I don’t really want to go to the hassle of isolating the self-build on a virtual machine (because of how I will need to use it later), so the choice really is between a pip install (virtual environment, but from a repository with goodness knows what else on it), or self-build (guaranteed to be the right package, but running alongside all the other binaries on my system).
Does anyone have any advice as to which route is most secure (or easiest to keep secure)?
Or better still is there a better way? The fully packaged and tested build is available for Debian and Ubuntu - if that helps.
Assuming that this is software you want to use system-wide and not something you only need in a development environment, the best and most maintainable way would be to create a PKGBUILD and then install it using pacman.
You can easily create a PKGBUILD that uses any of those methods to build the software. You could also use a PKGBUILD to repackage the debian build if you want to.
It is also possible to use debtap to convert the package but that is not maintainable and often doesn’t work properly.
Thanks. I actually don’t need to run it system-wide, it’s for a limited set of projects.
Nonetheless, I’ll look into the PKGBUILD options. Not something I’ve done before, but I’m always up for learning something new.
I suppose my biggest concern is if the code messes something up on my machine. To date, I’ve pretty much relied on the oversight the official repos have to keep me safe. It’s annoying that I’m having to use this at all.
The nice thing about building a package is that the build is running in a separate set of directories. Then it gets assembled into a package. From there, pacman is just copying files into the filesystem.
There are a couple of controls that make this fairly safe:
By default, pacman won’t overwrite files installed by a different package
If anything is impacted by installing the package, you can remove it and it will delete all the files installed by the package (but not other files)
Of course, if the software itself is malicious, pacman can’t do anything about that risk but that is a separate issue.
There are plenty of example PKGBUILDs out there that build things from source, build from pip and unpack a debian package. You can see the PKGBUILDs for both repo packages and AUR packages so you can typically just look at something similar and make some minor changes.
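A hypothetical PKGBUILD along the lines described above, added here as an illustration and not taken from the thread or from any real project: it fetches a Python tool from its git repository at a pinned commit, builds a wheel under makepkg's staging directory and installs only into $pkgdir. The package name, URL and commit id are placeholders to be replaced with the reviewed values.

```bash
# Maintainer: Your Name <you@example.org>
# Hypothetical PKGBUILD: every name, URL and the commit id below is a placeholder.
pkgname=python-exampletool
pkgver=1.2.3
pkgrel=1
pkgdesc="Example Python tool, built from a pinned git commit"
arch=('any')
url="https://example.org/exampletool"
license=('MIT')
depends=('python')
makedepends=('git' 'python-build' 'python-installer' 'python-wheel' 'python-setuptools')

# Pin the exact commit you reviewed, so the build is reproducible and a later
# push to the upstream branch cannot silently change what gets installed.
_commit=0000000000000000000000000000000000000000  # placeholder commit id
source=("${pkgname}::git+${url}.git#commit=${_commit}")
sha256sums=('SKIP')  # a VCS source is verified by the pinned commit, not a tarball checksum

build() {
    cd "${srcdir}/${pkgname}"
    # Build the wheel inside ${srcdir}; nothing is written to the live system yet.
    python -m build --wheel --no-isolation
}

package() {
    cd "${srcdir}/${pkgname}"
    # Install only into ${pkgdir}. makepkg assembles that tree into a package and
    # pacman copies the files in, refusing to overwrite files owned by another package.
    python -m installer --destdir="${pkgdir}" dist/*.whl
}
```

Run `makepkg -si` in the directory holding this PKGBUILD; the build and staged install happen under the src/ and pkg/ directories makepkg creates, and the installed files can later be removed as a unit with `pacman -R python-exampletool`.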
That’s good to know. I might try from the git source then. At least that minimises the chances of me spelling the package name wrong and installing something bizarre from pip!