Some security best practices before installing packages

What is AUR?

Arch User Repository, also known as AUR, is a major part of the Arch Linux ecosystem. It’s a community-driven repository for the Arch Linux system that hosts a number of packages outside the official Arch Linux package database.

What is an AUR helper?

AUR packages are redistributed in the form of PKGBUILDs and need an AUR helper to automate the rebuild process.

What’s the problem?

The AUR is community driven and anybody can upload their PKGBUILD for apps that they like. The problem is we cannot trust everybody in the community; not all have good intentions, and there have been several incidents where malicious users have uploaded malicious packages to the AUR.

AUR helpers make this problem even worse by making users lazy and allowing them to install packages from the AUR with a single command, and many users don’t tend to look at the build package.

Best practice

I would recommend everyone here to read PKGBUILDs, confirm they are not malicious, and then install them on your system via yay or makepkg. You can usually view PKGBUILD scripts on the AUR website itself.

This also exists with pip for Python and npm for Node.js

Developers out there should also check before installing dependencies from the internet, because they too are community driven. Here the package itself is not malicious, but it could run malicious post-install scripts and hijack your device or exfiltrate sensitive information. For details I’m leaving an interesting blog about it: Dependency Confusion

Bonus

The AUR is a luxury feature of Arch-based distributions and everyone loves it. But now some developers are working on an AUR-inspired package manager for Ubuntu: Pacstall GitHub, Pacstall official website

Where you shouldn’t care about this

Places like the Play Store, the App Store, the default repositories of various Linux distributions, and the official websites of those packages. They are verified and tested, so you don’t need to worry about it at all.

I would like to know how many of you check scripts before you install packages from the internet?

If you like this kind of content, drop a like; it will encourage me to write more.

4 Likes

I’d add one single piece of advice:

Treat the AUR (and similar things) like downloading a random .exe/.msi on Windows.

You already trust your distro provider to NOT spy on you, to not have broken packages, and so on. Anything community driven is even worse. On some you can simply upload an install script without any intervention.
And this just gets worse on less used packages.

While the AUR and similar options are amazing, they also are probably the easiest way to get access to your system (virus).

1 Like

Arch: the only distro where security-conscious people seem okay with homebrewing anything and everything :joy:

3 Likes

I admit it, it’s true :sob:

1 Like