• 0 Posts
  • 23 Comments
Joined 7 days ago
Cake day: June 12th, 2026

  • There have been approximately 1000 infected packages in the AUR on Arch. And that’s just in the latest incident, because that’s not even the only incident.

    Now tell me how many times this happened with PPAs? Or COPR or OBS?

    Also, I’m very aware of the xz-utils exploit that happened last year. And do you know what distros were affected? Beta and testing versions of Fedora and Debian, which are not the most widely used versions of these distros. They are not meant for the public, but for developers and testers. However, the latest stable Arch was affected. Here’s the source.

    There’s no comparison between this AUR event and the xz-utils backdoor problem that was resolved nearly immediately and hasn’t happened again. Meanwhile the AUR keeps getting infected and, like I mentioned, there have been several occurrences of this.

    Ubuntu relies on the community to be notified of problematic PPAs, and these are resolved swiftly. I cannot recall the last time there was an incident with a PPA because they are so rare. So, again, there is no comparison to make.

    And who reads the PKGBUILD scripts??? Most users don’t bother. And that’s the problem.

    I’ve been using Linux for 26 years and have even worked for a distro myself. Arch is a great Linux distro if you want to build a lean distro with bleeding-edge shit. But it’s vulnerable to vulnerabilities due to it being too bleeding edge with little oversight, and to malware through the AUR. If you want to use this, then by all means, go ahead.

    But my gripe is with this, and other communities, where people are pitching Arch or Arch-based distros to nearly everybody as the de-facto go-to, especially if you’re into gaming. And I have a problem with that. I also have a problem with its users that will blindly defend this distro and outright refuse to see the problems, like it’s some kind of cult.

  • You completely missed the point.

    Debian or Fedora don’t need an AUR because vendors provide the packages themselves. And you know where they’re coming from. You have the largest collection of software packages available, plus the 3rd-party official packages available to download.

    As for the PPAs, they’re often provided by the software distributor themselves. Like Proton, or Wine. Most of the time you know who’s providing the PPA. Ubuntu also keeps a close watch over these and will act if a malicious PPA is found. It won’t take a lot of time before the PPA is taken down to prevent the spread. So it’s relatively safer than a free-for-all repo where everybody is contributing and unmaintained packages get taken over. So, no. PPAs are not more dangerous than the AUR.

  • You kind of have to have guardrails though. Especially with the recent migration from Windows 11 to Linux, a lot of gamers, mostly younger and/or inexperienced users, are being recommended Arch via CachyOS. And a lot of the advice they get involves enabling the AUR and getting their required software from there. Some of the troubleshooting documentation also provides instructions using the AUR. It may not come with Arch, but it sounds to me like it’s pretty indispensable.

    On the other hand, you have people saying that Arch isn’t for new users. That you have to be careful when using AUR and how dangerous it is. You have to know what you’re doing.

    So then why is it recommended so much? I feel like every other comment when people are asking questions on which Linux flavour to use, the answer is always “just use Arch/just use X variant of Arch”. And when I talk about using another distro like Debian, people on Linux communities get really critical and say “this distro sucks, why don’t you just use Arch/Cachy/X variant?”

    So which is it? Is it for everyone or not? Is it safe to use or not? Should anybody be using it or not?

    The comments are really conflicting with each other here.

    And honestly, if we’re going to recommend Arch/Cachy/whatever to new Linux adopters, there ought to be guardrails. Or don’t recommend Arch. And DON’T recommend using the AUR. Try other workarounds instead of taking the easy AUR solution. You don’t simply give a loaded gun to someone who wants to do target practice without any precautions or anything to prevent them from hurting themselves or others. Maybe recommend an airsoft gun with some eye-protection goggles instead for target practice initially and let them learn the basics of firearm handling using that before moving on to the real deal.

  • In control of installing malware?

    I get what you mean, but people are stupid. There need to be guardrails to prevent these things from happening. That’s why the AUR is a bad idea and it should be shut down.

    You want your software to be available for a distro? Go through the proper channels. Submit it for review and get it approved. If you stop maintaining it, they remove it. Plain and simple.

    That’s why you don’t have this problem with other distros. Arch made it too easy to download and install unverified, untested, potentially malicious software through the AUR, and now every idiot that thinks they know what they’re doing is infecting their system.

  • I’ve been a Linux user for 26 years. I made distros for hardware manufacturers. I know very well the distinctions between the AUR and the regular Arch repos and the parallel with Debian’s.

    With Arch, the problem is that the AUR is available in the first place and is very easy to enable. People, especially new users, won’t necessarily understand what they’re getting into when enabling it and getting packages from there. A lot of the advice people get online suggests getting packages from the AUR. So Arch users are bound to use it at some point.

    And if you add to that the fact that the standard repo has bleeding-edge package versions with minimal testing, vulnerabilities can also get introduced. And it’s happened before. This affected Arch, openSUSE Tumbleweed and Fedora, but you know what distribution wasn’t affected? Debian stable and Ubuntu LTS.

    And on top of that, I’m not even going to mention how unstable it is and how even just doing updates is risky on Arch. You have to be on your toes all the time and you can end up with a broken system at any time. For a main PC operating system, I find that absolutely unacceptable. At least Manjaro tried to improve on this.

    Valve switching to Arch makes sense though. They moved to Arch because they wanted the most up-to-date software and drivers available with a faster release cycle, then control what versions they push to their devices. They keep tight control over what gets updated by curating their own repositories. So it’s not purely Arch either. It’s Arch-based. You can expect software to be a little older on SteamOS.

    In any case, for me, Debian is the solution. I’m looking for stability and security. It has a huge repo with practically every piece of software under the sun. There’s tons of documentation and support and a huge community. For me the distribution works OOTB without any hitch. I just know that I won’t spend time troubleshooting something on my time off. I already do a lot of this during work.