Ask HN: Is anyone else leaving AUR?

I'm spending a lot of my time removing AUR packages for alternatives in the official Archlinux repositories.

I've shifted from Dropbox to RClone, from acpilight to brightnessctl, from spotify to spotify-launcher and so on.

Has anyone else having the same trust problem? Also, how do you stay updated with the situation?

I work in a corporate environment and malware is a no-go.

4 points | by lordkrandel 8 hours ago

3 comments

d3Xt3r 6 hours ago
Yeah, I've been trying to get away from the AUR too. Besides switching to alternatives from the main repo like you, I've also been using AppImage, Flatpak, brew and cargo. I think the only main AUR package remaining for me (not counting dependencies) is chawan-git.
As for keeping updated on the situation, I've been following the news in the Arch Linux discord and the Github page which had the AUR malware scanning script.
cui 8 hours ago
What's wrong with Dropbox?
[-]
- lordkrandel 7 hours ago
  It's installed from AUR, which has been compromised.
  https://www.phoronix.com/news/Arch-Linux-AUR-400-Compromised
  https://wiki.archlinux.org/title/Dropbox
casey2 5 hours ago
Might be fun to do if you are unemployed, but since you've mentioned a job it's better to just read the install script for the high level overview then install it manually.
The general idea is to find a small set of programs, in a more supported set that serves your usecase. So you learn more about a smaller number of programs. Downside is that you are now able to rewrite your entire system in a single language.