AUR PKGBUILDs

But it’s like having to learn so many different languages. I’m currently learning JS :woozy_face:

1 Like

You don’t - you stick to the repo packages. :wink:

3 Likes

Okay. So I’m still fine to use them then. If I need any clarification I will ask here for assistance. I will actually learn shell scripting but I don’t wanna learn multiple languages at the same time.

No worries, we all start somewhere.
But like I’ve said it’s the only 100% way to be sure, and not rely on someone else’s judgement…

I think you’ll find (over time) that computer languages are easier to learn than human ones! After all - there is a limited number of things they are trying to do - which helps…

2 Likes

Thanks guys I’m glad I asked. You guys are awesome. But still I should prolly go and ask on Arch forums too :rofl:

Edit: Relax just kidding

1 Like

Be aware (be VERY aware) that the answer may well include RTFM (read the “fine” manual) or at best a link to the Arch wiki… :grin: Try the questions here first!

2 Likes

I was kidding, I should have put an /s there. I have never participated in a forum this much in my entire life. Well, not participate, I mean ask many questions. :grin:

Thinking of asking there gives me the same feeling that I get when I look down from 50 storey building.

@keybreak and @freebird54 have solved my problem but I can’t decide which solution to choose :face_with_raised_eyebrow:

Hmm - undecided fits as name then?? :smile: Don’t think it matters…

2 Likes

Lmao! well when I first created this forum account it was meant to be a throwaway account. So I didn’t even use my real email address and had the username jonny (Just came to my head at the time). Now that I’ve spent time here I have decided to stay. But I haven’t decided on a username yet.

I was thinking of creating a new account and asking a mod to anonymize my account so the actual content remains.

Edit: You are a mod! Reckon you can do it for me?

The AUR is one of the safest ways to install software, just because it is so transparent. But it does not tolerate just looking up the package in Pamac and clicking on the Build button, or doing yay package_name blindly. It requires that the user knows what’s going on. That’s why I recommend trying to build at least one package manually, to understand what’s going on, before using an AUR helper like pamac or yay.

yay has a nice feature that allows you to inspect a PKGBUILD file before installing, and to see the differences in the PKGBUILD file when updating a package from the AUR. Do not ignore this feature, it is very useful and will make your AUR usage much safer.

Here are some tips on how to be safe using the AUR.

  • First of all, look up the package on aur.archlinux.org, see the comments, upvotes, popularity, name of the packager, etc… If it is not a popular package, be extra careful when inspecting the PKGBUILD file. Look at the date the package was last updated. If it is fairly old, or updated by the same person, and people are using it, it’s almost certainly safe. If there is anything fishy going on, it will be removed from the AUR fairly quickly.

What to look for in the PKGBUILD file? You’ll have to learn some elementary shell scripting to understand what’s going on. This is easier than it sounds.

  • Inspect even the PKGBUILD files for completely trustworthy packages, just so you learn to recognise a good PKGBUILD file. When you see a dozen good PKGBUILD files and you understand what’s going on there, you’ll already have the feeling for anything that is out of place.

  • Look for anything obviously malicious, like rm, mv commands, any output redirection, any mention of /dev (like /dev/null, /dev/sda, /dev/zero, /dev/random), mkfs, any call to pacman, systemctl, anything that touches grub… stuff like that.

  • Look for any command that does stuff in your home directory. Typically, building and installing packages should not touch anything in the home directory. If you find something like that, be very suspicious and make sure you completely understand what that command does.

  • Look for anything that looks intentionally obfuscated. Anything that is written in an unclear way, with many semicolons, &&s and ||s, lots of brackets, sed, awk, etc… Typically, good PKGBUILDs contain very simple instructions.

  • Make sure the software comes from a trustworthy place, whether it’s a binary distribution or the source code. Check all the URLs in the script, make sure they are official pages for the software you’re installing. All URLs should be listed neatly in the beginning of the file. Look for any downloads of external scripts, with curl or wget, there should not be anything like that. Beware of random Github places.

  • Use common sense.

Also, when you install something from the AUR, consider upvoting it on aur.archlinux.org, just to let everyone know it’s a good package. Votes are one of the criteria for package inclusion in the official repos. If you notice anything malicious, do not neglect to report it. Upvoting good packages and reporting bad ones is the easiest way to improve the AUR for everyone.

25 Likes

Thanks so much @Kresimir, I now have somewhat of a better understanding. I have built packages manually; well, on Arch you’ve got no choice because you have to build yay.

I think I’m gonna learn at least basic shell scripting so I can make an informed decision. Also I will follow the advice given here by you and the others.

2 Likes

This could be inside the discovery wiki about the AUR.
Would you mind if I go and add it?

5 Likes

No, I don’t mind at all! :slight_smile:

1 Like

It’s not added yet to the wiki, can’t you leapfrog any faster!? :stuck_out_tongue:

edit: I’ve actually had this post bookmarked for its usefulness, but I think it’s a good idea for sure to add this to the wiki for future reference.

I agree that it should be there - it distils the situation as well as I have ever seen, and matches up with what I have worked out over time as best practices for the AUR. I just doubt I could have put together such a clear set of statements to pass on the information…

@joekamprad - you want me to add it in - or have you ‘got’ it?

2 Likes

Do we add this?
:wink:
Just stumbled upon this…
https://discovery.endeavouros.com/aur/faq-what-is-the-aur/2021/03/

1 Like