Hacker News
Ask HN: is anyone else leaving AUR?
- Category: Pulse
- Status: discussion
- Sources: LWN analysis, Arch Linux incident notice, Ask HN
- Summary: LWN published a detailed analysis ("AURpocalypse now") of the multi-wave AUR malicious-package campaigns on 2026-06-19, and a separate Ask HN thread asks whether users are moving off the Arch User Repository. Together they reflect practitioner trust erosion following the supply-chain incident tracked since 2026-06-11.
- Comments: The LWN write-up walks the orphaned-package adoption vector and the PKGBUILD npm-install payload mechanism; HN commenters weigh AUR helpers' trust model against vetting binary repositories.
- Why it matters: Sustained distrust of a community package source pressures distribution maintainers on orphan-package adoption and review policy.