Why would someone "Frankenstein" EOS with other distros' repos?

Well, by that logic, the AUR itself could fall under the “don’t use it” if you can’t answer “yes” to those questions.

I think the point @dalto is trying to make is that with the AUR you still get to review the exact PKGBUILD you are building before you are building. With the Chaotic AUR you can’t be sure if the PKGBUILD was modified by someone before being built.

2 Likes

The answer will always be yes for AUR packages since you are the one building the packages. Well…unless you find yourself untrustworthy…

Point taken. :joy:

Wouldn’t that be a technicality? I mean, when I install via AUR, I’m not actually building anything at all. I’m monitoring the process as it moves along, answering Y if I agree to continue with the automated build process. Or am I mistaken in my description?

For those using the Chaotic AUR versions of the cachyos kernel: how do you know that these pre-built packages are using the right optimizations for your particular hardware?

They don’t, they are generic builds. If you want the optimizations for your hardware you have to use the cachy repos or build it yourself.

2 Likes

Yep. And in that case, I would just use CachyOS. But since I’m tinkering and experimenting with a fully backed-up EOS, I’m fine with any risk.

Also, if I am not wrong pacman will warn you (or error out) if you are installing a package that is not supported by your CPU.

Wouldn’t just using the required AUR packages be enough, or does CachyOS do other things that are necessary?

OK, that’s good to know.

1 Like

Please verify the info. I have a memory of having seen a message of that kind when I was mixing repos and cherry-picking packages. But my memory may fail me.

To be 100% honest, I don’t really know.

Yes, but surely you are reviewing the PKGBUILD diffs…right? If you aren’t, you should be, this takes only a few seconds in most cases.

Likewise, you know that the AUR package is actually what is being built. When you use a 3rd party, you are trusting that they are doing the things that they say they are. But you don’t really know since you are being delivered a prebuilt package.

1 Like

On a slightly related note, one way to get the kernels without adding the whole cachyos repo is to download the kernel packages to a local repo and install from that.

I have to check again, but I’m pretty sure that Arch’s pacman throws some kind of architecture error if you try a pacman -U, that’s why you have to install Cachy’s patched pacman.

1 Like

I think so too.

Exactly!

Yes, indeed!

True. As far as the maintainers of Chaotic AUR go, I have no reason thus far to distrust them. I’ve not run across issues personally, and I don’t see complaints or issues online, on forums, on Reddit, etc. Having said that, you are right. It’s ultimately up to the end user to investigate, trust, or not trust.

Just to be pedantic, that circles back to the core of the argument. You can’t self investigate, unless you disassemble the binary which is unreasonable.

You have to trust. Which of course you do all the time, so that’s not a defeating argument, just a different one.

If you use pacseek, it shows the PKGBUILDs for the packages you want to install, including those from chaotic-aur.

1 Like

True, but there are two issues with that. That is only when you initially install them, not every time they are updated with pacman. You also have no way to guarantee that the binary in chaotic-aur is built with that PKGBUILD.

Ultimately, it all comes back around to trust. There is really no avoiding it.

4 Likes
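
The last point in the thread (a prebuilt package cannot be tied with certainty to the PKGBUILD you were shown) can be narrowed a little, because makepkg records a `pkgbuild_sha256sum` field in each package's `.BUILDINFO`. The sketch below is an added example, not part of the original thread or any project's tooling; the function names, package name and sample data are constructed for illustration.

```python
import hashlib

def parse_buildinfo(text):
    """Parse the 'key = value' lines of a .BUILDINFO file; repeated keys become lists."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            info.setdefault(key.strip(), []).append(value.strip())
    return info

def check_pkgbuild_claim(buildinfo_text, reviewed_pkgbuild):
    """Compare the PKGBUILD hash recorded at build time with the PKGBUILD you reviewed.

    Returns "match", "mismatch", or "no-claim" when the field is absent.
    """
    claimed = parse_buildinfo(buildinfo_text).get("pkgbuild_sha256sum")
    if not claimed:
        return "no-claim"
    actual = hashlib.sha256(reviewed_pkgbuild).hexdigest()
    return "match" if claimed[0].lower() == actual else "mismatch"

# Constructed sample data (not taken from any real package).
REVIEWED = b"pkgname=example-pkg\npkgver=1.0\npkgrel=1\narch=('x86_64')\n"
MODIFIED = REVIEWED + b"# extra line added before the build\n"

def make_buildinfo(pkgbuild):
    # Mimics what makepkg writes; in practice the text comes from the package itself,
    # e.g. `bsdtar -xOf example-pkg-1.0-1-x86_64.pkg.tar.zst .BUILDINFO`.
    return (
        "format = 2\n"
        "pkgname = example-pkg\n"
        "pkgver = 1.0-1\n"
        f"pkgbuild_sha256sum = {hashlib.sha256(pkgbuild).hexdigest()}\n"
        "packager = Constructed Packager <packager@example.invalid>\n"
    )

if __name__ == "__main__":
    print(check_pkgbuild_claim(make_buildinfo(REVIEWED), REVIEWED))
    print(check_pkgbuild_claim(make_buildinfo(MODIFIED), REVIEWED))
    print(check_pkgbuild_claim("format = 2\npkgname = example-pkg\n", REVIEWED))
```

A "match" only means the hash the builder recorded equals the file you read. The `.BUILDINFO` is written on the builder's machine, so the check catches an accidental or careless mismatch but still rests on trusting whoever produced the package.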