You are not logged in.

#1 2006-10-21 03:58:29

useche
Member
From: Miami
Registered: 2006-10-09
Posts: 10
Website

Tool to install aur packages with one command

Hi,

Today I developed a tool to install any aur package in one command line. Its name is aur-install and was developed in pure bash script. You only need to find the url of the aur tarball package and aur-install do the rest of the work. Eg.

aur-install http://aur.archlinux.org/packages/color-theme/color-theme.tar.gz

It allows you to see the PKGBUILD and install file codes to find out malicious code inside those files.

You can download it in: http://www.cs.fiu.edu/~lusec001/softwar … nstall-0.1
or you can install it with the package: http://aur.archlinux.org/packages/aur-i … all.tar.gz

If you downloaded directly, you need to copy it in the /usr/bin/ directory and make: chmod 755.

UPDATE: Now aur-install accept the aur package name or a complete URL.

aur-install <package_tar_url>|<package_name>

Any suggestion let me know.


Luis Useche

Offline

#2 2006-10-21 10:12:10

Romashka
Forum Fellow
Registered: 2005-12-07
Posts: 1,054

Re: Tool to install aur packages with one command

Very simple but nice script. Thanks!
I have an idea for improvement: why user should specify the full URL when he/she can call aur-install pkgname and aur-isntall can process pkgname to http://aur.archlinux.org/packages/pkgna … ame.tar.gz automatically? This will be very easy to implement. wink

UPDATE: just replace $WGET $1 with

$WGET http://aur.archlinux.org/packages/$1/$1.tar.gz

Then user should call aur-install package which is much easier! wink


to live is to die

Offline

#3 2006-10-21 10:39:57

Mr Green
Forum Fellow
From: U.K.
Registered: 2003-12-21
Posts: 5,893
Website

Re: Tool to install aur packages with one command

aurbuild ?


Mr Green

Offline

#4 2006-10-21 11:06:41

Romashka
Forum Fellow
Registered: 2005-12-07
Posts: 1,054

Re: Tool to install aur packages with one command

Mr Green wrote:

aurbuild ?

Requires Python. I don't like Python and don't want to install it.
I see no problem when users have choice.


to live is to die

Offline

#5 2006-10-21 16:54:12

useche
Member
From: Miami
Registered: 2006-10-09
Posts: 10
Website

Re: Tool to install aur packages with one command

Very simple but nice script. Thanks!
I have an idea for improvement: why user should specify the full URL when he/she can call aur-install pkgname and aur-isntall can process pkgname to http://aur.archlinux.org/packages/pkgna … ame.tar.gz automatically? This will be very easy to implement. Wink

UPDATE: just replace $WGET $1 with
Code:
$WGET http://aur.archlinux.org/packages/$1/$1.tar.gz


Then user should call aur-install package which is much easier! Wink

I thoght in that option but the user should go to the webpage and look up the package anyway. The solution that I have in mind is maybe allow the two options:

aur-install <package>|<package>

Let me know what you think.

Bye


Luis Useche

Offline

#6 2006-10-21 17:10:39

Romashka
Forum Fellow
Registered: 2005-12-07
Posts: 1,054

Re: Tool to install aur packages with one command

useche wrote:

just replace $WGET $1 with
Code:
$WGET http://aur.archlinux.org/packages/$1/$1.tar.gz


Then user should call aur-install package which is much easier! Wink

I thoght in that option but the user should go to the webpage and look up the package anyway. The solution that I have in mind is maybe allow the two options:

aur-install <package>|<package>

Let me know what you think.

I think it would be nice to have two options:

aur-install <package>|<package_url>

Then aur-install should check if command line option have "http://" then it's full URL else it's just package name.


to live is to die

Offline

#7 2006-10-21 18:04:00

useche
Member
From: Miami
Registered: 2006-10-09
Posts: 10
Website

Re: Tool to install aur packages with one command

I already make the changes. Now aur-install accept a complete URL as an argument or just the package name and has some more informative messages. I update the packege in the aur repository.

Bye.


Luis Useche

Offline

#8 2006-10-21 18:08:40

Romashka
Forum Fellow
Registered: 2005-12-07
Posts: 1,054

Re: Tool to install aur packages with one command

Nice to hear that. Thanks!  smile


to live is to die

Offline

#9 2006-10-21 18:43:26

Mr Green
Forum Fellow
From: U.K.
Registered: 2003-12-21
Posts: 5,893
Website

Re: Tool to install aur packages with one command

don't like Python  :shock: ok your call  wink


Mr Green

Offline

#10 2006-10-21 19:49:36

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986
Website

Re: Tool to install aur packages with one command

heh, aurbuild was originally written in python, then Penguin rewrote it in bash. But he found bash limiting for certain things and chose to rewrite it in python.  With all the feature requests already, you may find bash difficult to extend too.

If not, see if Penguin still has his bash version of aurbuild around, you may be able to borrow some of his code or some ideas for use here. I like choice too!

Dusty

Offline

#11 2006-10-22 11:34:44

wain
Member
From: France
Registered: 2005-05-01
Posts: 289
Website

Re: Tool to install aur packages with one command

yaourt is written in bash  lol

Offline

#12 2006-10-22 14:28:49

Mr Green
Forum Fellow
From: U.K.
Registered: 2003-12-21
Posts: 5,893
Website

Re: Tool to install aur packages with one command


Mr Green

Offline

#13 2006-10-22 14:40:07

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: Tool to install aur packages with one command

this script is unsafe and dangerous, as well as a duplication of other efforts.

it is unsafe, because it offers no protection against packages not marked safe, and it is dangerous as it will happily download packages that have been removed from the AUR because they are unsafe/dangerous, as their PKGBUILDS are not removed from the server.

Not sure whether this has changed, but thats what I was told when I made an equivalent bash script smile

as for not liking python to the extent of not having it on your system? heh, grow up, 10mb wont kill you, and opens you to a great range of new applications.

I suggest you remove this, and start using one of the safer alternatives, qpkg, aurbuild or yaourt.

James

Offline

#14 2006-10-22 17:21:55

test1000
Member
Registered: 2005-04-03
Posts: 834

Re: Tool to install aur packages with one command

I suggest you remove this, and start using one of the safer alternatives, qpkg, aurbuild or yaourt.

or windows. j/k


KISS = "It can scarcely be denied that the supreme goal of all theory is to make the irreducible basic elements as simple and as few as possible without having to surrender the adequate representation of a single datum of experience." - Albert Einstein

Offline

#15 2006-10-22 18:56:29

useche
Member
From: Miami
Registered: 2006-10-09
Posts: 10
Website

Re: Tool to install aur packages with one command

Hi,

After reading in a lots of posts of this thread about aurbuild, I installed and tried it. I find that it is a nice piece of software and it seems to have a lot of good options that allow you to manage aur pakages so well. Addiotanlly, it seems to be very oriented to safeness. However there are three things that I don't like so much:
* Why is the sudo command needed? Maybe it just can use the su command with -c option. Unless you want to allow some users to install programs (I don't agree with that but everybody is different).
* I don't see why to use an editor to see the PKGBUILD and the install file. I think, maybe it is enough with less or more command (Maybe we can use the one supported with enscipt to color the files).
* If you set up your own EDITOR variable with flags or an absolute path of the editor, aurbuild fails. I solved this and you can get the patch here: http://www.cs.fiu.edu/~lusec001/softwar … uild.patch

But this problems are completly solvable and some of them are a matter of taste. If you want a more sofisticated software to manage the aur packages is a good idea to use aurbuild. However, if you are interested to keep things simple you can use aur-install.

it is unsafe, because it offers no protection against packages not marked safe, and it is dangerous as it will happily download packages that have been removed from the AUR because they are unsafe/dangerous, as their PKGBUILDS are not removed from the server.

It offers the option of see the PKGBUILD and install file before executing them. The thing here is that you should be able to find the malicious code inside this files.

I just evaluate aurbuild, but I am completly sure that there are a lot of good softwares outside that do the same job. I think is just matter of taste and because we are all differents is good to have a lot of choices.

Bye,


Luis Useche

Offline

#16 2006-10-22 20:03:58

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986
Website

Re: Tool to install aur packages with one command

useche: I'm disappointed in the discouragement you've received from this community. Whether you are the only one using your script or everyone adopts it, whether it is useful or not, whether it is safe or not, its good you've tried and its great you've made your contribution known to the community.

To everyone: writing and distributing software is part of the open source philosophy. People don't generally do it if they can find an app that works for them. Its great to make constrictuve criticisms of such contributions, but discouraging the developer is bad for the community. Even if their software turns out to be broken, useless, redundant, or even malicious, its possible that discouraging the programmer will cause them to refrain from making another contribution to open source in the future. And that next contribution may well be one of the most useful tools ever created.

I'm not personally taking the time to test this script, for the simple reason that Aurbuild suits me just fine (plus it has sentimental value as I am the original author). Anyone not interested in it is also free to not try it, but I see no reason to put it down.

Dusty

Offline

#17 2006-10-22 22:00:54

elasticdog
Member
From: Washington, USA
Registered: 2005-05-02
Posts: 995
Website

Re: Tool to install aur packages with one command

Dusty wrote:

useche: I'm disappointed in the discouragement you've received from this community. Whether you are the only one using your script or everyone adopts it, whether it is useful or not, whether it is safe or not, its good you've tried and its great you've made your contribution known to the community.

To everyone: writing and distributing software is part of the open source philosophy. People don't generally do it if they can find an app that works for them. Its great to make constrictuve criticisms of such contributions, but discouraging the developer is bad for the community. Even if their software turns out to be broken, useless, redundant, or even malicious, its possible that discouraging the programmer will cause them to refrain from making another contribution to open source in the future. And that next contribution may well be one of the most useful tools ever created.

I'm not personally taking the time to test this script, for the simple reason that Aurbuild suits me just fine (plus it has sentimental value as I am the original author). Anyone not interested in it is also free to not try it, but I see no reason to put it down.

Dusty

+1

Offline

#18 2006-10-23 01:31:35

twiistedkaos
Member
Registered: 2006-05-20
Posts: 666

Re: Tool to install aur packages with one command

Very nice tool indeed. Makes my aur packaging installs alot, and I mean alot easier. smile. Thanks!

Offline

#19 2006-10-23 07:24:53

Romashka
Forum Fellow
Registered: 2005-12-07
Posts: 1,054

Re: Tool to install aur packages with one command

iphitus wrote:

this script is unsafe and dangerous, as well as a duplication of other efforts.

it is unsafe, because it offers no protection against packages not marked safe, and it is dangerous as it will happily download packages that have been removed from the AUR because they are unsafe/dangerous, as their PKGBUILDS are not removed from the server.

This script is good for me as a quicker companion for aurscripts package.
Simple, small, and does its job.
I always review all PKGBUILDs I install, and if somebody does not, then aurbuild nor yaurt nor dpkg will not help. Why? Because Safe flag doesn't mean that this PKGBUILD is really safe! wink That's because only one version of PKGBUILD is reviewed and marked as Safe. Next version of PKGBUILD can have malicious code. This was already discussed in tur-users ML IIRC.

iphitus wrote:

as for not liking python to the extent of not having it on your system? heh, grow up, 10mb wont kill you, and opens you to a great range of new applications.

I don't like Python, Ruby, Java and especially C#/Mono.  :twisted:  And I don't use any software written in them. That's a matter of taste.  tongue

iphitus wrote:

I suggest you remove this, and start using one of the safer alternatives, qpkg, aurbuild or yaourt.

I won't do this, of course. smile
They are not much safer than aur-install, for reasons described above. I tried them all but from all AUR tools I use aurscripts, aur-install and aurup now. That's a matter of taste.


to live is to die

Offline

#20 2006-10-23 13:46:44

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: Tool to install aur packages with one command

*shrug* im just passing on the constructive criticism I received for my own equivalent script that works exactly the same way which I wrote a year ago.

The difference between this and the other ones, is this still offers packages that have been removed from the AUR because they're unsafe. That I believe is a pretty big flaw.
Saying 'yeah, but there's a view option' doesnt count. I know that a lot of you out there dont use the view option, myself included -- and it's quite simple to make a damaging command appear quite harmless or unnoticable.

Someone mentioned, not sure whether here, or the AUR comments, that just because a package is marked safe, doesnt mean it's safe. I'll disagree there, a package marked safe, should have been built and installed on a TU's system, then marked safe. Packages lose the safe mark after being updated Romashka. Sure, there's always the chance a TU will mark it incorrectly, but the chances of that are pretty low.

as for anyone wanting it because it's bash, there's yaourt which is also bash.

I dont see the point, as there's just as easy to use alternatives, already well developed. At least 4 scripts to do exactly the same thing, - with the only major distinguishing differences being the method of passing options, and the language used, although now two duplicate on that too - seems somewhat silly to me. If you dont like an existing one, send a patch or request a change, otherwise you're wasting time and just muddying the waters further. Make some attempt to collaborate!

oh well, my 0.02

James

Offline

#21 2006-10-23 16:11:00

Romashka
Forum Fellow
Registered: 2005-12-07
Posts: 1,054

Re: Tool to install aur packages with one command

iphitus wrote:

*shrug* im just passing on the constructive criticism I received for my own equivalent script that works exactly the same way which I wrote a year ago.

OK. But IMHO it would be more correct to say: "this package has the following flaws, limitations, security issues" than "do not use this package!" or "there's no need for this because there are A, B and C already". I agree with Dusty here.

iphitus wrote:

The difference between this and the other ones, is this still offers packages that have been removed from the AUR because they're unsafe. That I believe is a pretty big flaw.
Saying 'yeah, but there's a view option' doesnt count. I know that a lot of you out there dont use the view option, myself included -- and it's quite simple to make a damaging command appear quite harmless or unnoticable.

I, for example, do review all PKGBUILDs, but not to check for malicious code or some typos that can do damage, but simply for interest.
There's also some kind of trust for some user's packages.  tongue

iphitus wrote:

Someone mentioned, not sure whether here, or the AUR comments, that just because a package is marked safe, doesnt mean it's safe. I'll disagree there, a package marked safe, should have been built and installed on a TU's system, then marked safe. Packages lose the safe mark after being updated Romashka. Sure, there's always the chance a TU will mark it incorrectly, but the chances of that are pretty low.

Hmm, then I was wrong about Safe flag... Sorry.
But only less than half of all packages in Unsupported are marked as Safe.
Some packages have more than 10 votes and not checked by TUs for few months. I mean, if user wants to install some "unsafe" package, what he/she should do? I would review PKGBUILD by myself and install it.

iphitus wrote:

as for anyone wanting it because it's bash, there's yaourt which is also bash.

Yes, yaourt is nice. But there are so many bug reports in comments (I know that they get fixed quite quickly, but anyway). And they will be, because aurbuild/qpkg/yaourt are more complex.
aur-install does its work well, and it's easier than using aurdownload from aurscripts. As for security - I can check this by myself. If I forget and my system will get some damage because of bad PKGBUILD/.install then I will not complain to the author of aur-install anyway.

So, I don't see big problem here, at least for me. And IMHO your suggestion to remove it is not "politically correct".  smile

iphitus wrote:

I dont see the point, as there's just as easy to use alternatives, already well developed. At least 4 scripts to do exactly the same thing, - with the only major distinguishing differences being the method of passing options, and the language used, although now two duplicate on that too - seems somewhat silly to me. If you dont like an existing one, send a patch or request a change, otherwise you're wasting time and just muddying the waters further. Make some attempt to collaborate!

You have valid point here. But we live in non-ideal world. smile
Why there are tens of music players for GNOME, 3 text editors and CD players in default KDE, many WMs and "Yet another insert-your-favourite-program-here" tools??? wink

Seriously, I think that aur-install and aurup can be merged with aurscripts if their authors agree to collaborate. But this will be their decission.

Is it correct to suggest some author to remove his script from AUR just because there are 2-3 scripts there? What if new script will become better and will gain more popularity than already existing, or if their authors abandon the development? I think this is unfair to the new scripts author. Note: I'm talking about generic situation here, not about concrete things.

James, I understand your point of view about security, but I think that mentioning that this packages doesn't check Safe flags and can install removed package (user must know its name at least, so I suppose he/she knows what he/she is doing wink ) instead of suggesting to remove and don't use it will be a better solution.

As for collaboration. Well, yes! Let encourage all script-writing guys to collaboration. As I said before, IMHO at least aur-install and aurscripts and maybe aurup too can be merged together into one set of scripts (not one huge script!). But I cannot decide anything anyway, so it is up to authors.
I like to see the growing collaboration between Arch, Archie and larch.
And would like to see the same (where this is reasonable) for different scripts made by Arch users.


to live is to die

Offline

#22 2006-10-23 17:06:35

Snowman
Developer/Forum Fellow
From: Montreal, Canada
Registered: 2004-08-20
Posts: 5,212

Re: Tool to install aur packages with one command

Romashka wrote:
iphitus wrote:

Someone mentioned, not sure whether here, or the AUR comments, that just because a package is marked safe, doesnt mean it's safe. I'll disagree there, a package marked safe, should have been built and installed on a TU's system, then marked safe. Packages lose the safe mark after being updated Romashka. Sure, there's always the chance a TU will mark it incorrectly, but the chances of that are pretty low.

Hmm, then I was wrong about Safe flag... Sorry.
But only less than half of all packages in Unsupported are marked as Safe.
Some packages have more than 10 votes and not checked by TUs for few months. I mean, if user wants to install some "unsafe" package, what he/she should do? I would review PKGBUILD by myself and install it.

Actually, the safe flag only means that the package follows the package guidelines and doesn't contain malicious commands. This can be done by a visual inspection of the PKGBUILD and accompanying files. I only builds the package if I'm interested in it or if there is a strange/unusual command in it. At least, that's how I see safe flagging and I'm pretty sure some other TUs think the same. Maybe we need to clarify the steps to do before marking a package safe.

The reason why a lot of packages have not being checked by a TU is because checking packages (safe flagging) is not very popular among TU.  From time to time, there are periods when I check the AUR for safe flagging on daily basis. The other TU either check the AUR very occasionnally or not at all. With over 100 new/updated PKGBUILD per week, safe flagging is a lot of work just to keep up. And users repeat the same errors, so you keep saying the same "Fix this ..." blurb. It's quite tiresome. I don't really know how to fix the situation. Maybe a prospective TU candidate would be willing to focus on safe flagging packages. Maybe a safe flagging day would be a temporary solution.

Offline

#23 2006-10-23 18:36:33

Romashka
Forum Fellow
Registered: 2005-12-07
Posts: 1,054

Re: Tool to install aur packages with one command

Snowman wrote:

The reason why a lot of packages have not being checked by a TU is because checking packages (safe flagging) is not very popular among TU.  From time to time, there are periods when I check the AUR for safe flagging on daily basis. The other TU either check the AUR very occasionnally or not at all. With over 100 new/updated PKGBUILD per week, safe flagging is a lot of work just to keep up. And users repeat the same errors, so you keep saying the same "Fix this ..." blurb. It's quite tiresome. I don't really know how to fix the situation. Maybe a prospective TU candidate would be willing to focus on safe flagging packages. Maybe a safe flagging day would be a temporary solution.

You're right. I'm not a TU but think that checking more than 3300 packages in Unsupported should be tiresome.
There are some popular packages which receive updates each week or so - do they change from Safe to "not Safe" each time then?  :?
Maybe the following auto-notify system for TUs can made some things easier: when a package marked Safe is bumped to new version it is added to the end of the special list (which can also be sorted by the number votes), which is visible for TUs only.  :?

Safe flagging day? Hmm... sounds very interesting. Especially when ordinary users can take part in it too (I mean like on Bug Day on #archlinux-bugs) - users can point to packages that they use and that are safe. But IRC channel is not very suited for this kind of work, IMHO. A wiki page, maybe?  :?  (of course, if only TUs can take part in Safe Flag Day then there's no problem at all)


to live is to die

Offline

#24 2006-10-24 05:19:18

Snowman
Developer/Forum Fellow
From: Montreal, Canada
Registered: 2004-08-20
Posts: 5,212

Re: Tool to install aur packages with one command

Romashka wrote:

There are some popular packages which receive updates each week or so - do they change from Safe to "not Safe" each time then?  :?

Yes. As iphitus said, each time a PKGBUILD is updated it is automatically unflagged safe.

Romashka wrote:

Maybe the following auto-notify system for TUs can made some things easier: when a package marked Safe is bumped to new version it is added to the end of the special list (which can also be sorted by the number votes), which is visible for TUs only.  :?

I don't think that will help.  Usually, you would check the latest submitted PKGBUILD. Having that list won't make safe flagging easier or less work.

Romashka wrote:

Safe flagging day? Hmm... sounds very interesting. Especially when ordinary users can take part in it too (I mean like on Bug Day on #archlinux-bugs) - users can point to packages that they use and that are safe. But IRC channel is not very suited for this kind of work, IMHO. A wiki page, maybe?  :?  (of course, if only TUs can take part in Safe Flag Day then there's no problem at all)

A wiki page won't help as well as users pointing out packages they think are safe as TU must still check them out. What would help would be to users to go over their PKGBUILD and to make sure that they follow the guidelines and that email notification is on. And on safe flagging day (if there is one), to make the corrections suggested by TUs and to notify them via IRC so the package can be rechecked and flagged safe.

Offline

#25 2006-10-24 06:30:56

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: Tool to install aur packages with one command

Romashka wrote:
iphitus wrote:

*shrug* im just passing on the constructive criticism I received for my own equivalent script that works exactly the same way which I wrote a year ago.

OK. But IMHO it would be more correct to say: "this package has the following flaws, limitations, security issues" than "do not use this package!" or "there's no need for this because there are A, B and C already". I agree with Dusty here.

uh, that's exactly what I did underneath that statement.... anyway.... i've said what I need to say.

fuck political correctness. seriously. once people start mentioning that, everything goes to crap. Or should I say, "generic and non insulting, non discriminating, non religious, non racist, non sexist comment of dismay regarding political correctness".

dont you dare tell me what's correct and what's not.

sorry that you landed on one of my pet hates smile

Cheers,
James

Offline

Board footer

Powered by FluxBB