Last night while updating my system, I noticed that a random aur package my system depends on was orphaned in the aur. It’s some random deep-down dependency of another AUR package, and it’s not received any upstream commits in a while. Nice and stable, just needed an owner. I decided to adopt the package before someone else did.

It was kinda scary how simple it is to adopt an orphaned package. Create AUR account… click an email link… Done. If someone wanted to squat the package for malicious purposes, it would be stupidly simple.

I get that this is a problem for all community repos, not just AUR (npm, anyone?), but it’s still an unsettling prospect. I feel like it goes unacknowledged some times.

  • @[email protected]
    link
    fedilink
    English
    91 year ago

    This is the main reason that one should learn to read PKGBUILDs. Any AUR helper like Yay or Paru should give the option. Just make sure that the package downloads from an official source and contains only the necessary build and install instructions.

    But I agree. Some people treat the AUR as just another repository, when it most definitely is not.

    • @[email protected]
      link
      fedilink
      English
      41 year ago

      This is something that I still need to learn about. What is a good starting point to learn how to read them?

      • @[email protected]
        link
        fedilink
        English
        21 year ago

        First, you should be familiar with the basic process of compiling and installing software from source. For C or C++ projects, this can be as simple as ./configure, make, make install for projects that use GNU Autotools, or something like cmake -B build, cd build, make, make install for CMake projects.

        I generally split PKGBUILDs into three important parts. There’s the metadata at the top then there’s the build and package functions. build is where everything up to the make (or equivalent build-the-thing) command goes and package is where the make install bits go.

        There’s also the prepare and check functions, but those aren’t used as often.

        As for the actual documentation, the Arch Wiki page for PKGBUILD covers most of the metadata stuff and the page for Creating Packages covers most of the build and package stuff.

      • @[email protected]
        link
        fedilink
        English
        11 year ago

        It’s a shell script. Somebody wrote down the shell commands to download, extract, compile from source code. If you can do shell stuff then you’re about 1/2 way there. If you’ve ever manually compiled from source code then you’re all the way there pretty much.

        It’s quite simple since there isn’t any other abstraction to learn than what many Linux users already know. Shell commands and compiling stuff.

        Probably the one thing that might be foreign is variable and functions of shell scripting.

  • 𝘋𝘪𝘳𝘬
    link
    fedilink
    English
    51 year ago

    This is why you always read AUR comments and package file before installing anything from the AUR.

  • The Doctor
    link
    fedilink
    English
    51 year ago

    It’s pretty clearly stated on the front page of aur.archlinux.org: “DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.”

    Warnings about AUR packages being potentially dangerous have been around since the days of IRC. Scary, reason to take pause, but also not new.

  • @[email protected]
    link
    fedilink
    English
    31 year ago

    I think that’s kind of the point of the AUR. It’s much easier to get into the AUR so we have all of these packages available, but you have to be a bit more careful than you would be with official repos.

  • @[email protected]
    link
    fedilink
    English
    21 year ago

    It’s important to actually read what’s in the packages. The AUR saves me time installing that I can use up front confirming.

    • @BrynB
      link
      English
      1
      edit-2
      1 year ago

      deleted by creator

  • @TheCraiggers
    link
    English
    21 year ago

    It’s only scary if you think the AUR is inherently trustworthy. It’s not, and every piece of official documentation and various wikis make it abundantly clear it’s not. (If you see somewhere that doesn’t point it out or edit it so it does.)

    The AUR is barely better than pasting J Random Hacker’s ‘curl http://foo | sudo bash’ code you see somewhere to install something. And that’s only because at least the AUR makes it easier to inspect what’s about to run and what changed.

    • @nomadjoanne
      link
      English
      11 year ago

      Yup. If I want to install something “app-like” and it isn’t in the main repos I tend to go with the flatpak over the AUR for that reason.

  • @[email protected]
    link
    fedilink
    English
    1
    edit-2
    1 year ago

    This is one of the reasons I don’t recommend Arch to people. Too easy to get owned if you don’t know what you’re doing.