After Recent AUR Security Scare, Yay 13.0 Adds New Review and Automation Features

Yay 13.0 adds Lua hooks, PKGBUILD age visibility, and new automation tools following recent concerns over AUR package security.

Yay 13.0 has been released as a major update to the popular AUR helper for Arch Linux, following a recent AUR security incident involving malicious packages.

Importantly, the update does not alter how the AUR functions or guarantee package safety. Instead, it provides users with additional tools to inspect, filter, and automate the review process before installing or upgrading packages.

A key addition is the display of PKGBUILD last-modification times. Yay now shows how recently an AUR package’s PKGBUILD was modified in search results, yogurt, and upgrade menus. While recent changes are not inherently suspicious and older ones are not necessarily safe, the timestamp offers users another factor to consider during review.

For example, yay now displays age markers, such as hours or days since the PKGBUILD was last updated, when searching or upgrading AUR packages. A notably relevant feature, given recent security concerns, as users are paying closer attention to package changes and maintainer activity.

Yay 13.0 AUR Helper
Yay 13.0 AUR Helper

Another major change in yay 13.0 is support for Lua configuration. Yay can now load an init.lua file from $XDG_CONFIG_HOME/yay/init.lua, typically ~/.config/yay/init.lua. Existing config.json files remain supported, but Lua configuration can override these settings. Command-line flags continue to take precedence.

Moreover, one new hook, UpgradeSelect, runs during yay -Syu after upgrades are calculated and before the package exclusion menu appears. It can automatically exclude specific packages from upgrades, such as AUR packages with recently modified PKGBUILDs.

Yay 13.0 also introduces AURPreInstall and AURPostDownload hooks. AURPreInstall runs after PKGBUILD repositories are fetched but before clean, diff, edit, or build steps, making it useful for checks based on PKGBUILD content. AURPostDownload runs after makepkg --verifysource, allowing hooks to access both the PKGBUILD repository and downloaded source files before installation proceeds.

The release also exposes additional package information to hooks, including AUR package maintainer data, and adds support for search-filter and post-install hooks. These features allow users to create custom checks for recently changed packages, maintainer changes, new submissions, source URLs, or other metadata.

Yay maintainer stated the goal is to avoid “security theater,” noting that automated checks are helpful but should not replace human review of build files.

For additional details, see the changelog or the release announcement. Yay 13.0 is now available as an update in the AUR for Arch users.

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

9 Comments

  1. Mike

    I stepped out of the idea, to install an Arch base bistro on my son’s computer and on mine, in order to be able to support him. It is just an unnecessary risk. In my opinion the AUR is a major design flaw. It installs unsafe stuff in an uncontrolled environment. Either AUR gets some serious safety check points or a method is implemented that automatically forces all AUR stuff inside closed sandboxes. Until then, Arch is no reasonable choice for people, who do not exactly know, what they are doing

  2. Empatheon

    Stop moaning about ordinary dangers of a world, you pitiful crybabies and man up.

    Considering all that mess, suprisingly, I like what I see. If AUR is being targeted by scammers, lowlife elements of cyber-society it means there is real, dirty life here, on Arch-based distributions. If they do bother to try ripping us off, it means Arch is bustling and reached scale of a city with its developing underground. AUR reached maturity and established its red light district. Cool sociological phenomenon, if you ask me!

    Finally, we can end with naive utopist stances on Linux, illusions of grandeur when it comes to security and GNU temple-like attitudes towards system building. Real life will never be so polished, aesthethically pleasing and bound to some rules of software philosophy. And it shoudn’t try to be. Life is hustle. Life is life.

    This AUR crisis doesn’t need lamentations on spoiled milk. Since AUR is community driven, it needs proper reputation system for packages, so we could have better danger/risk evaluation in clear framework. There should be tiers for software. Gold standard for packages that were verified in audits, lower tier for packages that weren’t checked by pros, but never seem to pose any problems, limbo or purgatory for packages that were harmful in the past, but now are trying to become clean and outright harmful malware in the bottom, waiting to get banned from AUR.

    AUR needs its own Tomatometer for ordinary users and audit review and final score with tier information for package needs to be seen in pamac, yay or whatever you’re using for installing stuff from there, so you could get more informed risk evalution made from previous users experiences. And if you still want to disregard warnings, then it’s up to you.

    1. Steve Nordquist

      You’re really hanging first comers out to dry as if there’s an immune system in play, or everyone has time to incubate random patisserie goods in a vm for a week and play around with honeypot scripts and splunk. Yasa digu Archuser McEdge.

      1. Empatheon

        Maybe you’re right, but I don’t consider Arch-based distros as well suited choice for Linux first comers. If you’re invested in using cutting edge rolling release OS, you should be aware you can cut yourself in a process anyway. Sometimes cutting edge turns itself into bleeding edge. That is not everyday experience, as usually fast track of software development will jump a shark and makes you possibly least vulnerable to some threats, but on the other hand you’re risking with less stability. It’s obvious trade-off you should be aware, no matter if you’re noob or pro.

        “Anything goes”, being open and letting users do with their systems what they really want is best strategy for mostly experimental rolling releases, especially if we want to draw in new people. Some will die or will burn themselves when playing with fire, but at least others will learn on their mistakes.

        That doesn’t mean I think that when assuming that Darwinian attitude, we should allow ourself of general negligence and letting others in harm’s way blindly. No. Quite opposite. While harm is real possibility and people should be aware of that, anyone should make own educated guesses to avoid it or warn others, if first option failed.

        Right now, I guess people tend to hold stereotypical opinion on AUR as useful repository of software made by untouchable Linux magicians who know their stuff, who are either payed pros in big IT enterprises for whom AUR is toolkit shed in backyard or neckbeard weaponized autists without social life and that alone should guarantee that software they create is impeccable. And of course: this is all open software so it should be better quality as such, so we should not worry.

        I think while stereotypes may hold some truth, they aren’t whole truth and since AUR is community-made, you can expect software made by a cross-section of modern society, by people of different backgrounds, with varied coding skills or IT knowledge, with some probably learning on the go. So the fact we can find certain packages in AUR won’t make them equal when it comes to quality. I think that is obvious.

        And from that reason alone, AUR should have reputation system for software and by proxy: for package maintainers. Orphaned packages after finding new custodians shouldn’t hold their reputation. I think after XZ crisis and now AUR malware mass bombing that should be obvious as well.

        AUR of today is market square without gallows, guillotine or pillory, so good Linux people with pitchforks and torches have no incentive for finding a software making witches. They also can’t make much commotion on that market square to draw attention of more professional inquisitors, who could make security audits and clear reputation of wrongly suspected or condemn them.

        If people don’t exchange their opinions on software quality, because all software is treated as more or less equal, they won’t achieve awareness, which is needed anyway, if they want to use cutting edge rolling release with a greater margin of safety.

        Don’t be disappointed with AUR users and their habit of mindlessly clicking through pamacs and yays, just as Windows users want to click through some random software installations, because that mindlessness is affirmed by current information standard of AUR packages that contains only meaningless popularity vote number, that won’t differentiate between quality or security rank of software, that could spark some feuds, but also help to peak interest around packages that could be overlooked without that chance to pick them out and put to spotlight earlier.

        If there are no gallows, guillotine or pillory, there will be no spotlight. There will be no reason and incentive to differentiate between those who should be deemed for punishment or absolution. There won’t be buzzing discussions about justice within judgment or lack of thereoff. Only more silent acknowledgment of false equality of all software. False presumption of security without sane reasoning about possible software notoriety that can vary.

        Of course, you can go both ways. You can try to force AUR into being heavily censored centralized elite repository closed to any anonymous nobodies, but then you risk organic growth of Arch distributions and turn them into more sheltered enviroments for their users. In the longer run risk avoidance makes people dumb and even more negligent, as lack of danger demobilizes them from dealing with it and planning precaution.

        I don’t mind some danger, that will put me on some learning curve. If not latest AUR malware incident, I would not install BPF tools to check if I’ve got some rootkits on my system and would not getting acustomed to methods of interpreting if my system is clean or not. I did all that after getting inconclusive reports after running aur-malware-check. Not because I’m invested in taking first steps of becoming IT security nerd and expert on Linux rootkits, just to satisfy my curiosity and put doubts aside. Now I can plan to do these checks on monthly basis just to be sure no PKGBUILD surprises will await my system after next AUR updates. So within my boundaries of skill, knowledge I do something to keep myself away from the danger. But if that danger would not arise, that wouldn’t motivate my lazy ass to learn something new.

    2. Josef

      Thank you very much—I couldn’t have described it better myself. Yes, Arch and its derivatives are doing well; the number of users is growing, and that bothers “some people” and causes them harm.

  3. Peter

    AUR is the best community repository. The only thing that spoils it are the people who are bothered by the fact that it exists at all. Unfortunately, there are more and more of them these days. It’s a good thing that everyone uses it at their own risk. Even ppa and flathub can be malware infected!

    1. Steve Nordquist

      Yeah, but I don’t -want- infected sources. When I shop for bread I don’t throw raw grain infected by ergot in for body and fake MAHA points. If you do, that’s jail.

  4. Rick

    I will never use aur since it will continue to be a major security concern and is not worth the risk. They need to get rid of it since there are much safer options.

  5. Josef

    Great news

Leave a Reply

Your email address will not be published. Required fields are marked *