@Wolf480pl @infosechandbook @rysiek Frankly I don't think the devs get off by giving such a warning. People use Arch *for* AUR and everybody knows that. If everyone really did the due diligence they were expected to with AUR packages, Arch would have so few users nobody would take it seriously as a distro.
@brtln @Wolf480pl @infosechandbook @rysiek I don't know about COPR or OBS, but with PPAs and any equivalent Debian-like thing, the distro provides decent tools, and you add (and therefore trust) one repo/publisher at a time. This is not true of AUR, where the level of inconvenience for providing each package means most users just use something like yaourt, which doesn't distinguish among publishers.
They are not the same and I'm really disappointed that you think they are.
@freakazoid @rysiek @infosechandbook @Wolf480pl I'm more disappointed that you fail to see how it is the exact same thing, except that in Arch you actually have a way to inspect what is going to be built. Whatever you find decent about PPAs, a PPA is a service that lets anyone build arbitrary code and distribute it, and Ubuntu provides an easy way (so much easier than in Arch) to install it. You are naive if you think that a regular user sees a difference between publishers, even if the warning is bold and red.
Welp, folks, here you have it. This is how Arch devs react to news of malware in their own repo.
It's not the devs' fault that some users recommend it to their friends in the wrong way, or to friends who shouldn't be using Arch.
Look, if I bought a cheap WinCE-based car navigation unit and sold it to you saying it's an iPad, would you be mad at me, or at the manufacturer?
But it's my own damn fault for not realizing from the beginning that "Arch is meant to be convenient for developers" meant *only* Arch developers, not any other developers.
@Wolf480pl @rysiek @infosechandbook This is a really terrible attitude. Open source developers cannot escape all responsibility for their software, even if "responsibility" just comes in the form of reputation. Depending on whether other Arch devs react the same way, this could be a big black eye for the whole project.
@Wolf480pl @rysiek @infosechandbook I never claimed they didn't have this right. It's just disappointing. As much because it's made me realize that I've been lazy and sloppy to be relying on AUR to make up for Arch's lack of packages all this time. I would have dropped it soon after adopting it since, unlike you, I generally have 10-20 AUR packages installed at any given time. I'd much rather trust a couple of PPAs.
@infosechandbook @rysiek @Wolf480pl But frankly if they didn't want the reputation in the first place they should have been much more firm about not using AUR tools, saying something like "If you can't use AUR without using yaourt or another convenience wrapper, you shouldn't be using Arch at all."
Maybe they have and I haven't seen it, but I have spent a lot of time in their (excellent) docs even for non-Arch problems.
IMO, one of the biggest advantages of Arch is that it assumes the user is always right. It obeys the user.
If you put big fat warnings in and require --i-really-want-to-install-stuff-from-aur --i-know-aur-helpers-are-bad options, then it'll lose all its value. It'd become another Windows.
@bob @freakazoid @rysiek @infosechandbook
dunno, but I have circumstantial evidence that at least some of its users are not at the level of expertise that Arch was meant for. Or maybe it's not about expertise, but about attitude? About willingness to understand what's going on under the hood, and keep it simple and under control.