Browsing the Arch and AUR repositories, I notice a few differences. On Arch I seem to find only apps with base names with no extension. On AUR there are .bin, .git, and ones with only a base name like the Arch repository. This seems to be a convention of sorts. Can anyone explain the difference/advantage of the different types of apps?
Repo packages never have a suffix no matter how they are built.
For AUR, the suffix indicates the source of the package. This is the general convention:
- No suffix - Built from source
- -git - Built from the latest unreleased source
- -bin - A prebuilt binary
There are also some less common suffixes like -appimage which indicates the files were extracted from an image and built into a package.
However, in cases where there is no source available, no suffix can also indicate a prebuilt binary.
As for advantages, generally you should avoid -git packages unless you want to participate in testing or need some very new functionality or support. For example, if you bought a piece of hardware that was very recently released.
-bin packages are built from prebuilt binaries so they will build much faster than packages built from source.
Packages built from source are generally the safest since you know what is in the binary. For really big packages like browsers it can be a little impractical to build from source unless you have a very powerful CPU and lots of RAM.
as far as AUR, I only install -bin packages. they’ve always agreed with my system. if there is not a -bin, I move on.
2 cents
I may have gotten this wrong but if you install a -bin (a binary) from AUR that has been built by someone on their own machines, you would need to put a great deal of trust into that package and the uploader of the PKGBUILD.
Even if you review the PKGBUILD for the kind of binary, it’ll only tell you how it is unpacked and how it is installed in your system. You will never get any insight into how the binary was actually built.
There are cases where the binaries come from an official DEB or RPM source for example. These may be different.
Again, I may have gotten this wrong but I’d rather stand corrected than keep on going with an erroneous concept of how things are.
You should always check, but most AUR -bin packages come from official sources.
If it doesn’t, I would agree that you should probably not install it.
I do go to aur page and check some out–i.e.: code etc.
Also, I was just telling OP I prefer -bin over 1) huge non-binary compiles that take forever and 2) curl/git fetched packages that have never sat right with me. In the AUR, I mean.
Lynis so far has confirmed the AUR has not compromised me yet (knock, wood!).
Someone may get burned someday. I read a peer-reviewed article about what unchecked browser extensions (source: chrome store) do and the sheer mayhem some of them cause.
Pray that it won’t be you!!
As @dalto also confirmed, one should exercise caution if the binary doesn’t come from an official source.
Yes. They could do horrible things. So I have heard and read too.
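A static version of the "always check where the binary comes from" step discussed in the thread, as an added example that is not part of any post: it reads an AUR package's .SRCINFO (without executing the PKGBUILD) and flags downloads whose host differs from the package's url field, that use plain http, or that have no pinned checksum. The package name, hosts and digests are constructed, and comparing the last two DNS labels is an assumed heuristic for "official source", not an AUR rule.

```python
from urllib.parse import urlparse

# Constructed .SRCINFO for a hypothetical package; real files indent with tabs.
SAMPLE_SRCINFO = """\
pkgbase = exampleapp-bin
    url = https://exampleapp.example.org
    source = exampleapp.desktop
    source_x86_64 = exampleapp.deb::https://downloads.example.org/exampleapp_1.2.3_amd64.deb
    source_aarch64 = https://files.mirror.example.net/exampleapp_1.2.3_arm64.deb
    sha256sums = constructed-digest-0
    sha256sums_x86_64 = constructed-digest-1
    sha256sums_aarch64 = SKIP
"""
ALGOS = ("md5sums", "sha1sums", "sha224sums", "sha256sums", "sha384sums", "sha512sums", "b2sums")

def site(host):
    """Last two DNS labels: a crude stand-in for the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])

def parse_srcinfo(text):
    """Collect every 'key = value' line into a dict of lists."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(" = ")
        if sep:
            fields.setdefault(key, []).append(value)
    return fields

def review_sources(text):
    """Return (host, reason) pairs for downloads that deserve a closer look."""
    fields = parse_srcinfo(text)
    upstream = site(urlparse(fields.get("url", [""])[0]).hostname or "")
    findings = []
    for key, sources in fields.items():
        if key != "source" and not key.startswith("source_"):
            continue
        suffix = key[len("source"):]              # "" or "_x86_64", "_aarch64", ...
        for i, entry in enumerate(sources):
            url = urlparse(entry.split("::", 1)[-1])  # drop optional "name::" prefix
            if not url.hostname:
                continue                          # local file from the AUR repo itself
            if site(url.hostname) != upstream:
                findings.append((url.hostname, "host differs from upstream " + upstream))
            if url.scheme.split("+")[-1] == "http":
                findings.append((url.hostname, "fetched over plain http"))
            sums = [fields.get(a + suffix, [])[i:i + 1] for a in ALGOS]
            if not any(s and s != ["SKIP"] for s in sums):
                findings.append((url.hostname, "no pinned checksum"))
    return findings
```

A flagged host is a prompt to read the PKGBUILD and the upstream download page, not proof of a problem; many projects legitimately host releases on a separate domain.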