
#1 2011-10-28 00:13:36

synthead
Member
Registered: 2006-05-09
Posts: 1,337

AUR repository toolchain

So I was thinking: what if there was a community-supported AUR repository for Arch?  Inspired by evalbot on irc.freenode.net's #bash channel, the system would use virtual machines.  Here's why, and how it would work.

As we know, AUR packages can be potentially dangerous.  Users should never install a package without reviewing the contents of the PKGBUILD and all the .install files.  Somebody could whimsically install a package that isn't a package at all and have their system rooted.  The thought of automatically building random AUR packages on a dedicated server should sound like a nightmare to any good Linux admin.  So here's the plan: host a virtual machine, get it all set up the way you want, then create a one-time snapshot.  The VM's host will control the operations within the machine via SSH keys, and will remotely execute makepkg -o on a new PKGBUILD.  Now, with the sources downloaded, the host cuts off all network access to the VM and builds the package.  When done, the host then uses SFTP to transfer the built package to a safe directory, then resets the state of the VM back to the snapshot for another package!

The only downside to this strategy is that now you have random AUR packages in binary form built by someone who's just a name on the internet, but this would be mostly safeguarded by sha512sum checks.  If this was a modular system where people can just install an AUR package and run it as a daemon (like foldingathome), then people would be automatically uploading packages to a central server.  When five or so people upload the same package, and the sha512sums all match, it's added to the repository for users to download in a pacman-able .tar.xz form from [aur].  Of course, a voting, flagging, and comments area would be in place too.

I'm seriously thinking of starting this project as a hobby when I have some free time.  Any thoughts? :)

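The host-side driver the post sketches (revert to snapshot, fetch sources with the network up, cut the network, build, pull the package out, revert again), written out as an added example that is not code from the thread or from any existing project. It assumes things the post does not say: the VM is a libvirt domain named "aurbuild" with a clean snapshot called "clean"; it has two NICs, a host-only one that carries the host's SSH session and a NAT one ("vnet1" on the host side) that reaches the internet, so that "cutting all network access" does not also cut the control channel; the guest user "builder" accepts the host's key; and the PKGBUILD is fetched from today's AUR git URL scheme. The `run` parameter exists so the command sequence can be exercised without a VM.

```python
"""Host-side driver for a throw-away AUR build VM (added example, not from the thread).

Assumptions, none of them stated in the post: libvirt-managed domain "aurbuild"
with snapshot "clean"; a host-only NIC for SSH plus a NAT NIC "vnet1" for the
internet; guest user "builder" trusts /etc/aurbuild/id_ed25519; current AUR git URLs.
"""
import re
import shlex
import subprocess
import sys
from typing import Callable, List

VM = "aurbuild"
CLEAN_SNAPSHOT = "clean"
INTERNET_NIC = "vnet1"                      # NAT link to cut; the host-only SSH link stays up
SSH_TARGET = "builder@aurbuild.hostonly"    # hypothetical host-only address of the guest
SSH_OPTS = ["-i", "/etc/aurbuild/id_ed25519", "-o", "BatchMode=yes",
            "-o", "StrictHostKeyChecking=yes"]
INCOMING = "/srv/aur/incoming"              # the "safe directory" on the host

Runner = Callable[[List[str]], None]
# Arch package names: lowercase alphanumerics plus @ . _ + -, not starting with - or .
PKGNAME_RE = re.compile(r"^[a-z0-9][a-z0-9@._+-]*$")


def run_host(cmd: List[str]) -> None:
    """Default runner: execute on the host, abort the pipeline on a non-zero exit."""
    subprocess.run(cmd, check=True)


def ssh(remote: str) -> List[str]:
    """Run one shell line inside the guest over the host-only link."""
    return ["ssh", *SSH_OPTS, SSH_TARGET, remote]


def build_package(pkgname: str, run: Runner = run_host) -> List[List[str]]:
    """Fetch, build and collect one AUR package; returns the host commands issued, in order."""
    if not PKGNAME_RE.match(pkgname):
        raise ValueError(f"refusing suspicious package name {pkgname!r}")
    issued: List[List[str]] = []

    def step(cmd: List[str]) -> None:
        issued.append(cmd)
        run(cmd)

    try:
        step(["virsh", "snapshot-revert", VM, CLEAN_SNAPSHOT])
        # 1. Network up: clone the PKGBUILD and let makepkg download + extract sources only.
        #    --noprepare keeps the PKGBUILD's own prepare() from running while online.
        step(ssh(f"git clone https://aur.archlinux.org/{shlex.quote(pkgname)}.git build"))
        step(ssh("cd build && makepkg -o --noprepare"))
        # 2. Sources are on the guest disk: drop the internet link before any PKGBUILD
        #    code (prepare/build/package, .install hooks) gets to run.
        step(["virsh", "domif-setlink", VM, INTERNET_NIC, "down"])
        # Plain makepkg finds the downloaded files, re-verifies their checksums, extracts
        # and builds; anything that still needs the network now fails instead of phoning home.
        step(ssh("cd build && makepkg"))
        # 3. Pull the result out over the host-only link (scp accepts the same -i/-o options).
        step(["scp", *SSH_OPTS, f"{SSH_TARGET}:build/*.pkg.tar.*", INCOMING + "/"])
    finally:
        # 4. Whatever happened, throw the guest state away.
        step(["virsh", "snapshot-revert", VM, CLEAN_SNAPSHOT])
    return issued


if __name__ == "__main__":
    for cmd in build_package(sys.argv[1]):
        print(shlex.join(cmd))
```

VCS packages (`-git`, `-svn`) will fail at the offline `makepkg` step because makepkg tries to update the checkout; that is the fail-closed behaviour you want here, and such packages need a separate download step before the link is cut. Note that the snapshot revert, not the network cut, is what contains a hostile PKGBUILD; the cut only stops it from exfiltrating or fetching more.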

#2 2011-10-28 00:54:17

lolilolicon
Member
Registered: 2009-03-05
Posts: 1,722

Re: AUR repository toolchain

The sha512sums won't match AFAICT.


This silver ladybug at line 28...


#3 2011-10-28 10:22:57

knopwob
Member
From: Hannover, Germany
Registered: 2010-01-30
Posts: 239

Re: AUR repository toolchain

lolilolicon wrote:

The sha512sums won't match AFAICT.

An example of why the same package ends up with different sha512sums:

knopwob@mordor ~ % vim --version
VIM - Vi IMproved 7.2 (2008 Aug 9, compiled Apr 16 2010 12:36:35)

The time the binary was compiled is obviously different on different builds. So there's always a different string embedded in the binary, resulting in different checksums.


Another issue that comes to mind:
You have to prevent the clients from uploading packages of commercial software. An example would be osmos, where the user has to provide a copy of the game.
A way to work around this would be a whitelist of allowed licenses.

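To make the objection in the two replies above concrete, here is an added example (not code from the thread) that packs two builds of the same files into in-memory tar.xz archives, the way makepkg would, and reports how they differ. The archives and the "binary" (a byte string carrying a compile stamp like the vim banner) are constructed sample data. It shows the two separate reasons the whole-archive sha512sum will not match: tar metadata such as mtimes, which a content-level comparison can ignore, and a timestamp embedded in the binary itself, which it cannot, but can at least localise to a file.

```python
"""Why two honest builds give different sha512sums, and what a comparison can still say.

Added example, not from the thread. Everything below is constructed in memory.
"""
import hashlib
import io
import tarfile
from typing import Dict


def make_pkg(files: Dict[str, bytes], mtime: int) -> bytes:
    """Pack files into a tar.xz the way a package archive is; mtime stands in for build time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha512(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def member_digests(archive: bytes) -> Dict[str, str]:
    """sha512 of each regular file's contents, ignoring tar metadata (mtime, owner, order)."""
    out: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:xz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = sha512(tar.extractfile(member).read())
    return out


def compare_builds(a: bytes, b: bytes) -> Dict[str, object]:
    """Do two uploads agree as whole archives? As file contents? If not, which files differ?"""
    da, db = member_digests(a), member_digests(b)
    differing = sorted(n for n in da.keys() | db.keys() if da.get(n) != db.get(n))
    return {"archive_match": sha512(a) == sha512(b),
            "content_match": not differing,
            "differing_files": differing}


# Constructed sample: one package built on two machines.
BANNER = b"VIM - Vi IMproved 7.2 (2008 Aug 9, compiled %s)"
BUILD_A = {".PKGINFO": b"pkgname = vim\npkgver = 7.2-1\n",
           "usr/bin/vim": b"\x7fELF" + BANNER % b"Apr 16 2010 12:36:35"}
BUILD_B = dict(BUILD_A, **{"usr/bin/vim": b"\x7fELF" + BANNER % b"Oct 28 2011 00:13:36"})


def metadata_only_difference() -> Dict[str, object]:
    """Identical files packed a second apart: archive hashes differ, contents agree."""
    return compare_builds(make_pkg(BUILD_A, 1319760000), make_pkg(BUILD_A, 1319760001))


def embedded_timestamp_difference() -> Dict[str, object]:
    """The compile stamp case: contents differ, and the report names the file."""
    return compare_builds(make_pkg(BUILD_A, 1319760000), make_pkg(BUILD_B, 1319760000))
```

A content-level match across several builders is the most this scheme can get without reproducible builds; the embedded-stamp case is only fixable at build time (modern makepkg exports SOURCE_DATE_EPOCH so that compilers and archivers can use a fixed timestamp), at which point the raw archive hashes become comparable again.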

#4 2011-10-29 20:02:05

synthead
Member
Registered: 2006-05-09
Posts: 1,337

Re: AUR repository toolchain

Ahhhh, yeah, I see.  We'd probably have to implement a voting system, then :)


#5 2011-10-30 12:23:11

Snowman
Developer/Forum Fellow
From: Montreal, Canada
Registered: 2004-08-20
Posts: 5,212

Re: AUR repository toolchain

synthead wrote:

Ahhhh, yeah, I see.  We'd probably have to implement a voting system, then :)

You'll need to make sure that the votes don't come from the same person. It would be easy for someone with evil intentions to create bogus AUR accounts so that a malicious package gets the required number of votes.

There's also the risk of users abusing the build server to build custom packages that don't belong in the AUR (like the kernel, or packages in the repo with different build flags or configure options) or to do any CPU-intensive work not related to packages.

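The server-side gate that the "five matching uploads" idea in the first post, the license whitelist suggested by knopwob and the bogus-account warning above add up to, as an added example that is not code from the thread. Its design choices are assumptions, not anything the posts specify: each builder daemon registers a secret with the server and tags every upload with an HMAC over the package name and digest; only registered builders are counted, and one builder counts once per package however many times it uploads, so piling up submissions from one identity never reaches quorum. The PKGBUILD fragments and builder secrets are constructed sample data, and the license list is illustrative.

```python
"""Admission gate for uploaded builds: license whitelist plus a quorum of distinct,
registered builders. Added example, not from the thread; keys and PKGBUILDs are constructed."""
import hashlib
import hmac
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

QUORUM = 5
ALLOWED_LICENSES: Set[str] = {"GPL", "GPL2", "GPL3", "LGPL", "MIT", "BSD", "Apache"}  # illustrative
# Registered builders and their secrets (constructed sample; a real server would hold these
# in a database and vet registrations, which is where the bogus-account problem has to be solved).
BUILDER_KEYS: Dict[str, bytes] = {f"builder{i}": f"secret-{i}".encode() for i in range(1, 8)}


class Submission(NamedTuple):
    builder: str
    pkgname: str
    digest: str   # sha512 of the uploaded package file
    tag: str      # HMAC-SHA256 over pkgname and digest, keyed with the builder's secret


def tag_for(key: bytes, pkgname: str, digest: str) -> str:
    return hmac.new(key, f"{pkgname}\n{digest}".encode(), hashlib.sha256).hexdigest()


def submit(builder: str, pkgname: str, digest: str) -> Submission:
    """What a builder daemon sends, tagged with its own key."""
    return Submission(builder, pkgname, digest, tag_for(BUILDER_KEYS[builder], pkgname, digest))


def pkgbuild_licenses(pkgbuild: str) -> List[str]:
    """Pull license=('A' 'B') out of a PKGBUILD; it is a bash array, so split on whitespace."""
    m = re.search(r"^license=\((.*?)\)", pkgbuild, re.M | re.S)
    return [tok.strip("'\"") for tok in m.group(1).split()] if m else []


def license_allowed(pkgbuild: str) -> bool:
    """Every declared license must be on the whitelist; no license at all is a rejection."""
    licenses = pkgbuild_licenses(pkgbuild)
    return bool(licenses) and all(lic in ALLOWED_LICENSES for lic in licenses)


def agreed_digest(pkgname: str, submissions: List[Submission]) -> Optional[str]:
    """The digest backed by QUORUM distinct registered builders, or None."""
    backers: Dict[str, Set[str]] = defaultdict(set)
    for s in submissions:
        key = BUILDER_KEYS.get(s.builder)
        if key is None or s.pkgname != pkgname:
            continue                                    # unregistered, or for another package
        if not hmac.compare_digest(s.tag, tag_for(key, pkgname, s.digest)):
            continue                                    # tag does not verify: forged
        backers[s.digest].add(s.builder)                # a set: one vote per builder
    for digest, who in backers.items():
        if len(who) >= QUORUM:
            return digest
    return None


def admit(pkgname: str, pkgbuild: str, submissions: List[Submission]) -> Optional[str]:
    """Both gates: the digest to publish, or None."""
    if not license_allowed(pkgbuild):
        return None
    return agreed_digest(pkgname, submissions)


# Constructed samples.
GPL_PKGBUILD = "pkgname=foo\npkgver=1\nlicense=('GPL')\n"
CUSTOM_PKGBUILD = "pkgname=osmos\npkgver=1\nlicense=('custom')\n"   # user must supply the game
DIGEST = hashlib.sha512(b"the same build everywhere").hexdigest()
```

The quorum only means something if the builder registry is harder to populate than an AUR account is to create; that part is policy, not code, which is the point of the warning above.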
