could get a dodgy maintainer putting malware in it, as least theoretically.

Yes, that could be possible. But this has nothing to do with the type of application you want to get from the AUR.

It’s actually quite easy, because none of the PKGBUILD files are actively checked before publishing them, neither are the programs that are built from them or the packages that you install.

PKGBUILD files are basically shellscripts. Authors can do whatever they want in that scripts. If they want to run rm -rf /*, no-one is stopping them.

This is why you always should read the whole script before running makepkg and examine the ./pkg directory’s contents after you did and before installing the package.

No one’s job is to screen PKGBUILD of AUR packages so it’s technically not safe to use them. That being said the large community is keeping an eye on these packages and, while problems are not fully preventable, malicious stuff are caught pretty quickly.

So, to contrast with my first statement, one could argue that it’s mostly safe to use AUR. That’s even more true for packages used by a ton of people because issues/risks will be flagged almost immediately should they ever exist. That’s the case for browsers, especially when developers themselves offer an AUR package (like Librewolf: https://librewolf.net/installation/arch/).

Packages from the AUR basically do what is written in the PKGBUILD and install script so that’s why everyone will instruct you to learn about that before installing AUR packages with an helper. That’s too much for some people though and at the end of the day you also have to trust the person who wrote the source code and which is compiled locally.

Nothing is 100% safe. I personally have 96 AUR packages installed because there’s no other packages available (this includes stuff like my windows manager, python tools, 3D slicer, web browser…).

Do you know how to install without a helper? Go through the wiki and build the package for a couple apps and then uninstall if you like. I don’t know everything that’s going on, but I can somewhat tell if it doesn’t seem crazy. If you get a component that looks strange, just look it up on the AUR or official repos.

Yes, there’s more risk in the AUR than “official”, but the AUR is one of the greatest parts of arch. I’d the app you’re installing seems active with comments and users, I bet you’re fine.

There’s a lot of people out there doing this waaaaay smarter than me. If it got past all of them too, then I probably never stood a chance to avoid whatever it was. I also understand malware on the AUR to be very uncommon. I happened 1x in something like the last 5-10 years and was discovered and down in under day. (I could be remembering wrong).

I’d also say think a bit. If you find “the official Firefox” first posted today with no comments and a link to some Eastern European language wish-looking version of Git….i mean download that shit. Add to root users group and save the password! * if you don’t know where the last part got sketchy and sarcastic, you may want an os with more guardrails.

Basically you’re asking if it’s safe to install anything from AUR, and there are answers to that aplenty.

There’s always a security risk, however if you are referring to librewolf from the AUR I would say it’s “safe”?

It has 160 votes and a popularity of 14.73* which means there’s a good chance someone more capable then we are, already looked at the PKGBUILD.

That’s not a 100% proof of reliability but it’s a good pointer to a healthy AUR build.

*The bin package has even more votes and popularity. It’s the recommended way, because the other package compiles from source and can take a long time !

Very confusing phrasing, but are you just talking about the stock Arch package repo? It’s as safe as I stalling the OS in the first place. The browser is as much a risk as any other package you’ve already installed from the main repo.