this post was submitted on 29 Dec 2023
33 points (100.0% liked)
Arch Linux
7764 readers
5 users here now
The beloved lightweight distro
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Do you categorize AUR packages (if you didn't verify the PKGBUILD on every update) as untrusted?
Yes. AUR package maintainer(s) are additional people who can add malicious code (or someone else can by compromising their account).
I know that almost nobody treats it this way but the number one rule of AUR is that it's pretty much all untrusted, by definition.
Same goes for any unofficial flatpak, right? And that is most of them.
In order from the most to the least secure: