• baseless_discourse
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    7 months ago

    I stay away from AUR because it is completely unsandboxed and unmonitored.

    To be fair, I don’t believe flathub is constantly monitored, but at least it is (somewhat) sandboxed, if I set everything up in flatseal.

    I have recently replaced my final .tar.gz app (git-credential-manager) with the builtin github extension of codium, and removed my final two ostree overlay with flatpak sdk extensions.

    I am now happy (except I can no longer gpg sign my commit… https://github.com/flathub/com.vscodium.codium/issues/105 )

    • derpgon@programming.dev
      link
      fedilink
      arrow-up
      2
      ·
      7 months ago

      I mean, there are two options: You either don’t have the technical knowledge or time to install it yourself and thus you’d are fucked, or you don’t have the technical knowledge to read through the AUR and make sure it is safe and you could be fucked.

      Or, a third option for the gurus: You build it yourself, but then you might aswell read through AUR and save yourself time.

      • baseless_discourse
        link
        fedilink
        arrow-up
        2
        ·
        7 months ago

        Ideally you would install app directly from the app developer, who you are trusting by using their app; or your distros maintainer, who you are trusting by using their OS.

        The use of AUR and/or unverified flathub app adds an additional person to trust, that is the person packaging these apps. flathub is slightly better as the app is sandboxed, so the damage they can cause is confined.

        Unfortunately, AFAIK, there is no store for sandboxed command line apps, this is one of the reason I like to minimize my command line usage. So that I don’t need app that isn’t packaged by my distro maintainer (like oh-my-zsh) to improve my cli experience.