I unfortunately live in an area where we’re not taught about safety devices and safe “browsing”. My parents were uneducated about modern safe browsing methods and so I had to explore the aur for myself and make my own mistakes and deal with infections I was unprepared for. Thanks for posting this Brodie I couldn’t resist the euphemisms. /s

I would love to see the same mentality toward vim plugins. It seems like a lot of people got the memo on AUR packages, but not yet for vim plugins. Nobody reads the diffs :)

Good basic instructional video Brodie. IMO, too much AUR will eventually break something on a newby setup. Always best to stick to the pacman repo as much as possible. When not possible, the AUR kicks butt and makes life quick and easy.

Thank you for this vid Brodie, starting to test Manjaro and saw a few things missing. Now I know a little more about what to watch out for

I use AUR as a Manjaro (GASP!!!) Unstable user. I'm watching this, 'cause it was in my feed :P

Great tutorial on how to critically think about what you are installing.

11:27 Nah, if someone really wanted to ship malware, putting it only in the pre-compiled artifacts and not in the public source code would definitely be harder to detect. Also, the build machine could have been compromised, etc. Still, if you don't trust the developer, you probably shouldn't be installing the software in the first place.

I recently spent some time learning how to use steamtinkerlaunch & ended up needing to use the AUR to install it bc all the other options were WAY too involved for me, & I wondered about this kind of thing at the time! These are great tips; I think they'll be easy to remember and probably make me feel a little bit less like I could be playing with forces I don't understand, lol.

Yes, I like this video! 👍 Thanks!

Sweet, so to slip a keylogger into the AUR, I need to make sure the download URL, developer name, and install script check out. I'll assume nobody will bother to read the source if it's ugly enough. Not that this isn't good advice - it's just a shame that I can't use my expensive sliver of magical melted sand to comprehend and manage what the package can or can't do. Like, we need a lavamoat for system packages.

I like using pamac as my AUR helper because I like how it DDoSes the AUR.

Now i want to learn the same about flatpaks and snaps.

I have no idea why I am watching this video - subscribed.

Well I am an AUR helper user... Even on my arch homeserver I now use an AUR helper. Just doing the updates and making sure the zfs scripts like sanoid stays up to date is reason enough for me. So my tactic on the AUR and the mess you can get, is that I try to use it as sparingly as possible... But the ZFS snapshots stuff just became super needed to avoid data paranoia so...

Not to heavily actually, most of the packages are actually from the main repo or chaotic-aur

the only problem i have ever had on the aur is an application that hasnt been updated in a long time and just doesnt do anything. nothing has ever broken my system

@7:05 can you do a video on the hikarujs package it looks interesting.

What is your paru config? The review screen with the file tree looks pretty cool

As someone who avoids using the AUR unless absolutely necessary, I think you may be overestimating how many arch users bother with the AUR and especially how many chose arch because of it.

What if the maintainer of an already installed aur package changes and the new maintainer suddenly does "bad things" ? You should "always" check that everything is still OK before you update an already installed package!

I like to listen to the high-pitched voice of this boy 😅😅😅

I dont know what should i choose? An binary AUR packages ungoogled chromium i.e ungoogled-chromium-bin OR a repo from Opensuse special for Arch Linux. Github page from both sources are the same.

Back when I was using Debian, I wrote a utility in bash to look for packages using fzf (script ==> fzf to find the right package ==> install) Nowadays I use a package called parui that works almost the same way (no fzf ☹️) and it's pretty great It is dependent on paru afaik so keep that in mind

What kind of tea do u drink bro? im sipping on some chocolate mint right now but in the mornings i do love me some earl grey or english breakfast :)

i want to see cli tools for installing aur pkgs doing more of these checks automatically. because when you really work it out, a lot of the stuff you are manually checking here in this video... it could be given output to flag and inform the user. kindda like a linting process. for example if the src repo url is not an identified domain or self hosted that could print out a notification line in a shade of yellow. to prompt the user to manually check. or if the github repo is a fork. or if the github username does not match the aur username. then how many comments. and can automatically score those aur comments with sentiment analysis tool. and the upvotes. and then if flagged for deletion that could be printed in red color. all so many of these checks can and should be automated. with verbosity levels as to how much details to print. and user settings to decide how paranoid you want to be. another feedback on cli can be to tell the user if the package maintainer is not using or has not enabled 2fa. since this is also another good extra security measure. to stop insecure aur accounts from getting hijacked. the same thing should in fact also extend to the repo accounts of the src on github or gitlab. we need reporting that those upstream accounts where we are actually fetching the software from... the end user must also be told whether those developer accounts are being secured properly by 2fa. so that (again) the person downloading can decide and the ability to choose what their own local security policy is they want to follow. this is especially important for open repos like aur. were anybody out there can submit software and packages

When you install on paru you don't need the -S

Personally, I have no idea why I watched this video. I mean I basically do the same thing with npm packages, so I guess I agree with you magic arch man.

the AUR is 100% safe, no problem what so ever, just as safe as android's store :D ..... I use Arch BTW

I have a few aur packages and I host the code on my own server. I have no idea if anybody has actually read the code to see if it's actually not malware.

Eyy you are

review launches lf? do share this.

If installing random software is wrong, watching random YT videos (like this one) must be wrong too. 🤔 I need to rethink my entire internet usage.

You know, training an AI to scan the AUR for malicious pkgs and flagging them would be a tremendous help. Just saying...

so for every package you want to install from the aur, you should audit the package build script? sounds like a bit of a hassle. is there any kind of reputation or rating system for aur package authors? or is that too easy to game with bots?

No thanks, i prefer [testing] [chaotic-aur].

I am a fedora user, and I feel it's kind of, unnecessary? But hey good luck

Now WHAT I DO WITH 1000s of PACAGES i installed from aur with out looking at anything.... :(

just use nixpkgs bro

heres how i keep myself safe when using the AUR. 1. Clone the AUR repo. 2. edit and modify PKGBUILD and get rid of libsystemd,systemd dependencies, 3. then install with makepkg -si. Systemd for most if not all of the packages are just garbage and basically unnecessary for package functionality.

8:30

The thing I don't like about aur is that some people put there their work and you are unable to install it because it asks for password. Why is it then there?

I see many people stating that they barely use the AUR and I simply don't trust them. There's basically no benefit to Arch when we discard the AUR. There are plenty of up-to-date distros like Fedora that would get the job done better than AUR-less Arch

virgin check install script vs chad test build installer

Do You Wanna my Sincere Opinion? Arch Linux Sucks..its just a "Linux Mint Slackware For Hipsters",this distro is for Masochists thats wanna be cool,but never will be cool....The Real World Linux distros are 100% muche Better....

github cody_learner aurch