Arch Linux

7777 readers

1 users here now

The beloved lightweight distro

founded 4 years ago

MODERATORS

k_o_t@lemmy.ml

AUR is cool... but scary (lemmy.sdf.org)

submitted 1 year ago by OneCardboardBox@lemmy.sdf.org to c/archlinux@lemmy.ml

10 comments fedilink hide all child comments

Last night while updating my system, I noticed that a random aur package my system depends on was orphaned in the aur. It's some random deep-down dependency of another AUR package, and it's not received any upstream commits in a while. Nice and stable, just needed an owner. I decided to adopt the package before someone else did.

It was kinda scary how simple it is to adopt an orphaned package. Create AUR account... click an email link... Done. If someone wanted to squat the package for malicious purposes, it would be stupidly simple.

I get that this is a problem for all community repos, not just AUR (npm, anyone?), but it's still an unsettling prospect. I feel like it goes unacknowledged some times.

you are viewing a single comment's thread
view the rest of the comments

[–] hallettj@beehaw.org 0 points 1 year ago (1 children)

Hmm, that's a good point. Were you able to take over the existing package? With npm and some other self-publishing repos you can squat a name that hasn't been taken, but an existing package cannot be taken over without the original owner's credentials.

[–] OneCardboardBox@lemmy.sdf.org 1 points 1 year ago* (last edited 1 year ago)

I had full control over the pkgbuild as soon as I uploaded an ssh key to my AUR account. I did end up pushing a small update that fixed a missing download link, but I could just have easily changed the download artifacts. I know that some AUR helper encourage users to check pkgbuild diffs, but I'm sure many (most) people skip that step.