With the recent AUR supply-chain attack that compromised over 400 (and possibly up to 1,500) packages, I’m seriously considering switching distros. Attackers took over orphaned packages and modified PKGBUILDs to pull in malicious npm dependencies like atomic-lockfile, which deployed credential-stealing malware and even eBPF rootkits. The fact that the trusted packages themselves didn’t look malicious makes this especially concerning.
Like many Arch users, I’ll admit I don’t carefully read every PKGBUILD before installing from the AUR. The official recommendation has always been to review them manually, but realistically, who does that for every package? This incident made me realize I’ve been relying on trust rather than vigilance.
I’ve been on Manjaro for years specifically because of the AUR’s vastness, but this attack directly undermines that selling point for me. I ran the Distrochooser to see what else is out there, and it strongly recommended openSUSE as my top match: https://distrochooser.de/en/d5b4e0067841/
For those who’ve made the jump from Arch/Manjaro to openSUSE Tumbleweed (or Leap): How was the transition? How does the OBS compare to the AUR in terms of package availability for niche software?
I tried OpenSUSE, none of the software I wanted to install worked. It’s just too unpopular.
Fedora with RPM Fusion is probably a better bet.
The community-led Terra repository is also worth mentioning in this context.
I wonder if openSUSE has any third party repositories worth mentioning.