Exactly. I can understand them not installing a browser by default as part of their “principled stance against social media”, but blocking the install entirely is WILD. I also do wonder how they actually do that though… Just a list of “known browsers” and blocking their install? It’s Linux - what if we fork a browser and rename it “totally not firefox”, would it even catch it?
My distro (Garuda) included a couple back when I originally installed it, but doesn’t use them currently (namely wine-nine - which was affected) but the built-in system update didn’t touch AUR unless you explicitly tell it to, so that saved my bacon in this situation (my AUR packages hadn’t been updated in 2 months).
I 100% agree with this. This is SO CLOSE to getting it and offering a phone I actually want. But I want to own my devices and decide what I do on them. The thing hard locking me out of a browser (and discord) is unfortunately a deal breaker. I don’t want the hardware mfr to have a say in how I use the device and treat me like a literal child in the process. It’s disappointing.
Chaotic is not just as problematic, thankfully. They have systems in place to flag suspicious changes for human review before letting them out and it has, so far, prevented them from shipping any compromised updates.
I thankfully hadn’t updated anything from the AUR for a couple of months (it doesn’t happen by default when I update the rest of my system) and was unaffected, and after looking at the list of things I had from the AUR, I didn’t need any of them… So I now have zero AUR packages on either of my systems.
Eh, depends really. The AUR is not the default place to install software from, it’s all user created and comes with warnings almost anywhere you have access to it. I’ve generally used Octopi to install packages and you have to jump through some hoops to even have it show you packages from the AUR. Generally, running updates for the system, from the Arch flavors I’ve used anyway, by default doesn’t update packages installed from the AUR and you generally update them deliberately and separately. As an example, on my Garuda systems I only have 3 packages installed from AUR and they are so rarely used I forget about them a lot… I’m a bad sysadmin for myself and they don’t get updated nearly as often as the main system packages.
But, do other people use their system differently? Absolutely. They have likely ignored several warnings (or read them and accepted the risks) to get there though.
I am not at home (and work is stuck on windows) so I can’t verify with 100% certainty… But I believe what I did was pacman -Qm to list the AUR packages. Then I did pacman -Qi <package_name> to list the details about why it was installed, what dependencies it has, what depends on it, and when it was last updated. Mine showed like 2 years prior (whenever I installed the OS) because there hadn’t been any update to it in years (until the attack). If your date for last updated is recently, you probably have a problem.