Hacker News new | ask | show | jobs
by Barrin92 333 days ago
Just by taking a glance at the most popular packages (https://aur.archlinux.org/packages)

Pretty much every browser that isn't Firefox including Chrome, VS Code, most proprietary software like Slack, Zoom, Spotify, many vpn clients and password managers, a lot of them seemingly not published by the companies in question.

All of those ancillary password, vpn or security related products who aren't going to be in the main repo because they have proprietary elements and also rely on random people seems particularly bad. And there's a lot of software in that category.
3 comments
BearOso 333 days ago
Chrome is in the main repos as chromium. VS Code is the "code" package. I don't know what vpn clients you're referring to, but networkmanager is built-in and has support for openvpn and wireguard.

Yes, proprietary software has to be installed separately, but for things like cloud password managers you're already putting your trust someplace else. You're also not likely to be hit by out of these flyby attacks, because the stuff people want is popular and has people watching it constantly and reputable people maintaining it. These patch/fix packages are suspicious looking and probably didn't have a single person touch them.

link
WD-42 333 days ago
And what distro does package those?

That's what Flatpak is for. If you must install crappy proprietary software, at least get an official package from the developer.

link
homebrewer 333 days ago
> And what distro does package those?

nix, which has its own share of problems.

link
abacate 332 days ago
> nix, which has its own share of problems.

Care to elaborate?

link
homebrewer 333 days ago
Some of those packages (like Brave) are maintained by original developers, it depends on the package.

Most aren't, but it's trivial to review changes to packages (all good AUR helpers show the diff on upgrades, an 99% of time the changes are hash and version, nothing else).

So you only need to check the package once, which the documentation reminds you to do about fifty times. Otherwise — play stupid games, win stupid prizes.

If the package has any popularity at all, you will get lots of paranoid users who will eat you alive and report to Arch maintainers right away if you do anything suspicious, try to link a binary from some weird website instead of the upstream URL, or even just omit the GPG signature verification key when it's available.

link