
#1 2016-01-23 02:09:56

yxliang01
Member
Registered: 2015-11-13
Posts: 2

Is downloading source code from AUR and ABS as secure as official repo

Is downloading source code from AUR and ABS as secure as official repo? As far as I know, PKGBUILDs from AUR can be uploaded by anyone, while ABS and official repo (extra, community, etc.) can only be uploaded by authorized users.


#2 2016-01-23 02:31:38

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 14,709

Re: Is downloading source code from AUR and ABS as secure as official repo

I would venture that the official repositories are safer than the AUR. There are technical controls in place to ensure you run what the developers and TUs put in place. Anyone can put anything in the AUR. That is specifically why you should audit any AUR package before you install it. AUR packages could be deliberately belligerent, or they could suffer by having someone who is clueless writing them.

OTOH, I always audit things I load from the AUR. I never audit things from core, extra, or even community. I guess I trust the developers. I also guess I trust the TUs. Do you?



#3 2016-01-23 02:38:55

yxliang01
Member
Registered: 2015-11-13
Posts: 2

Re: Is downloading source code from AUR and ABS as secure as official repo

Thanks. Sounds like I can't install lots of packages without spending lots of time on it.

ewaller wrote:

I would venture that the official repositories are safer than the AUR. There are technical controls in place to ensure you run what the developers and TUs put in place. Anyone can put anything in the AUR. That is specifically why you should audit any AUR package before you install it. AUR packages could be deliberately belligerent, or they could suffer by having someone who is clueless writing them.

OTOH, I always audit things I load from the AUR. I never audit things from core, extra, or even community. I guess I trust the developers. I also guess I trust the TUs. Do you?


#4 2016-01-23 11:21:01

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 4,290

Re: Is downloading source code from AUR and ABS as secure as official repo

Always read the PKGBUILD before running `makepkg` ;)



#5 2016-01-23 12:10:59

slithery
Member
Registered: 2013-12-01
Posts: 1,391

Re: Is downloading source code from AUR and ABS as secure as official repo

[pedantic]Source code is never downloaded from the AUR or ABS, it's downloaded from the locations specified in the source array in the PKGBUILD.[/pedantic]

Last edited by slithery (2016-01-23 12:23:08)
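As an added example (not part of any post in this thread), here is one way to support the PKGBUILD review recommended in #4 by listing what the `source` array from #5 will actually fetch and how each entry is verified. The sample PKGBUILD, its URLs and the helper names `arrays` and `audit` are constructed for illustration; the parser is a simplified static reader that never sources the file, does not expand variables, and does not handle comments or `$(...)` inside arrays.

```python
import re

# Constructed sample PKGBUILD for illustration (not a real AUR package).
SAMPLE = '''\
pkgname=example-tool
pkgver=1.2
source=("https://example.org/$pkgname-$pkgver.tar.gz"
        "http://example.net/extra.patch"
        "git+https://example.com/repo.git")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP'
            'SKIP')
'''

ARRAY = re.compile(r'^(\w+)=\((.*?)\)', re.M | re.S)
TOKEN = re.compile(r'''"([^"]*)"|'([^']*)'|(\S+)''')
SUMS = ('sha512sums', 'sha384sums', 'sha256sums', 'sha224sums', 'sha1sums', 'md5sums')
VCS = ('git+', 'svn+', 'hg+', 'bzr+')

def arrays(text):
    """Statically extract bash arrays; the PKGBUILD is never sourced or executed."""
    return {name: [a or b or c for a, b, c in TOKEN.findall(body)]
            for name, body in ARRAY.findall(text)}

def audit(text):
    """Return (sources, findings) for the source array and its checksum array."""
    a = arrays(text)
    sources = a.get('source', [])
    sumkey = next((k for k in SUMS if k in a), None)  # strongest array present
    sums = a.get(sumkey, [])
    findings = []
    for i, src in enumerate(sources):
        url = src.split('::', 1)[-1]  # drop the optional "filename::" prefix
        scheme = url.split('://', 1)[0].split('+')[-1] if '://' in url else ''
        digest = sums[i] if i < len(sums) else None
        if scheme in ('http', 'ftp'):
            findings.append((url, 'fetched over unencrypted transport'))
        if digest is None:
            findings.append((url, 'no checksum entry'))
        elif digest == 'SKIP' and not url.startswith(VCS):
            findings.append((url, 'checksum is SKIP for a non-VCS source'))
    if sumkey in ('md5sums', 'sha1sums'):
        findings.append((sumkey, 'only a weak hash is provided'))
    return sources, findings

if __name__ == '__main__':
    for item, why in audit(SAMPLE)[1]:
        print(f'{item}: {why}')
```

A clean result here only covers where the sources come from and whether they are pinned; the `prepare()`, `build()` and `package()` functions and any `.install` file still need to be read by hand.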
