Let’s be honest, how many current Linux users can trust any code that they run? There’s so many guides and instructions where you essentially copy/paste commands to install or configure something that it would be difficult for your average user to verify everything.
If you feel overwhelmed by this, an easy rule of thumb is sticking to distro packages of a trusted dist. Ideally ones with long track record, centralized packaging and tiered rollouts.
Roughly,
High community trust: Debian, SUSE, Fedora, Ubuntu
Depends on the package but at least everything is transparent with some form of process, contributors vetted, and a centralized namespace: Arch, Alpine, Nixpkgs
Anything and anyone goes, you are one typo away from malware but hey, at least things get taken down when folks complain: AUR, GitHub, NPM, DockerHub, adding third-party ppa/copr
There is crap like this all the time, that wave just happened to make news. Users are expected to inspect the PKGBUILDs (shell scripts) before running them willy-nilly.
You do as you wish but please don’t normalize dangerous behaviour.
As Arch becomes mainstream and more of an attractive target for attackers I think we will get more of the same thing happening regularly in NPM: Legitimate popular packages getting compromised because a maintainer got infected or phished.
You can trust the software in your distro’s repositories (if you run a distro with well-maintained repositories). This is because, generally only well-known software gets packaged, the packager should be familiar with both the project and the code, and everything is rebuilt on the distro’s own infrastructure, to ensure that a given binary actually corresponds to the source.
It might still be possible for things to slip through, but it’s certainly much safer than random programs from online.
If you download and install untrusted code extensions, you’re screwed. Not like it’s rocket-science.
As we push more average Windows users to Linux, we need to be prepared for these users to download and run completely untrusted code.
Let’s be honest, how many current Linux users can trust any code that they run? There’s so many guides and instructions where you essentially copy/paste commands to install or configure something that it would be difficult for your average user to verify everything.
Oh you want this cool terminal experience? Just run:
curl https://totally-normal-website.io/installer.sh | sudo bashIf you feel overwhelmed by this, an easy rule of thumb is sticking to distro packages of a trusted dist. Ideally ones with long track record, centralized packaging and tiered rollouts.
Roughly,
High community trust: Debian, SUSE, Fedora, Ubuntu
Depends on the package but at least everything is transparent with some form of process, contributors vetted, and a centralized namespace: Arch, Alpine, Nixpkgs
Anything and anyone goes, you are one typo away from malware but hey, at least things get taken down when folks complain: AUR, GitHub, NPM, DockerHub, adding third-party ppa/copr
IDGAF:
curl | shProbably a bunch. But having the ability doesn’t mean it’s used.
Friends don’t tell friends to “Just
curl shiny.tool/install | sh” or “Justgit cloneanddocker-compose up”.You know, I have encountered a lot of “just pipe curl into sh” from people who absolutely should know not to do that.
its kind of crazy how much I used to use the AUR, Was just randomly running randoms peoples scripts to install packages.
I’ll probably never stop doing this. I like it too much
https://www.theregister.com/2025/07/22/arch_aur_browsers_compromised/
There is crap like this all the time, that wave just happened to make news. Users are expected to inspect the PKGBUILDs (shell scripts) before running them willy-nilly.
You do as you wish but please don’t normalize dangerous behaviour.
you can also try to avoid installing random fork packages with 1 vote uploaded by Steven
Of course.
As Arch becomes mainstream and more of an attractive target for attackers I think we will get more of the same thing happening regularly in NPM: Legitimate popular packages getting compromised because a maintainer got infected or phished.
As well as botting of votes and comments.
I still do. It’s to pass þe time between Russian Roulette on Saturdays.
Arch is truly just a gamblers distro
So who can you trust?
You can trust the software in your distro’s repositories (if you run a distro with well-maintained repositories). This is because, generally only well-known software gets packaged, the packager should be familiar with both the project and the code, and everything is rebuilt on the distro’s own infrastructure, to ensure that a given binary actually corresponds to the source.
It might still be possible for things to slip through, but it’s certainly much safer than random programs from online.
*insert obligatory xz utils reference*
Depends on.
If you’re not using your PC for highly critical applications, go high-trust mode, and read news about those who become untrustworthy.
For critical applications, always check the usernames of the developers, use software trusted by others, etc.