to use the beta drivers. You can do that either through the AUR or through the nvidia site, it's the same thing in the end because the AUR just pulls from nvidia's website. This is not some controversial thing, maybe the advice wasn't entirely on point for Nvidia (I don't have an Nvidia) card, but I've installed software that was on the AUR without going through it, for example Sublime text.
>>105959607Shut up. You posted nonsense about install Nvidia drivers on Arch using the Nvidia website
>>105959493. I completely btfo'd your ass and now you are seething. You Arch users are so fucking insufferable. You don't know anything and yet you keep pretending like you faggots are some kind of Loonix security experts. You faggots are a cancer. Everyone in the Linux community is sick and tired of your kind.
>>105959638Holy shit, are you just using ChatGPT to write your posts or what? You were completely fucking wrong. Even the Archwiki said so. Why are you pretending like you know what you are talking about? Do you think writing down random gibberish makes you smarter than you actually are? Shut up already. No, you are NOT supposed to install Nvidia drivers on Arch from the Nvidia website. You retarded faggot. End of discussion. You were wrong.
I bet debian niggers put the virus's in the AUR.
>>105959660It's right in the pkgbuild, it downloads straight from nvidia
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=nvidia-beta
source=("http://us.download.nvidia.com/XFree86/Linux-${CARCH}/${pkgver}/${_pkg}.run"
You can do that yourself or through AUR, same thing, but I'm repeating myself.
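The check several posts describe (read the PKGBUILD and confirm where `source=` really pulls from), as an added example that is not part of the thread or of any Arch tooling. It reads the arrays as text and never executes the PKGBUILD; the allowlist, the second host, the package name and the checksum placeholder are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed PKGBUILD fragment. The first source line is the one quoted in the
# thread; package name, versions, second host and checksum are placeholders.
SAMPLE = r'''
pkgname=example-bin
pkgver=1.0
_pkg="EXAMPLE-Linux-x86_64-${pkgver}"
source=("http://us.download.nvidia.com/XFree86/Linux-${CARCH}/${pkgver}/${_pkg}.run"
        "patches::git+https://git.example.invalid/someone/patches.git"
        'fix.patch')
sha256sums=('PLACEHOLDER_SHA256' 'SKIP' 'SKIP')
'''

TRUSTED_HOSTS = {"us.download.nvidia.com"}  # assumption: the reader's own allowlist


def read_array(text, name):
    """Return the entries of the bash array `name=( ... )` without running any bash.
    Limits: comments and unquoted $( ... ) inside the array are not handled."""
    m = re.search(rf"^[ \t]*{re.escape(name)}=\(", text, re.MULTILINE)
    if not m:
        return []
    entries, cur, quote, started = [], [], None, False
    for ch in text[m.end():]:
        if quote:                        # inside '...' or "...": copy verbatim
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "'\"":
            quote, started = ch, True
        elif ch == ")" or ch.isspace():  # entry separator or end of array
            if started:
                entries.append("".join(cur))
            cur, started = [], False
            if ch == ")":
                break
        else:
            cur.append(ch)
            started = True
    return entries


def audit_sources(pkgbuild, trusted=TRUSTED_HOSTS):
    """Map each source entry to a list of findings a reviewer should resolve."""
    sources = read_array(pkgbuild, "source")
    sums = next((s for s in (read_array(pkgbuild, n)
                             for n in ("sha256sums", "sha512sums", "b2sums")) if s), [])
    report = {}
    for i, entry in enumerate(sources):
        findings = []
        url = entry.split("::", 1)[-1]               # drop optional "filename::" prefix
        vcs = re.match(r"(git|svn|hg|bzr|fossil)\+", url)
        if vcs:
            url = url[vcs.end():]
        parts = urlparse(url)
        if not parts.scheme or "://" not in url:
            findings.append("local-file")            # shipped in the AUR repo: read it too
        else:
            host = parts.hostname or ""
            if "$" in host:
                findings.append("host-from-variable")
            elif host not in trusted:
                findings.append("untrusted-host")
            if parts.scheme in ("http", "ftp"):
                findings.append("cleartext-transport")
            if vcs and not parts.fragment.startswith("commit="):
                findings.append("vcs-not-pinned-to-commit")
        checksum = sums[i] if i < len(sums) else "SKIP"
        if not vcs and checksum == "SKIP":
            findings.append("no-checksum")           # makepkg will not verify this file
        report[entry] = findings
    return report


if __name__ == "__main__":
    for entry, findings in audit_sources(SAMPLE).items():
        print(entry, "->", findings or "ok")
```

An empty findings list only means the entry passed these static checks; the downloaded files and any `.install` script still need review.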
>>105959638nta anon but you got cooked
i cant believe you would say that nvidia drivers should be installed on arch from the nvidia website
oh and arch users dont use aur either for installing drivers
do you even use arch linux or are you just trolling?
t. arch linux user
>>105959620I want to be impregnated by him
>>105959674Just admit you were wrong. Even Arch users are calling you out for being wrong.
>>105959679Yeah, I know how to use 4chanX too. You are not as smart as you think you are. Spare me your samefagging schizobabble. Go find another thread.
>>105959681
nvidia-beta is literally one of the most popular packages on the AUR.
>>105959603Maybe you should stop using github then huh? That malware was literally sitting there under watchful eye of the corporation but you wont complain about github only about something created by the community for the community.
>>105954982>op brings up irrelevant browser packages as malware>point out the retardation>"UMMM ITS OTHER MALWARE THAT I CANT EVEN POINT TO AN EXAMPLE THAT TOTALLY EXISTS"It's okay ESL-san... Arch is just the superior operating system
>>105959607>>105959679Adding to my posts. IDs should be on every board that matters. The lack of IDs and removal of the IP counter has made many boards dominated by shills and samefagging schizos, or everyone gets paranoid and assumes every critical post is by their sworn enemy. Of course 4chan's feedback page has been neutered since the hack, so anons can't even pretend they still have a voice in how the site is run anymore.
>>105959698THIS PROVES THE ABOVE POINT
>>105959707that just proves his point that everyone blindly installs random aur packages all the time
do you really think all those people are checking the pkgbuild for every aur package they are installing?
aur is a security risk. that is a simple fact
its a bad system that needs to change
t. arch linux user
>>105959722>>105959734Samefagging schizobabble to distract from the AUR fuckup. Every fucking time. Like clockwork. You will just go on a melty now. Wojack spam incoming.
>>105959736I agree the AUR is a bad look for Arch, I even said so here
>>105956669It's perhaps the easiest way on the internet right now to spread malware.
I was just pointing out that the AUR isn't necessary. It's not some exclusive repository, it just streamlines installing stuff manually.
>>105949484 (OP)
>firefox-"patch"-bin
>librewolf-"fix"-bin
>zen-browser-"patched"-bin
No one gonna fall for this shit
What distro do you use anti Arch schizos?
>>105959746They're requesting medication
>>105959762I use Arch but I am considering gentoo atm just to further avoid tranny politics. not sure I've been using arch for 20 years so I might not switch at all. everything looks pozzed now
>>105959756
>I was just pointing out that the AUR isn't necessary
this is also not useful if you point it out on a random forum thread
again nta but hes right when he says that aur is shilled as the main reason to install arch linux to new users
im not going to pretend that jewtubers and most of the arch community are not shilling aur as this great thing that makes arch linux so much superior than every other distro
this culture really exists and even you know this
the real problem is simple
something like the aur should not exist
t. arch linux user
>>105959768I already did that and he dug himself in further. He's either trolling or delusional. We need the IP counter and IDs so fucking bad it's unreal.
>>105959775Gentoo is more tranny than Arch, where do you see Arch team shilling left-wing propaganda like other distros? What are you even talking about?
>>105959768Anytime someone posts screencaps of their (You)s I immediately know to not take them seriously. Do you really think you are the only one who knows about 4chanX? Even phonefags can easily mark/unmark any post in any thread and change the (You)s easily. This proves nothing. You are the troll.
>>105956059actually, it doesn't. but I understand that you might feel that way when you're a poorfag without a build server/desktop
>>105952569Just use OpenSUSE
always funny to see archtroons getting cooked, until next thread faggots!
>>105959823
>where do you see Arch team shilling left-wing propaganda like other distros?
I don't. I meant bad actors targeting Arch due to how popular it is. At this point I'm just considering just compiling every package I need on my own.
>>105952569Hows that boot taste?
Why would a malware target a freetard? Aren't they all poor neets?
Me sitting here on OpenSUSE Watching arch fags and fedora fags be keyboard warriors
>>105952569Based Fedora Atomic ENLIGHTENED NIRVANA CHAD
>>105953218Calling you "Based" would be an understatement. No wonder Archfags went on a gigamelty in this thread. You really hit a nerve, huh? Tch tch tch. This is so sad for the entire Arch Linux community.
>>105959576>>105959681Also I never said that you SHOULD download it from the website just that you CAN, without going through the AUR. Probably not the best example though. Nvidia drivers from what I hear are a clusterfuck anyway.
>>105949484 (OP)PEOPLE ARE MAKING FUN OF US REEEE. DELET THIS.
how much you guys get paid by IBM and redhat? theres no way this amount of shilling its for free
Anyways, does anyone know what was supposed to be "patched" on these? and how much was the extent of the malware?
>>105959949I don't think there was a patch, that was just the name given to the malware to make it look legit. The guy spreading it even started shilling it on reddit so more people would download it.
I removed Arch Linux because of this thread. Sorry bros, I couldn't take it anymore...
I'm installing Void Linux right now.
>>105959970So he wasnt even trying to pass as legit? lmao what a way to burn your remote control servers
>>105959989install gentoo
>>105959576You can't automatically update packages through AUR either, so I don't see your point.
>>105959993The payload was based on a FOSS project, this was probably babby's first script kiddie adventure.
>>105960062It was just a cheap gotcha, since in that case there are supported versions of the drivers in the official repos, so obviously those will be recommended by the wiki. But nonetheless a lot of people download unsupported drivers from Nvidia's site or github probably because they work better for certain setups. Most software in the AUR does not have a supported counterpart in official repos, it's just straight up unsupported, but I used one of the few examples where that wasn't the case.
>AUR
>>105952569>>105952646>>105953218>>105953482>>105959887You guys should be aware that Fedora's build infrastructure (Pagure) has pretty weak security and can be easily hacked to serve malicious packages to users. So you might get malware straight from the official repo, while in Arch at least you're safe if you avoid AUR.
https://fenrisk.com/pagure
Not to mention Fedora's official packages aren't very reliable anyway. For example, they disable Control Flow Integrity, an important security mitigation, on the Chromium package, while Arch enables it.
https://kojipkgs.fedoraproject.org//packages/chromium/138.0.7204.157/1.fc43/data/logs/x86_64/build.log
> is_cfi=false
https://gitlab.archlinux.org/archlinux/packaging/packages/chromium/-/blob/main/PKGBUILD?ref_type=heads#L173
>>105958283
>Arch is obviously compromised
yes. it is canadian made.