Is there any validation/review before the submission of a AUR package?

RyanTest · 2024-03-02 11:28:51

Arch Linux is my favorite Linux distribution due to the minimalism it offers, allowing me to build my system exactly how I want it. However, I have concerns about security when downloading packages from the AUR. I always make sure to carefully review the package build scripts.

I would like to know if there is any kind of validation or review process before a package is submitted to the AUR. Are packages held for a while for checks before being made available? Additionally, I'm interested in learning about best practices for securely downloading packages from the AUR.

WorMzy · 2024-03-02 11:42:06

Nope. There are packaging guidelines, and while failure to comply with them may result in a package being removed from the AUR, it doesn't prevent them being submitted in the first place. The AUR is governed by a small team of volunteer 'trusted users' (now called Package Maintainers) who mostly rely on user-submitted reports and mailing list messages to alert them to possible problem packages/users.

See also: https://wiki.archlinux.org/title/Arch_User_Repository

Fuxino · 2024-03-02 18:29:05

RyanTest wrote:

Additionally, I'm interested in learning about best practices for securely downloading packages from the AUR.

I'd say best practice is doing what you are already doing, i.e. check the PKGBUILD before building and installing the package.

Last edited by Fuxino (2024-03-02 18:29:21)

Arch Linux

#1 2024-03-02 11:28:51

Is there any validation/review before the submission of a AUR package?

#2 2024-03-02 11:42:06

Re: Is there any validation/review before the submission of a AUR package?

#3 2024-03-02 18:29:05

Re: Is there any validation/review before the submission of a AUR package?

Board footer