[eek2121]

Funny enough, I thought this earlier about Arch Linux and it's deritives. It was mentioned on reddit that they operate on a small budget. A maintainer replied that they have very low overhead, and the first thought that popped into my mind was that most of the software I use and rely on comes from the AUR, which relies on the user to manage their own security.

If engineers can't even manage their own security, why are we expecting users to do so?

[mcgrath_sh]

I'm shocked it is most of your software. I think I have under a dozen AUR packages. It has been that way for about a decade. I added a couple for gaming recently (mostly because Lutris just crashes for me), but nearly all of my software comes from the official repos.

[demaga]

Same for me. I learned about AUR before installing Arch, but went months before installing my first package from there.

[fa3556]

I think this criticism is unfair because most common packages are covered by the core and extra repos which are maintained by Arch Linux. AUR is a collection of user build scripts and using it has a certain skill cliff such that I expect most users to have explicit knowledge of the security dangers. I understand your concern but it would be weird and out of scope for Arch to maintain or moderate AUR when what Arch is providing here amounts to little more than hosting. Instead Arch rightly gives the users tools to moderate it themselves through the votes and comments features. Also the most popular AUR packages are maintained by well known maintainers.

The derivatives are obviously completely separate from Arch and thus are not the responsibility of Arch maintainers.

[anon7000]

Disagree. AUR isn’t any trickier than using pacman most of the time. Install a package manager like Yay or Paru and you basically use it the same way as the default package manager.

It’s still the same problem, relying on the community and trusted popular plugin developers to maintain their own security effectively.

[fa3556]

I understood GP's point to be that because Obsidian leaves a lot of functionality to plugins, most people are going to use unverified third party plugins. On arch however most packages are in core or extra so for most people they wont need to go to AUR. They are more likely to install the flatpak or get the appimage for apps not in the repos as thats much easier.

yay or paru (or other aur helpers afaik) are not in the repos. To install them one needs to know about how to use AUR in the first place. If you are technically enough to do that, you should know about the security risks since almost all tutorials for AUR come with the security warnings. Its also inconvenient enough that most people wont bother.

In obsidian plugins can seem central to the experience so users might not think much of installing them, in Arch AUR is very much a non essential component. At least thats how I understand it.

[tomsmeding]

> Its also inconvenient enough that most people wont bother. > in Arch AUR is very much a non essential component.

While somewhat true, we are talking about a user who has installed Arch on their machine. If a user wanted to not bother with installation details, they would've installed Ubuntu.

[seaal]

The Arch-based distros that most normies will install have AUR helpers instaled by default.

I can't even install Brave without the AUR.

[zer00eyz]

> If engineers can't even manage their own security, why are we expecting users to do so?

This latest attack hit Crowdstrike as well. Imagine they had gotten inside Huntress, who opened up about how much they can abuse the access given: https://news.ycombinator.com/item?id=45183589

Security folks and companies think they are important. The C suite sees them as a scape goat WHEN the shit hits the fan and most end users feel the same about security as they do about taking off their shoes at the airport (what is this nonsense for) and they mostly arent wrong.

It's not that engineers cant take care of their own security. It's that we have made it a fight with an octopus rather than something that is seamless and second nature. Furthermore security and privacy go hand and hand... Teaching users that is not to the benefit of a large portion of our industry.

[marcosdumay]

> It's not that engineers cant take care of their own security.

I dunno. My computer has at least 1 hardware backdoor that I know off, but that I just can't get hardware without any equivalent exploit.

My OS is developed with a set of tools that is known to make code revision about as hard as possible. Provides the bare minimum application insulation. And is 2 orders of magnitude larger than any single person can read on their lifetime. It's also the usable OS out there with best security guarantees, everything else is much worse or useless.

A browser is almost a new complete layer above the OS. And it's 10 times larger. Also written in a way that famously makes revisions impossible.

And then there are the applications, that is what everybody is focusing today. Keeping them secure is close to useless if one don't fix all of the above.

[dehugger]

You never actually told us what your OS is.

[dotancohen]

Because that would be a distraction to the point they're actually making.

[dehugger]

The point is thoroughly undermined since we can't judge the veracity of their claims

[dotancohen]

And discussing the specifics of whatever OS GP uses is exactly the type of OT he was wise enough to avoid.

Personally, I think he uses Emacs.

[Alive-in-2025]

They must mean macos, right?

[dehugger]

I think you could find a dozen different operating systems that someone, somewhere, would say similar about.