#1 2016-01-23 02:09:56

yxliang01
Member
Registered: 2015-11-13
Posts: 2

Is downloading source code from AUR and ABS as secure as official repo

Is downloading source code from AUR and ABS as secure as official repo? As far as I know, PKGBUILDs from AUR can be uploaded by anyone, while ABS and official repo (extra, community, etc.) can only be uploaded by authorized users.

Offline

#2 2016-01-23 02:31:38

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 13,167

Re: Is downloading source code from AUR and ABS as secure as official repo

I would venture that the official repositories are safer than the AUR. There are technical controls in place to ensure you run what the developers and TUs put in place. Anyone can put anything in the AUR. That is specifically why you should audit any AUR package before you install it. AUR packages could be deliberately belligerent, or they could suffer by having someone who is clueless writing them.

OTOH, I always audit things I load from the AUR. I never audit things from core, extra, or even community. I guess I trust the developers. I also guess I trust the TUs. Do you?


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
You assume people are rational and influenced by evidence.  You must not work with the public much. -- Trilby
----
How to Ask Questions the Smart Way

Offline

#3 2016-01-23 02:38:55

yxliang01
Member
Registered: 2015-11-13
Posts: 2

Re: Is downloading source code from AUR and ABS as secure as official repo

Thanks. Sounds like I can't install lots of packages without spending lots of time on it.

ewaller wrote:

I would venture that the official repositories are safer than the AUR. There are technical controls in place to ensure you run what the developers and TUs put in place. Anyone can put anything in the AUR. That is specifically why you should audit any AUR package before you install it. AUR packages could be deliberately belligerent, or they could suffer by having someone who is clueless writing them.

OTOH, I always audit things I load from the AUR. I never audit things from core, extra, or even community. I guess I trust the developers. I also guess I trust the TUs. Do you?

Offline

#4 2016-01-23 11:21:01

Head_on_a_Stick
Member
From: Asteroid B-612
Registered: 2014-02-20
Posts: 3,867
Website

Re: Is downloading source code from AUR and ABS as secure as official repo

Always read the PKGBUILD before running `makepkg` ;)


_0_
__0
000

Offline

#5 2016-01-23 12:10:59

slithery
Member
Registered: 2013-12-01
Posts: 792

Re: Is downloading source code from AUR and ABS as secure as official repo

[pedantic]Source code is never downloaded from the AUR or ABS, it's downloaded from the locations specified in the source array in the PKGBUILD.[/pedantic]

Last edited by slithery (2016-01-23 12:23:08)

Offline
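
A static first pass over a PKGBUILD, in line with the advice in this thread to read it before running `makepkg` (an added example, not code from any poster or from Arch tooling): it lists where the `source` array actually fetches from, as post #5 points out, and flags checksum and install-scriptlet items without sourcing the file. The package name, hosts, flag labels and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: static first-pass triage of a PKGBUILD. The file is only read
# as text, never sourced, because sourcing a PKGBUILD runs whatever it contains.
# Print the entries of source=(...) / source_x86_64=(...) style arrays, one per line.
pkgbuild_array() {  # usage: pkgbuild_array NAME FILE
  awk -v name="$1" '
    !inarr && $0 ~ ("^" name "(_[a-z0-9_]+)?=[(]") { inarr = 1; sub(/^[^(]*[(]/, "") }
    inarr {
      line = $0
      if (index(line, ")")) { line = substr(line, 1, index(line, ")") - 1); inarr = 0 }
      n = split(line, w, /[ \t]+/)
      for (i = 1; i <= n; i++) if (w[i] != "") print w[i]
    }' "$2" | tr -d "\"'"
}

# Print "FLAG<TAB>detail" lines for what a reviewer should look at first.
pkgbuild_triage() {  # usage: pkgbuild_triage FILE
  pkgbuild_array source "$1" | sed 's/^[^:]*:://' | while IFS= read -r src; do
    case $src in
      https://*|*+https://*) ;;                        # fetched over TLS
      *://*) printf 'PLAINTEXT-FETCH\t%s\n' "$src" ;;  # http, ftp, git://, ...
      *)     printf 'LOCAL-FILE\t%s\n' "$src" ;;       # shipped beside the PKGBUILD
    esac
  done
  for algo in md5 sha1 sha224 sha256 sha384 sha512 b2; do
    sums=$(pkgbuild_array "${algo}sums" "$1")
    [ -n "$sums" ] || continue
    case $algo in md5|sha1) printf 'WEAK-HASH\t%ssums\n' "$algo" ;; esac
    printf '%s\n' "$sums" | awk -v a="$algo" '$0 == "SKIP" { n++ }
      END { if (n) printf "NO-CHECKSUM\t%d SKIP in %ssums\n", n, a }'
  done
  # An install= scriptlet is run by pacman, as root, when the package is installed.
  awk '/^install=/ { printf "ROOT-HOOK\t%s\n", $0 }' "$1"
}

# Constructed sample PKGBUILD (hypothetical package and hosts).
write_sample_pkgbuild() {
  cat > "$1" <<'EOF'
pkgname=example-tool
pkgver=1.0
source=("$pkgname-$pkgver.tar.gz::http://downloads.example.org/example-tool-1.0.tar.gz"
        "git+https://git.example.org/plugin.git"
        'fix-paths.patch')
md5sums=('0123456789abcdef0123456789abcdef' 'SKIP'
         'fedcba9876543210fedcba9876543210')
install=example-tool.install
EOF
}
f=$(mktemp) && write_sample_pkgbuild "$f" && pkgbuild_triage "$f"; rm -f "$f"
```

The flags only prioritise the manual read; the build functions, any local files and the `.install` scriptlet still have to be read in full.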
