[SOLVED] Is it safe to install dpkg as a dependency for AUR packages?

ModelHX · 2023-03-07 18:38:37

I'm attempting to install the AUR package git-credential-manager-core.

One of the listed dependencies for this package is dpkg, which is listed under the package's makedepends in the PKGBUILD (along with dotnet-sdk, fontconfig, krb5, and zlib).

However, when I go to install dpkg (sudo pacman -S dpkg), I get the following warning:

(1/1) installing dpkg
    dpkg installs Debian package manager.
    This is useful for those who want to create/modify DEB files.
    However, *do not* use dpkg to install Debian packages in your ArchLinux machine.
    This will break your system!
    You will need to go back to Arch wiki and read the installation guide again.
    You've been warned!

Now, the build step in the PKGBUILD makes no explicit call to dpkg; it's simply:

build() {
    cd "${_pkgbase}-${pkgver}"
    dotnet build --configuration LinuxRelease
}

, so I'm assuming that dotnet's build process is calling dpkg somewhere under the hood. But I don't know whether its usage of dpkg falls into the category of usage that the pacman warning is alerting me about. (I don't have a lot of knowledge about .NET or its build process; I've searched the upstream GitHub repository for more information about the LinuxRelease configuration but didn't find anything that stood out as useful to me for this question.)

My question is: is this use-case an exception to the warning I get when installing dpkg, or is this still dangerous to my system?

Last edited by ModelHX (2023-03-07 20:00:33)

Trilby · 2023-03-07 18:46:57

That use of dpkg in and of itself should be of no concern.

I have not reviewed that AUR package specifically, and it if uses dpkg to install something directly to the filesystem outside of $pkgdir, then that'd be a problem - but that'd not really be about dkpg, but rather that the AUR package is just poorly done as this would be just as much of a concern if content was installed directly to the filesystem with `install` or `cp` or other common tools.

Building in a chroot would be the one way to protect against all of the above possibilities - while also avoiding needing to ever have dpkg installed on your system. And while this can be considered good general practice, there is still nothing specific to dpkg here: dpkg presents no additional concern over basic tools already installed on your system.

Last edited by Trilby (2023-03-07 20:03:28)

loqs · 2023-03-07 19:21:24

dpkg is used in https://github.com/GitCredentialManager … ux/pack.sh which is called from https://github.com/GitCredentialManager … x/build.sh nothing pack.sh does appears to be used by the PKGBUILD so it can be truncated to an empty file in prepare() and the makedepends on dpkg dropped.

prepare() {
    cd "${_pkgbase}-${pkgver}"
    truncate -s 0 src/linux/Packaging.Linux/pack.sh
}

There also appears to be a missing checkdepends/depends on git.
Edit:
The alternative would be editing build.sh.

Last edited by loqs (2023-03-07 19:25:16)

Arch Linux

#1 2023-03-07 18:38:37

[SOLVED] Is it safe to install dpkg as a dependency for AUR packages?

#2 2023-03-07 18:46:57

Re: [SOLVED] Is it safe to install dpkg as a dependency for AUR packages?

#3 2023-03-07 19:21:24

Re: [SOLVED] Is it safe to install dpkg as a dependency for AUR packages?

Board footer