this post was submitted on 05 Mar 2025
Arch Linux
No one's job is to screen the PKGBUILDs of AUR packages, so it's technically not safe to use them. That being said, the large community is keeping an eye on these packages and, while problems are not fully preventable, malicious stuff is caught pretty quickly.
So, to contrast with my first statement, one could argue that it's mostly safe to use the AUR. That's even more true for packages used by a ton of people because issues/risks will be flagged almost immediately should they ever exist. That's the case for browsers, especially when developers themselves offer an AUR package (like Librewolf: https://librewolf.net/installation/arch/).
Packages from the AUR basically do what is written in the PKGBUILD and install script, so that's why everyone will instruct you to learn about that before installing AUR packages with a helper. That's too much for some people though, and at the end of the day you also have to trust the person who wrote the source code, which is compiled locally.
Nothing is 100% safe. I personally have 96 AUR packages installed because there are no other packages available (this includes stuff like my window manager, Python tools, 3D slicer, web browser...).
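As an added example that is not part of the comment above: a small shell helper that lists the lines of a PKGBUILD worth reading first when reviewing it before a build. The tag names, the function names and the sample PKGBUILD are constructed for illustration; the checks are heuristics and do not replace reading the PKGBUILD and its install script.

```shell
#!/bin/sh
# Added example (not from the thread): point a reviewer at the PKGBUILD lines
# to read first. The file is only grepped as text and never sourced, because
# sourcing a PKGBUILD executes its top-level code.

# pkgbuild_flags FILE -> prints "TAG lineno:content" for each hit.
pkgbuild_flags() {
    f=$1
    # install= names a script whose hooks pacman runs as root.
    grep -nE '^[[:space:]]*install=' "$f" | sed 's/^/INSTALL_SCRIPT /'
    # SKIP turns off the integrity check for that source entry.
    grep -nw 'SKIP' "$f" | sed 's/^/CHECKSUM_SKIP /'
    # Sources fetched over an unencrypted transport.
    grep -nE '(^|[^[:alnum:]])(http|ftp)://' "$f" | sed 's/^/PLAINTEXT_SOURCE /'
    # Downloads made by commands are not covered by the checksum arrays.
    grep -nE '(^|[^[:alnum:]_-])(curl|wget|git[[:space:]]+clone)([[:space:]]|$)' "$f" |
        sed 's/^/FETCH_IN_BODY /'
    return 0
}

# Constructed sample PKGBUILD (hypothetical package, placeholder checksum).
write_sample_pkgbuild() {
    cat > "$1" <<'EOF'
pkgname=example-tool
pkgver=1.0
source=("http://example.invalid/example-tool-$pkgver.tar.gz"
        "git+https://example.invalid/plugin.git")
sha256sums=('PLACEHOLDER_SHA256' 'SKIP')
install=example-tool.install
build() {
  curl -O https://example.invalid/extra-data.bin
  make
}
package() {
  make DESTDIR="$pkgdir" install
}
EOF
}

sample=$(mktemp)
write_sample_pkgbuild "$sample"
pkgbuild_flags "$sample"
rm -f "$sample"
```

Each flagged line is a place to look, not a verdict: a `SKIP` entry is normal for VCS sources, and an `INSTALL_SCRIPT` hit means the named `.install` file needs the same reading as the PKGBUILD.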