Is aur down again?

I haven’t used it yet myself, but I do know the AUR helper aura (GitHub link) has a security measure for “secure package building” if that’s something that may interest you, though to be clear I’m not entirely sure what all it is tested upon.

From their GitHub page:

Secure Package Building

PKGBUILDs from the AUR can contain anything. It’s a user’s responsibility to verify the contents of a PKGBUILD before building, but people can make mistakes and overlook details. Aura scans PKGBUILDs before building to detect bash misuse and other exploits. The -P command is also provided for scanning your own PKGBUILDs.

Feel free to test it out and let us know what you think if you do. I know paru and yay can be installed in tandem with no issues, but I do not know if yay and aura can be, FYI.

Edit: yay and aura should be able to co-exist together just fine.


LOL, doesn’t take much for any thread to devolve into a “Manjaro is :poop:”.

:grin:

Stupid sunshine, I missed out.

:smile:

They definitely can.

Off the top of my head, I can’t think of any AUR helpers that conflict with each other.


That’s good to know, thank you. I just wasn’t sure as I’ve only ever read many times in various threads/posts that paru and yay don’t conflict with each other so I didn’t want to state something as true or not if I wasn’t sure it related to other helpers.


The only issue I see is with VCS packages. They usually keep their own database to keep track of the latest commit (at least yay and paru do).

For sure if you use multiple helpers to update/install packages there will be some functionality loss. Not only for VCS packages but also sometimes for showing diffs.

That being said, they will all coexist and can be used for different things. For example, aura has some easy-to-remember syntax for finding orphans.

Thanks @Scotty_Trees for the tips!

Since my usage of the AUR extends from no to a maximum of a couple of packages sometimes, I am fine with checking the PKGBUILDs, mostly for learning purposes, and at times it is a bit fun to build the packages with makepkg etc.

But sure, when I find time I’ll have a look at aura and perhaps try it out.

Also, the ongoing insistence that Pamac should be the only package manager implementation for Manjaro? :wink:

I understand what you were trying to do with that forum announcement topic, and it’s a noble idea to try to make Manjaro users understand how their activity impacts on wider projects. However, and as much as I can appreciate the effort, those threads do end up looking like Manjaro is blaming their users for using the software included in Manjaro. That in turn would draw two sets of conclusions (as unfair as they might be) from people reading the thread - one, Pamac should not be included because it has fundamental flaws, and/or two, Manjaro doesn’t want to fix its broken software.

It might be my rose-tinted glasses, but I also don’t remember the same range of issues back when Pamac was a GUI wrapper for pacman and yay (if I remember correctly, things like crashing Pamac leading to completely broken systems happened when it was becoming a pure-libalpm implementation). Has anyone heard of Octopi or Bauh having the same issues?

Slightly OT comment

It’s also slightly disingenuous for people to suggest “we’re working with upstream to fix the issues” when it’s upstream filing bugs with fixes for Pamac that go for days or months without apparent comment/activity.

Anyway - I’ll conclude by saying that being an apologist for something you have no control over is a very difficult situation to be in, no matter how much you might love or be invested in a project. I did it many times for Manjaro when decisions were badly communicated (and so understandably completely misinterpreted) and it’s not worth the stress - if you can, let the people at fault deal with the issue they created. After all, keeping quiet and staying out of the way is what everyone else does. :wink:


Manjaro sponsored by the lovely CCP


:mute: :lock:

I think this has run its course.
