npm, yes. Snap and flatpak? No. I’m not saying it’s impossible to get malware. The difference is that snapd and flatpak have various levels of process isolation that largely mitigates any potential issues.
The argument isn’t “Linux doesn’t have malware”, the argument is “you don’t need to run antivirus on Linux”. Those are two very different things.
Not even the best antivirus will protect you completely, at that point you need good computer hygiene.
Eh. Flatpak has the option for process isolation, but it kinda works similarly to how android apps have default permissions set and the packager can just go “nah, this gets FULL permissions” and unless you go look and change it yourself, the program isn’t restricted at all. I don’t use ubuntu/snapd so can’t speak to that.
There are more protections on flathub than the AUR for sure - the AUR is closer to just downloading random shit off the internet than a true repository. That said, it’s crazy to assign the vulnerabilities of the AUR to Arch as a whole… The Arch repos proper (and even Chaotic AUR) didn’t have problems during any of this.
Flatpak has the option for process isolation, but it kinda works similarly to how android apps have default permissions set and the packager can just go “nah, this gets FULL permissions” and unless you go look and change it yourself, the program isn’t restricted at all.
You’re not wrong, but even with the AUR it’s (last I checked/heard) a problem with orphaned packages being picked up by random users, and then a “new” PKGBUILD with the malicious bits getting uploaded.
The reality is that even if everyone just blindly updated through yay this whole time, very few people would be affected because the number of orphaned packages installed is very low. The package managers tend to bug you about orphaned packages.
The difference with Flatpaks and the Snap Store is that you can’t just take ownership over an abandoned project. You’d have to create your own. And since Canonical is in charge of the Snap Store, they’re quick to react to any sort of security issue.
the AUR is closer to just downloading random shit off the internet than a true repository
Ultimately that is what it is. Because some packages are grabbing files from just about anywhere.
The Arch repos proper (and even Chaotic AUR) didn’t have problems during any of this.
And that’s really the key. The AUR is bleeding edge with “here be dragons” philosophy. Like I said in my previous comment, if you can’t accept those dangerous (work computer, sensitive data, etc) then simply don’t use Arch.
If you use snap, or flatpaks, or npm, or anything like that you run the same risks.
npm, yes. Snap and flatpak? No. I’m not saying it’s impossible to get malware. The difference is that snapd and flatpak have various levels of process isolation that largely mitigates any potential issues.
The argument isn’t “Linux doesn’t have malware”, the argument is “you don’t need to run antivirus on Linux”. Those are two very different things.
Not even the best antivirus will protect you completely, at that point you need good computer hygiene.
Eh. Flatpak has the option for process isolation, but it kinda works similarly to how android apps have default permissions set and the packager can just go “nah, this gets FULL permissions” and unless you go look and change it yourself, the program isn’t restricted at all. I don’t use ubuntu/snapd so can’t speak to that.
There are more protections on flathub than the AUR for sure - the AUR is closer to just downloading random shit off the internet than a true repository. That said, it’s crazy to assign the vulnerabilities of the AUR to Arch as a whole… The Arch repos proper (and even Chaotic AUR) didn’t have problems during any of this.
You’re not wrong, but even with the AUR it’s (last I checked/heard) a problem with orphaned packages being picked up by random users, and then a “new” PKGBUILD with the malicious bits getting uploaded.
The reality is that even if everyone just blindly updated through yay this whole time, very few people would be affected because the number of orphaned packages installed is very low. The package managers tend to bug you about orphaned packages.
The difference with Flatpaks and the Snap Store is that you can’t just take ownership over an abandoned project. You’d have to create your own. And since Canonical is in charge of the Snap Store, they’re quick to react to any sort of security issue.
Ultimately that is what it is. Because some packages are grabbing files from just about anywhere.
And that’s really the key. The AUR is bleeding edge with “here be dragons” philosophy. Like I said in my previous comment, if you can’t accept those dangerous (work computer, sensitive data, etc) then simply don’t use Arch.