I’m thinking about switching to a Firefox fork as a web browser. Apart from Tor, they’re all on AUR. I can’t use Tor all the time.
Do you consider that a security risk that’s worth worrying about? E.g. you could get a dodgy maintainer putting malware in it, as least theoretically.
You must log in or register to comment.
could get a dodgy maintainer putting malware in it, as least theoretically.
Yes, that could be possible. But this has nothing to do with the type of application you want to get from the AUR.
It’s actually quite easy, because none of the PKGBUILD files are actively checked before publishing them, neither are the programs that are built from them or the packages that you install.
PKGBUILD files are basically shellscripts. Authors can do whatever they want in that scripts. If they want to run
rm -rf /*, no-one is stopping them.This is why you always should read the whole script before running
makepkgand examine the./pkgdirectory’s contents after you did and before installing the package.Basically you’re asking if it’s safe to install anything from AUR, and there are answers to that aplenty.
No one’s job is to screen PKGBUILD of AUR packages so it’s technically not safe to use them. That being said the large community is keeping an eye on these packages and, while problems are not fully preventable, malicious stuff are caught pretty quickly.
So, to contrast with my first statement, one could argue that it’s mostly safe to use AUR. That’s even more true for packages used by a ton of people because issues/risks will be flagged almost immediately should they ever exist. That’s the case for browsers, especially when developers themselves offer an AUR package (like Librewolf: https://librewolf.net/installation/arch/).
Packages from the AUR basically do what is written in the PKGBUILD and install script so that’s why everyone will instruct you to learn about that before installing AUR packages with an helper. That’s too much for some people though and at the end of the day you also have to trust the person who wrote the source code and which is compiled locally.
Nothing is 100% safe. I personally have 96 AUR packages installed because there’s no other packages available (this includes stuff like my windows manager, python tools, 3D slicer, web browser…).
Very confusing phrasing, but are you just talking about the stock Arch package repo? It’s as safe as I stalling the OS in the first place. The browser is as much a risk as any other package you’ve already installed from the main repo.
They’re referring to Firefox forks which are available only in the AUR and not from the main repos. In that case there can be a level of risk, but you can manually review the PKGBUILD of whatever package you end up installing to verify that it’s not doing anything fishy when pulling sources.
Apart from that, you may also want to look into potentially installing a Flatpak. This still comes with some risk if it’s not official (packaged and published by the original devs), but AFAIK there’s at least some sort of vetting process for packages to be accepted into Flathub.
Yes, that’s what I’m referring to. Thanks, I’ll try Flathub. Manually reviewing the PKGBUILD is beyong my capabilities.
For something like a browser, you don’t even need to “install” at all. You only need to acquire the standalone/portable executable from the browser developer’s official website. For example you get Waterfox from https://www.waterfox.net/download/. If you read the PKGBUILD, even if you can’t see through all the potential malicious tricks you’ll at least find that that’s basically all it claims to do: download a binary from official website and put it somewhere. In this case “installing” means using root permissions to stick it in /usr/bin, so all users on the computer can run it. But since almost all home computers only have a single user, you can skip having to give it (temporary) root access by saving it in your home directory instead. I also run the binary inside its own Firejail so it doesn’t even have access to my personal files. You are always trusting someone, be it the Arch maintainers, the AUR contributors, or the independent browser developers, but this way the least number of parties get the least number of permissions.
