- Yeah, I've been trying to get away from the AUR too. Besides switching to alternatives from the main repo like you, I've also been using AppImage, Flatpak, brew and cargo. I think the only main AUR package remaining for me (not counting dependencies) is chawan-git.
As for keeping updated on the situation, I've been following the news in the Arch Linux Discord and the GitHub page which had the AUR malware scanning script.
- Thank you very much! I've found alternatives or removed about 30 packages. The only AppImage I have is Librewolf, no Flatpaks.
- I think you overreact. Sure, there were a few hundred compromised packages, but obviously it's a small percentage of all AUR. Maybe also some of them were really popular like Dropbox, but still you can check.
- Might be fun to do if you are unemployed, but since you've mentioned a job it's better to just read the install script for the high-level overview, then install it manually.
The general idea is to find a small set of programs, in a more supported set that serves your use case. So you learn more about a smaller number of programs. Downside is that you are now able to rewrite your entire system in a single language.
- I've successfully uninstalled yay and removed all the packages, and am still employed. Most were zombies and stuff that could be replaced. Rest is from Arch main repos.
- What's wrong with Dropbox?
- It's installed from AUR, which has been compromised.
https://www.phoronix.com/news/Arch-Linux-AUR-400-Compromised