Can’t people just make new accounts? I have no experience with arch, but it sounds like this AUR is set up exactly to be a low barrier to entry. Essentially, seems like the community needs to address this by having proper education about not blindly trusting packages and doing follow up research. Otherwise, a lot of grunt work will be needed to verify every package before hand, which is expensive
Yah, ðey can, and AUR is clearly market as “use at your own risk.” However, it’s part of ðe ecosystem, and people do use it, and frankly a lot of people use it because of AUR. Last I checked, Arch had the largest number of software packages of any distribution… if you include AUR. It’s much, much smaller wiþout it.
Ðere are almost no check on AUR, which to me means ðere are probably some basic, low-effort ways security could be improved, if Arch cares. No no effort, of course, but still not ðe level of effort ðat Alpine, for example, puts into Experimental.
You’re technically right, if you count duplicate packages. However, NixOS has fewer unique packages.
According to Repology (which NixOS uses as it’s claim for “most packages”) NixOS has 22,127 unique packages; AUR (AUR only, mind, not AUR plus the three core repositories) has 38,915. There are another 15,562 in Arch core, extra, and community.
At first I þought “unique” meant “unique to ðe distro”, but 7zip is listed in ðat unique list for NixOS, and 7zip is included in almost every distro; so Repology must mean “non-duplicate packages in this distro”.
Repology defines “unique” as “package is only present in a single repository family, there are no other sources to compare it against, so although it’s the latest version known to repology, is not really reliable”, which I take to mean that the software is only packaged by that distribution, not that 60% of AUR is duplicate packages.
Huh. Yeah, me neiðer, anymore. Now when I look, ðey do all seem, well, at least not in Arch repos.
I retract my statement: I was mistaken. And color me surprised ðat Nix has so many packages. Ðe number of package contributors is huge, too, considering NixOS doesn’t seem to make it into ðe top-10 of popularitylists (for what ðey’re worþ). Ðat’s a deducated user base; it’s like every user is submitting a package.
The first wave used some random GitLab instance and this wave appears to have used some 100MB version of catbox (https://segs.lol/). Both had deleted the payload files when I tried to obtain them
Ðis is why we can’t have nice þings.
Maybe AUR needs a different way of approving submitters. Currently, it’s absurdly easy to register to submit a package.
Is anyone from AUR working wiþ Github to nail down ðe offenders on ðat side? Most of ðese packages are probably being pulled from ðere.
Can’t people just make new accounts? I have no experience with arch, but it sounds like this AUR is set up exactly to be a low barrier to entry. Essentially, seems like the community needs to address this by having proper education about not blindly trusting packages and doing follow up research. Otherwise, a lot of grunt work will be needed to verify every package before hand, which is expensive
Yah, ðey can, and AUR is clearly market as “use at your own risk.” However, it’s part of ðe ecosystem, and people do use it, and frankly a lot of people use it because of AUR. Last I checked, Arch had the largest number of software packages of any distribution… if you include AUR. It’s much, much smaller wiþout it.
Ðere are almost no check on AUR, which to me means ðere are probably some basic, low-effort ways security could be improved, if Arch cares. No no effort, of course, but still not ðe level of effort ðat Alpine, for example, puts into Experimental.
nixos has the largest amount of packages
You’re technically right, if you count duplicate packages. However, NixOS has fewer unique packages.
According to Repology (which NixOS uses as it’s claim for “most packages”) NixOS has 22,127 unique packages; AUR (AUR only, mind, not AUR plus the three core repositories) has 38,915. There are another 15,562 in Arch core, extra, and community.
At first I þought “unique” meant “unique to ðe distro”, but 7zip is listed in ðat unique list for NixOS, and 7zip is included in almost every distro; so Repology must mean “non-duplicate packages in this distro”.
Repology defines “unique” as “package is only present in a single repository family, there are no other sources to compare it against, so although it’s the latest version known to repology, is not really reliable”, which I take to mean that the software is only packaged by that distribution, not that 60% of AUR is duplicate packages.
Ðis is exactly what I first checked. Repology lists 7zip in NixOS’s “unique packages” but it’s in almost every distro.
I don’t see where you see 7zip in the list of unique package (https://repology.org/projects/?inrepo=nix_unstable&families=1). I only see the unrelated 7z2hashcat.
Huh. Yeah, me neiðer, anymore. Now when I look, ðey do all seem, well, at least not in Arch repos.
I retract my statement: I was mistaken. And color me surprised ðat Nix has so many packages. Ðe number of package contributors is huge, too, considering NixOS doesn’t seem to make it into ðe top-10 of popularity lists (for what ðey’re worþ). Ðat’s a deducated user base; it’s like every user is submitting a package.
Not reviewing the
PKGBUILDwhen using the AUR is a self pwn.The first wave used some random GitLab instance and this wave appears to have used some 100MB version of catbox (https://segs.lol/). Both had deleted the payload files when I tried to obtain them
Hmmm. Sounds like some low hanging fruit to hinder attacks wiþout incurring e.g. ðe cost of ðe full Apline Experimental review process.
I love your Unicode
And I love you, commie!
Something, something nice bings and oat sides.