#1 2017-03-13 07:36:03

dilzel
Member
Registered: 2017-03-13
Posts: 6

Is AUR's apparmor package usable ?

Hello,

I want to install and enable apparmor on my arch, but apparmor seems to be only present in the AUR and is "flagged out-of-date".

Can someone who uses it confirm whether it is broken or not?

Thank you.


#2 2017-03-13 10:57:35

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523

Re: Is AUR's apparmor package usable ?

It has 90 votes on the AUR, with recent comments with no indication of problems.  The maintainer is active with 93 total AUR packages. AppArmor was flagged out of date yesterday because there is a newer version upstream, while even the "outdated" version is a full minor version ahead of other distros' apparmor package (e.g. Debian's most recent is 2.9.0).  What on earth would make you think it is "broken"?

Out-of-date flags are not for "broken" packages.  They are for (as the name implies) out of date packages.

Have you had any problems with it?  If so, describe your problems.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#3 2017-03-13 15:59:14

dilzel
Member
Registered: 2017-03-13
Posts: 6

Re: Is AUR's apparmor package usable ?

Trilby wrote:

What on earth would make you think it is "broken"?

The fact that I know absolutely nothing about how Arch's repos are organized and maintained, let alone the AUR. I wanted to ask first because I didn't know whether the "out-of-date" mark was something worrying or not.

Trilby wrote:

Out-of-date flags are not for "broken" packages.  They are for (as the name implies) out of date packages.

I didn't know that, thanks.

Trilby wrote:

Have you had any problems with it?  If so, describe your problems.

I didn't install it yet; I'll open another thread if I have problems. Thank you.

Last edited by dilzel (2017-03-13 15:59:36)


#4 2017-03-13 16:24:59

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523

Re: Is AUR's apparmor package usable ?

I suppose I was a bit blunt given that you are new to the forums.  So let me offer a belated welcome.  I'm glad the information was absorbed despite my blunt approach.

I do not personally use AppArmor, but by all relevant metrics I can assess, it seems to be widely used and well maintained for an AUR package.  I would encourage you to read up on our wiki about the repos and the AUR.  AUR packages are officially "unsupported", but this just means that Arch Linux developers are not responsible for them.

Given multiple viable alternatives of tools, I'd always install the one that was in the official repos unless there was good reason to do otherwise.  But there are also lots of great packages that are well maintained in the AUR for which there is no alternative in the main repos: apparmor may well be an example of this.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#5 2017-03-13 16:32:38

dilzel
Member
Registered: 2017-03-13
Posts: 6

Re: Is AUR's apparmor package usable ?

Trilby wrote:

I suppose I was a bit blunt given that you are new to the forums.

No problem, your post was helpful.

Trilby wrote:

So let me offer a belated welcome.

Thank you! :)

Trilby wrote:

I do not personally use AppArmor, but by all relevant metrics I can assess, it seems to be widely used and well maintained for an AUR package.  I would encourage you to read up on our wiki about the repos and the AUR.  AUR packages are officially "unsupported", but this just means that Arch Linux developers are not responsible for them.

Given multiple viable alternatives of tools, I'd always install the one that was in the official repos unless there was good reason to do otherwise.  But there are also lots of great packages that are well maintained in the AUR for which there is no alternative in the main repos: apparmor may well be an example of this.

I've in fact used Arch for some time before, and I've always had a hard time trusting anything from the AUR. From what I've read, it's entirely unregulated and no check is done against rogue packages. Is there some way to check the "reputation" of a maintainer? Are they responsible for compiling the program?

I suppose I should read more docs. Thanks for your help.

Last edited by dilzel (2017-03-13 16:34:32)


#6 2017-03-13 17:57:05

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523

Re: Is AUR's apparmor package usable ?

It's good to be cautious.  But the AUR maintainer does not compile the software.  They just give you a recipe (the PKGBUILD) with instructions on how to compile the package (and sometimes some patches).  You compile it yourself using makepkg.

You should read each PKGBUILD that you use (they are generally very short) to see what they are doing.  Often it is little more than configure, make, and make install with the appropriate prefix and DESTDIR variables set.  All the actual code is retrieved by makepkg on your system using the 'source' variable provided in the PKGBUILD.  You should also check that this source variable looks reasonable: in the case of apparmor it is downloading the source from launchpad.net/apparmor - this looks good to me, but you could always check that this really is the proper upstream URL if you want.  The PKGBUILD also contains a checksum which ensures you retrieved the same source files that the packager did (though for this to be relevant you'd have to trust the packager).  Some AUR packages also contain pgp keys - as AppArmor does.  These pgp keys are upstream's digital signature and provide a very reliable means of confirming that you are only building the proper material from upstream (assuming you properly check and import the upstream key).

As to the reputation of the maintainer, it is good to be cautious there too.  There certainly is a fair amount of garbage in the AUR.  That said, I've yet to see, or even hear of, a malicious package in the AUR.  Those packages that I might call junk just don't do anything useful.  Either they are a trivial variant of a repo package, or they distribute some novice programmer's code that does little more than a "hello world".  These might be amateurish, but not malicious nor harmful.  Of course, not yet having noticed a malicious AUR package doesn't mean we should let our guard down.  You can assess the reputation of a maintainer and a package.

The "votes" and "popularity" are useful metrics for a package (each with their pros and cons).  AppArmor for example has 90 votes.  That's quite a good number.  There are at least 90 people who use it who have independently confirmed that it works for them.  So to me this is pretty good evidence that it is good (not conclusive proof certainly, but a good indication).  The downside of the votes is that they could be very old: it's possible that 90 people loved the version from several years ago, but all stopped using it last year.  "Popularity" tries to account for this through an algorithm I'm not familiar with, but it seems quite conservative (all but one of my AUR packages has a popularity of 0.00).  It seems any popularity above zero is an indication of recent and/or consistent positive feedback.  You can also see the comments on the package which all have a date/time stamp.

As for the maintainer - some AUR maintainers are arch devs and/or trusted users meaning they package stuff for the repos, but some of their packages just aren't in the repos (yet).  So if you trust them for the main repo packages, I'd say you should trust their ability/reliability for AUR packages.  Other Archers can earn a reputation on the forums, bug tracker, wiki, or IRC, so you might recognize their name if you are active in the community.  I used GraySky's unofficial repository for a while for a kernel - I see him around the forums and he is active in the community, so if he was trying to distribute something malicious he would have to be quite dedicated to a very devious "long game" to fool us all (in other words, not very likely).  You can also check other packages maintained by the same person to see if they generally respond well/quickly to user feedback.

I don't know the maintainer of AppArmor - or if they are active on the forums I just may not recognize their AUR name.  But they have many AUR packages that seem to be reliably updated with lots of votes and popularity scores and many satisfied users.

So to sum up a pretty long post: it's good to be cautious with AUR packages, but caution does not mean avoiding them or treating them as problematic when all indicators point toward them being good/valid packages.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#7 2017-03-13 18:10:16

dilzel
Member
Registered: 2017-03-13
Posts: 6

Re: Is AUR's apparmor package usable ?

Really helpful, thank you :)

Edit: I got a signature error, I'll investigate later. At least I learned things about the AUR :)

Last edited by dilzel (2017-03-13 18:28:15)


#8 2017-03-14 01:32:28

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,412

Re: Is AUR's apparmor package usable ?

Trilby wrote:

As to the reputation of the maintainer, it is good to be cautious there too.  There certainly is a fair amount of garbage in the AUR.  That said, I've yet to see, or even hear of, a malicious package in the AUR.  Those packages that I might call junk just don't do anything useful.

I've seen some things:

- Installing files with sudo directly instead of using pkgdir
- Deleting or overwriting files in the home directory
- Packaging Windows malware
- Crashing the browser on the package website due to malformed dependency fields in the PKGBUILD (fixed on the AUR side a while back)
- Unbootable system after installation (and unable to shut down!)
- Dynamic versioning (if you count making a PKGBUILD purposely hard to understand as malicious)

Probably the TUs have plenty more examples; they do a fine job in keeping the AUR clean of the above in any case.

Last edited by Alad (2017-03-14 01:37:00)


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby
