yay v13 and the AURpocalypse | Keys and Craft
Jo Guerreiro

In yay v12, I did mention it might have been the biggest update in the last five years. It was the biggest update to yay's core, architecture and code. But this v13 release might be the biggest change in your experience with yay.

For a long time, I've wanted yay to become more extensible, easier to wrap for UI projects, and more friendly towards the people that I love: the tinkerers, the ricers, those who look at something and see the opportunity for missing beauty.

This is in tension with wanting to keep yay lean, unadorned and maintainable. Although every configuration option brings value, it also introduces a new surface for bugs, a new surface for edge cases and a new surface for maintenance.

So we come to extensible hooks. Not only the fire-and-forget type, but ones that can make a real change in experience. A lot of the changes in yay v12 related to pluggable interfaces and generic abstractions over AUR and repo packages had a singular goal in mind: gRPC plugins. A known pattern in the Go space, used in Vault, Terraform, Grafana... But they're cumbersome to set up, yay's own binary size also increased a lot from it, and when implemented they're usually big extensions, small monoliths shipped next to a big monolith, not small add-ons that can be shared and reused.

If there is one thing I've seen these past few days, it is that we have a community that wants to script. I've lost track of the bash scripts I've reviewed following the AURpocalypse. It turns out that for these types of automations we already have a great language and a framework of thinking around it: Lua and Neovim. What yay v13 brings are small extensible hooks in a language that is very pleasant (and I miss awesomewm, which was configurable in Lua).

AURpocalypse

It is not the AURpocalypse. The AUR is working within its established trust model.
Changes can be made to submission, popularity calculation and orphaned package adoption, but the Arch User Repository is a source of community-produced content, like GitHub or the latest AI coding harness that asks you to curl | sh something off its domain.

To all of the Arch Linux crew, thank you for taking time off your personal lives to mitigate the impact of this incident; your work is much appreciated and valued.

There have been many feature requests in yay's issue tracker following the incident, asking for package scanning (as with npm install yyy), delayed updates, maintainer change tracking...

The next wave of malware will come in another form, another delivery method, with all detection scanning fed into its generation cycle as "iterate until it is not detected".

To ensure releases of yay are well tested, have time to go through some community validation, and keep the core "I can install a package" minimal and intact, the release process will not be fast enough to keep up.

I want to avoid security theater: checks can help, but they should complement, not replace, build file review. That does not mean that we should not do anything against the threats we do know, or that we shouldn't make reviews easier.

This release is very much motivated by making it easier to review packages, and by automating some of the checks that can be done without human intervention.

Display PKGBUILD Last Modification Time

yay will now display how long ago the last modification of the PKGBUILD occurred. A package that has been recently modified is not a reason to avoid it, but it is a reason to be more careful and review the PKGBUILD before installing. Likewise, a package that has not been modified in a long time is not a reason to trust it, but it is a reason to be more confident that it has been reviewed by the community.
Thank you @rebelonion for this contribution.

yay -Ss brave
aur/pi-skill-brave-search-git r24.75d32a3-1 (+0 0.00) [18d13h]
    Pi coding agent skill for Brave Search web search and content extraction
aur/suave 2.0-1 (+1 0.00) [2805d5h]
    Sport Utility Assault Vehicle Extreme. Drive very small, but very brave tank.
aur/brave-extension-bitwarden-git 2026.2.0.r21100.g0f113e2-1 (+1 0.00) [94d22h]
    Bitwarden browser extension for Brave
aur/brave-beta-bin 1.92.120-1 (+55 0.44) [4d14h]
    Web browser that blocks ads and trackers by default (beta binary release).
aur/brave-origin-beta-bin 1.92.120-1 (+14 8.77) [4d15h]
    The minimalist browser from the makers of Brave (beta binary release).
aur/brave-nightly-bin 1.93.67-1 (+42 1.10) [6h17m]
    Web browser that blocks ads and trackers by default (nightly binary release).
aur/brave-origin-nightly-bin 1.93.67-1 (+20 10.69) [6h39m]
    The minimalist browser from the makers of Brave (nightly binary release).
aur/brave-origin-bin 1:1.91.172-1 (+20 17.41) [3d5h]
    The minimalist browser from the makers of Brave (binary release).
aur/brave-bin 1:1.91.172-1 (+1010 23.90) [3d5h]
    Web browser that blocks ads and trackers by default (binary release)
extra/python-adblock 0.6.0-5 (1.3 MiB 6.8 MiB)
    Brave's adblock...
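One way to compute and act on that age yourself, as an added Go example that is not yay's own code: the AUR RPC v5 info endpoint returns LastModified and FirstSubmitted as Unix timestamps and a null Maintainer for orphaned packages, and the block below decodes a constructed response (the package names, votes and timestamps are made up for the example), prints each result in the listing format shown above (the [NdMh] / [NhMm] rendering is inferred from that output, not copied from yay), and flags packages that were modified or first submitted within a caller-chosen window, or that are orphaned. The fixed sampleNow clock, the 7-day window and the flag wording are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// aurInfo holds the subset of an AUR RPC v5 "info" result used below.
// The JSON field names are the ones the AUR RPC interface returns.
type aurInfo struct {
	Name           string  `json:"Name"`
	Version        string  `json:"Version"`
	NumVotes       int     `json:"NumVotes"`
	Popularity     float64 `json:"Popularity"`
	FirstSubmitted int64   `json:"FirstSubmitted"` // unix seconds
	LastModified   int64   `json:"LastModified"`   // unix seconds
	Maintainer     *string `json:"Maintainer"`     // null when orphaned
}

type aurResponse struct {
	Type    string    `json:"type"`  // "multiinfo", or "error" on failure
	Error   string    `json:"error"` // set when Type == "error"
	Results []aurInfo `json:"results"`
}

// sampleNow is a fixed "current time" (assumption) so the output is reproducible.
const sampleNow int64 = 1800000000

// sampleInfo is a constructed RPC response; package names, votes and
// timestamps are illustrative, not real AUR data.
const sampleInfo = `{
 "version": 5, "type": "multiinfo", "resultcount": 3,
 "results": [
  {"Name": "example-browser-bin", "Version": "1:1.91.172-1", "NumVotes": 1010,
   "Popularity": 23.90, "FirstSubmitted": 1500000000, "LastModified": 1799722800,
   "Maintainer": "someone"},
  {"Name": "example-nightly-bin", "Version": "1.93.67-1", "NumVotes": 42,
   "Popularity": 1.10, "FirstSubmitted": 1600000000, "LastModified": 1799977380,
   "Maintainer": null},
  {"Name": "example-old-tool", "Version": "2.0-1", "NumVotes": 1,
   "Popularity": 0.00, "FirstSubmitted": 1557630000, "LastModified": 1557630000,
   "Maintainer": "someone"}
 ]
}`

// parseInfo decodes an info response and surfaces RPC-level errors.
func parseInfo(raw []byte) ([]aurInfo, error) {
	var resp aurResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, err
	}
	if resp.Type == "error" {
		return nil, fmt.Errorf("aur rpc: %s", resp.Error)
	}
	return resp.Results, nil
}

// formatAge renders an age the way the listing above does: "NdMh" once the
// package is at least a day old, "NhMm" below that. The format is inferred
// from the sample output; yay's own formatting code is not reproduced here.
func formatAge(d time.Duration) string {
	if d < 0 {
		d = 0 // clock skew between client and server: never print a negative age
	}
	mins := int64(d / time.Minute)
	days := mins / (24 * 60)
	hours := (mins % (24 * 60)) / 60
	if days > 0 {
		return fmt.Sprintf("%dd%dh", days, hours)
	}
	return fmt.Sprintf("%dh%dm", hours, mins%60)
}

// renderLine mimics one search-result line: aur/name version (+votes pop) [age].
func renderLine(p aurInfo, now time.Time) string {
	age := now.Sub(time.Unix(p.LastModified, 0))
	return fmt.Sprintf("aur/%s %s (+%d %.2f) [%s]", p.Name, p.Version, p.NumVotes, p.Popularity, formatAge(age))
}

// reviewFlags lists reasons to read the PKGBUILD before installing. The
// window is a caller-chosen assumption; a flag is a prompt to review, not a
// verdict on the package.
func reviewFlags(p aurInfo, now time.Time, window time.Duration) []string {
	var flags []string
	if now.Sub(time.Unix(p.LastModified, 0)) < window {
		flags = append(flags, "modified recently: review the PKGBUILD diff before installing")
	}
	if now.Sub(time.Unix(p.FirstSubmitted, 0)) < window {
		flags = append(flags, "new package: no history for the community to have reviewed")
	}
	if p.Maintainer == nil {
		flags = append(flags, "orphaned: any AUR user can adopt it and push changes")
	}
	return flags
}

func main() {
	pkgs, err := parseInfo([]byte(sampleInfo))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	now := time.Unix(sampleNow, 0)
	for _, p := range pkgs {
		fmt.Println(renderLine(p, now))
		for _, f := range reviewFlags(p, now, 7*24*time.Hour) {
			fmt.Println("    !", f)
		}
	}
}
```

Run it with go run on the file and it prints the three constructed results with their ages and flags. Two caveats apply to any tool built on this: LastModified only says that the package base changed, not what changed, so the follow-up is a diff of the PKGBUILD and any files it sources against the version you last reviewed; and the age is relative to the time of the query, so a package that looked quiet when you queued it can have been pushed to by the time you build it.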