package safety has been asked in Forum before ^^ and has multiple opinions about ‘is it safe’. I wouldn’t waste your time with a safety question as I’ve made up my mind (and had to run the binary for a work meeting).
yay -Si webex-bin
...
Out-of-date : Thu 29 Jun 2023 02:27:19 AM MST
Had to install for work. I think it’s safe and I can live with this. But what does ‘out of date’ message mean? Developer bailed? Or is 2 months with no updates when it’s designated in AUR as ‘out of date’? Or can they be flagged for any reason? Or the AUR self-audits?
Just curious what ‘out-of-date’ should mean to the person who is considering installing an app. This is transparently being asked with post-install hindsight on my part.
thanks
From my understanding it means it is not up to date with the latest version upstream. I just had a look the AUR version is 43.5.0.26155-1 and the upstream version is 43.7.0.26612
You can see what has changed here
It means that a member of the community flagged it as out of date. In most cases, that usually means that it does, actually, need updating. However, occasionally packages may be flagged out of date wrongly.
thank you also. hate to choke up bandwidth with my overthinking. just new and getting my footing. this just simply means the maintainer has not kept up with the new version. The flag is just someone letting others know. All good.
Every AUR package has a page at https://aur.archlinux.org/; you can search for any AUR package from there. On a package’s page, you can check for comments (this can be very handy), and you can also see exactly why a package has been flagged out-of-date:
I’ve seen the AUR package page, but did not see they catalogued the flagged.
A failed checksum seems different than an out of date package…but maybe that’s the limits of what I know?
All the same I am happy to part of a constantly self-auditing community. When you are on the outside looking in (noob) you do hear a lot AUR chatter. [Re: your avatar. When Moe told Marge they could share a bed “but I want you to know, I sweat blood” that may have been one of the best least-quoted Simpson’s lines. That’s not saying “I need Amanda Hugenkiss” isn’t a brilliant line….]
If the package installed OK for you, then I would assume that the flag is not pertinent. On the other hand, there does appear to be a newer version (as noted by @smokey above) - but that isn’t why it was flagged.
So the ‘out of date’ flag is an all-purpose warning flag, going by your picture? There is no ‘checksum problem’ flag. If all that is true then I will visit the AUR page next time I see out of date (on an AUR package). It’s always in the details I’m learning. Thank you.
Yeah, if you click on the red “Flagged out-of-date (xxxx-xx-xx)” note, it will give you the details of why it was flagged. In this case, it would appear that the person who flagged it was, shall we say, a bit incorrect…
If you read the pinned comment from the package maintainer, it says:
If the checksums do not match with the downloaded files, Cisco may have updated the Webex package. Please simply click the “Flag package out-of-date” link at top of the page and I will update the package as soon as possible.
But, since the package installed with no problem for you, and the package was last updated before the flag, I would think that the flagger simlpy made a mistake.
Whether it is safe or not depends on the actual package and its depencencies. Maybe a critical security vulnerability was fixed in the latest update? Or perhaps a new version exists but it’s not yet updated in the AUR, and the user who flagged it wants to let the package maintainer know that it ought to be updated. Who knows…? You have to be the judge of that when you install each package from the AUR.
Always check the comments, check the PKGBUILD, be curious before you type yay…
yay -Syu --aur
:: Searching AUR for updates...
-> Flagged Out Of Date AUR Packages: ungoogled-chromium-bin webex-bin zoom
there is nothing to do
these are my only 3 AUR packages outside of freetube and my print drivers. I selected the most popular/most downloaded packages of the proprietary zoom and webex.
It’s been about two full days that those three have shown ‘out of date’ but the webex had been there since my first post.
my two Newb takeaways:
this is normal and how you have to roll sometimes with AUR stuff
and
package maintainers work for free so it should be fixed soon when they can find the time.
You need to consider how long a package has been out of date and what it is.
That webex client has been out of date for 2 months. That isn’t normal. It is probably also fairly high risk. I think it is questionable to continue to use it.
Ungoogled-chromium was only marked out of date a few hours ago and zoom yesterday. That is pretty normal.
—that’s strange re: your timeline. My yay output has looked like that since yesterday morning (those 3 packages) if not the night before yesterday morning. Unless you are seeing second time flagged, if there is such a thing?
Regardless, I should consider almost two months an anomaly too, don’t need that kind of risk. Webex is getting yanked after I hit the reply button here.
I will monitor the other two, Thanks for the heads up.
PS Dalto—is my criteria of selecting an AUR package by downloads and likes…is that valid at all? Or are there other factors to consider?
Hmm…votes and popularity give you a rough idea of how popular a package is. It is reasonable to assume that a more popular package has more eyes on it than a less popular package.
However, it doesn’t have much meaning in an absolute sense. Really, you should choose the package you actually want and then review the PKGBUILD and other files to determine if you are comfortable with it.
Here is some good information about how to review a PKGBUILD:
If an AUR package is very popular, and it has been at least a few days since the last update (on the AUR, of course), and there is nothing strange in the comments on the AUR page, it is probably safe. If it weren’t, somebody would have probably noticed something. That’s pretty much the only case where one can rely on a popularity of a package.
On the other hand, if a popular package has been orphaned recently and taken over by somebody else, you should be extra cautious. In that case popularity might actually be a risk.
In the end, inspecting the PKGBUILD (and any other file in the package) is the only way to be sure.
I read a brief PKGBUILD guide when I first installed Arch and I have to re-read it. It went something like ‘to inspect an AUR package, crack open the .yaml and be wary of code with a lot of AWKs and DELs and a bunch of other stuff’—I’m sure that’s simplified. Is inspecting the yaml sound right?
I will get on teaching myself to do this. Thank you Dalto, too, I think this is a valuable habit. I want to Arch the right way.
.