Arch Linux: Stop recommending people to use makepkg for the AUR

jD91mZM2 (legolord208) ・2 min read

This is relevant to Arch Linux and the Arch User Repository. If you don't know what that is, no need to read this article.

Alright, there seem to be around 3 kinds of people:

  1. "Pacman should be like apt"
  2. "You probably want an AUR helper"
  3. "Real men use makepkg"

2/3 of these people know that adding a custom repository to get a program is HORRIBLE security-wise. That's not worth mentioning.
I will instead be focusing on eliminating the 3rd kind, leaving us with the second (which I'm a part of).

Let me tell you a tale of how I got used to the AUR.
Immediately when I started off, I wanted to be the 3rd kind. I wanted to use only the official tools. "Real men don't need no helper" or whatever. I scanned the wiki on my phone (Arch wasn't completely set up yet), and found out how to install packages. I failed to find out how to update them, so I assumed pacman did that for you. I started cloning all packages to ~/Downloads, building them, and deleting them.
That was my first pitfall. Already, I had made a mistake. I needed to keep them updated. Alright, that's simple enough. I re-downloaded all my packages (TIP: pacman -Qm) to ~/AUR. Then I made a bash script to git pull all the things, and build them if there was anything to update (NOTE: I hadn't thought of -git packages).
This is what I used for a while. And it worked, except it required a lot of interaction. I had to copy the URL, cd, git clone, cd, makepkg. I started avoiding the AUR as much as I could. Alright, simple fix: Just make a bash script to download it? No. This is where I stopped. And I'll tell you why in a second.
But first I want to interject that I never checked any other files than the PKGBUILDs. I never read the wiki carefully enough, so I failed to realize that ALL files could contain viruses. If I had used a helper, this risk would have been avoided altogether.

I saved my most important point for last. If you make shell scripts around the manual way of doing it, are you really still using the manual way...
...or have you created a helper?
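
The update routine described above (git pull every clone under ~/AUR, then build) can put the review step before the merge and cover every changed file, not only the PKGBUILD. This is an added example, not the author's script; the function names are hypothetical and each clone is assumed to track its AUR remote.

```shell
#!/bin/sh
# Added example (not from the article): review every upstream change in a
# directory of AUR git clones before anything is merged or built.
# Assumption: each clone tracks its AUR remote, as a plain `git clone` does.

# List every file that differs between the checkout and the fetched upstream.
# Only fetches; nothing is merged, sourced or built.
aur_changed_files() {
    git -C "$1" fetch --quiet || return 1
    git -C "$1" diff --name-only HEAD '@{u}'
}

# Show the whole upstream diff (all files, not only PKGBUILD) and
# fast-forward only after an explicit "y" on stdin.
aur_review_and_update() {
    aur_changed=$(aur_changed_files "$1") || return 1
    [ -n "$aur_changed" ] || return 0
    printf '== %s: changed upstream ==\n%s\n' "$1" "$aur_changed"
    git -C "$1" --no-pager diff HEAD '@{u}'
    printf 'Merge these changes? [y/N] ' >&2
    read -r aur_answer || aur_answer=n
    if [ "$aur_answer" = y ]; then
        git -C "$1" merge --ff-only --quiet '@{u}' &&
            echo "reviewed: now run makepkg -si in $1"
    else
        echo "skipped: $1 left at the last reviewed commit"
    fi
}

# Usage: sh aur-review.sh ~/AUR   (the directory name used in the article)
if [ "$#" -gt 0 ]; then
    for repo in "$1"/*/; do
        if [ -d "${repo}.git" ]; then aur_review_and_update "$repo"; fi
    done
fi
```

A fresh clone has no previously reviewed commit to diff against, so the first install still needs every file in the clone read by hand.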

Discussion

I think the general conSENSEus on #archlinux is that, by all means use an AUR helper, BUT familiarise yourself with makepkg beforehand as the said helper WILL break on pacman updates. Forewarned is forearmed.
Here's a wee shell script, by default it opens the PKGBUILD in $EDITOR for you to peruse BEFORE installing anything

lmfao what are you even talking about? no one solely uses and downloads pkgbuild files and does makepkg, they use pacman or an AUR helper XD

Where are you getting this totally outdated info from?

 

Hello Corey,
please be sure to convey your opinions in a respectful and comprehensive way, even when they're in total disagreement (which, of course, is perfectly fine).
Remember there are newbies that might be confused by confrontational replies.
Let's be excellent to each other. Thanks 🤗

 

I will, I am good at helping new Linux users but what I am confused about is this incorrect information that makes no sense in 2019.

Corey, you're completely wrong. A lot of people manually clone AUR repos and use makepkg -si to install them, including myself.
That's even the only way listed on this Arch Wiki page: wiki.archlinux.org/index.php/Arch_...

Back to the subject, I was aware of the potential risk of malicious code hidden in AUR repos, but I'm discovering with your article that a helper can avoid such risk! But how can an AUR helper tell if something is malicious or not?

No, no one really bothers with it because they just use their package manager or AUR helper, if the code was "malicious" for example there isn't much chance of that happening as even tho anyone can submit they will be viewed and checked, of course you can still manually makepkg if you want but no one does this regularly or even has to anymore thanks to package managers and helpers

Never gone to #archlinux, have you?

I use Arch Linux with a bunch of others who also do and never in my time using Linux or Arch in general have I ever relied on downloading pkgfiles and building manually as a main way to get packages, if I install a package it's always with my package manager. I've manually downloaded the pkgbuild file and built the package once but I never rely on doing that

Right. And probably none-of-you have gone to #archlinux. :D

I didn't use to cower (now auracle) && makepkg either (I used Arch for good 5+ years), but back then the IRC weenies were against AUR helpers, because noobs would come with their super simple problems that they could've fixed themselves had they learned about the build process.

Actually we also have nothing wrong with using an AUR helper even if we already know how to do it manually, why add more steps to do a simple task when an AUR helper simplifies things, it's the same process only automated.

No you're not understanding what I said. I prefer AUR helpers, but as a maintainer I also didn't like it when random user's helper didn't work (or there was some super simple problem with the PKGBUILD), and they would then blindly copy paste those error messages to ping my mailbox each time.

Doesn't matter to users (Arch's overly complex as-is), but kinda does to maintainers and those who wanna help out in the forums, IRC, etc.

Yeah I know I'm just saying that AUR helpers are good 😋

Yep that's the toxic Arch users but I intend to change that and help users in a positive way instead of saying "read the fucking wiki" and acting arrogant.

Yes Arch is and can be complex but just like Linux in general it doesn't have to be :)