KDE Linux Drops AUR

Jun 04, 2026

KDE Linux developers have dropped the Arch User Repository from the build pipeline due to security concerns; other distributions should consider doing the same.

For many, the Arch User Repository (AUR) has given Arch Linux (and its children) a huge boost in available software applications. The AUR serves as a community-driven software repository that allows users to share, build, and install applications that aren't found in the official Arch repositories.

The biggest problem with the AUR is that it's unvetted, which has led to poorly written apps, broken scripts, developer exclusion, a fragmented community, and (even worse) malware.

Now, to be clear, the KDE Linux developers have dropped the AUR in the build pipeline, which doesn't preclude users from using it.

"AUR has a substantially lower level of security than the packages in Arch's main repos. Malware has been discovered in AUR packages multiple times recently," Nate Graham, KDE Plasma Developer, stated in this work items post. He continued, "AUR has occasional downtime, and this blocks the packages pipeline, which means people who depend on git master staying current end up with stale content. The last outage lasted multiple days, from 2025-08-12 through 2025-08-15."

Graham also noted that the AUR violates the "no packaging knowledge required to develop it" and breaks distro agnosticism.

The AUR has been problematic for some time now. In highly publicized supply-chain attacks, bad actors uploaded malicious packages impersonating legitimate software (like browsers or google-chrome-stable). The Chrome instance installed CHAOS Remote Access Trojan (RAT) on unsuspecting users' systems.

The AUR is like playing a game of dodgeball: It's not a matter of if but when that red rubber ball is going to smack you in the face. If you are going to use AUR, then consider adopting these practices: Check the PKGBUILD script, as it dictates where the software is downloaded from (and what commands are executed), check the source=() array and ensure the links point to an official upstream website or GitHub repository, verify that checksums (e.g., sha256sums) are included, and look out for unfamiliar commands that are run as root and check any/all install scripts for malicious hooks.
 
 

 
 
 
 
 
 

Related content

  • Arch Linux

    If you’re looking for a fast, stable system without the GUI goo, try Arch Linux.

    more »
  • Arch Installers

    Arch's manual installation maximizes flexibility and teaches you about your system, but if you're in a hurry, you might want to try a Live installer like Architect Linux or Arch Anywhere.

    more »
  • Understanding Arch

    Arch is one of those Linux distributions that everyone knows about but few know well. Now is the time for a closer look.

    more »
  • This Month's DVD

    Manjaro 21.3.7-220816 and Arch Linux 2022.10.01

    more »
  • News

    In the news: openSUSE Joins End of 10; New Version of Flatpak Released; IBM Announces Powerhouse Linux Server; Plasma Ends LTS Releases; Arch Linux Available for Windows Subsystem for Linux; System76 Releases COSMIC Alpha 7; OpenMandriva Lx 6.0 Available for Installation; and TrueNAS 25.04 Arrives with Thousands of Changes.

    more »
comments powered by Disqus