• ZombieCyborgFromOuterSpace@lemmy.ca · 1 up / 3 down · 2 days ago

    There have been approximately 1000 infected packages in the AUR on Arch. And that’s just in the latest incident, because that’s not even the only incident.

    Now tell me how many times this happened with PPAs? OR COPR or OBS?

    Also, I’m very aware of the xz-utils exploit that happened last year. And do you know what distros were affected? Beta and testing versions of Fedora and Debian, which are not the most widely used versions of these distros. They are not meant for the public, but for developers and testers. However, the latest stable Arch was affected. Here’s the source.

    There’s no comparison between this AUR event and the xz-utils backdoor problem, which was resolved nearly immediately and hasn’t happened again. Meanwhile the AUR keeps getting infected and, like I mentioned, there have been several occurrences of this.

    Ubuntu relies on the community to be notified of problematic PPAs, and these are resolved swiftly. I cannot recall the last time there was an incident with a PPA because they are so rare. So, again, there is no comparison to make.

    And who reads the PKGBUILD scripts??? Most users don’t bother. And that’s the problem.

    I’ve been using Linux for 26 years and have even worked for a distro myself. Arch is a great Linux distro if you want to build a lean distro with bleeding edge shit. But, it’s vulnerable to vulnerabilities due to it being too bleeding edge with little oversight and malware through the AUR. If you want to use this, then by all means, go ahead.

    But my gripe is with this, and other communities, where people are pitching Arch or Arch-based distros to nearly everybody as the de facto go-to, especially if you’re into gaming. And I have a problem with that. I also have a problem with its users who will blindly defend this distro and outright refuse to see the problems, like it’s some kind of cult.