All good! You sound like you’re on the right path. I have like 3 or 4 flatpaks installed hahaha

All that a flatpak is is a distro-agnostic release of a package. They contain all the binaries and libraries to run on any distro. They’re also sandboxed from the rest of your OS unless you give them permission to interact with it. Being that they contain everything for all of Linux means slightly larger file size, but that’s not so much of a problem as it was in the old days.

I install flatpaks via terminal, same as I do for official repos stuff and the AUR. I was never a fan of GUIs for really anything on Linux other than my file browser, but especially not for updating or installing packages. There’s too many prompts and dependencies.

I’ve been doing a lot of reading online tonight about this whole ordeal. Someone mentioned CachyOS “makes it easy to install apps” or something in that vein as in it utilizes one click solutions for installing, so to speak. If these point to the AUR without checks and balances then yeah I could see that being quite a disaster.

I’m not sure I follow what you mean about better flatpak integration. Arch and flatpak play pretty nicely together as it is. It’s just my experience that a lot of the more random and niche software I want is only available via the AUR and not flatpak.

Ultimately though, the AUR is the arch user repository. As in, it’s maintained and contributed to by users, not the Arch Linux team that develops the distro. They provide plenty of warnings about using it at your own risk, and while it’s certainly a big part of the appeal for the distro, it’s no surprise that something that’s basically the wild West will get a little unruly at times.

Yeah I’ve ran a few, including that one. Also manually checked all my AUR packages against the list and there are a few that are close, but not explicitly called out. Like filebot47 is an orphaned package and was called out as malicious, but I have regular filebot which is (I hope) ok. It seems the attackers were taking over orphaned packages and claiming themselves as a maintainer, which they were automatically granted after 2 weeks. I understand the idea of being able to contribute and work together in the Linux development world but this can be a recipe for disaster if left unchecked. It sucks people will take opportunities like this to inflict some real harm.

The only AUR packages I have are some of the more popular ones, and it’s only because that’s the only place I saw them available. I might look and see what I can install via flatpak if not in the official repos from now on.

I did and it returned two hits for clang19 and compiler-rt19. They were on my PC for about a month from March to April. I’m not gonna lie, I don’t even know what those are, probably a dependency for something.

Fortunately they installed from the official repos according to my log. So I think I’m ok

I updated last night fuck my chungus life