You are not logged in.
Hi all
Is this an appropriate way to auto update an AUR package without using an AUR helper?
Thanks
# /etc/systemd/system/update_sonarr.service
[Unit]
Description=Update Sonarr-Develop AUR Package
[Service]
Type=simple ExecStart=/bin/bash /usr/local/sbin/update_sonarr.sh
[Install]
WantedBy=multi-user.target
# /etc/systemd/system/update_sonarr.timer
[Unit]
Description=Run update_sonarr daily
[Timer]
OnCalendar=daily Persistent=true
[Install]
WantedBy=timers.target
# /usr/local/sbin/update_sonarr.sh
#!/bin/bash
# Navigate to the package directory
cd /opt/sonarr-develop || exit
# Update the source
git pull
# Run makepkg as 'nobody'
runuser -unobody makepkg -src
# Source PKGBUILD to get variables
source PKGBUILD
# Determine architecture. Note: Adjust this as necessary if your Arch naming differs.
_arch=$(uname -m)
# Construct the filename. This assumes the package extension is .xz,
# but you should adjust the extension based on the actual output of makepkg.
# Common extensions include .xz, .zst, .gz, etc.
filename="${pkgname}-${pkgver}-${pkgrel}-${_arch}.pkg.tar.xz"
# Install the package with pacman
pacman -U "$filename" --noconfirm
Last edited by twist-rise (2024-07-14 19:00:30)
Offline
It was made with some prodding of gpt4, which I know is probably frowned upon, as well as reading the wiki.
Offline
sourcing a PKGBUILD is considered very dangerous and not used by any aur helper.
makepkg does it, but uses special methods that significantly reduce the risk.
Read .SRCINFO to get the needed vars.
Other then that, updating any aur package without vetting the PKGBUILD is a very bad idea .
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
ok thank you for warning me.
I will not do this then.
Last edited by twist-rise (2024-07-14 20:04:26)
Offline
It would be cool to get an email stating that the AUR has been updated with a diff, so I can go in and run the update perhaps.
Offline
There's also no need to read .SRCINFO if all you want the information for is to install the package: makepkg has an -i flag for that.
While one should (re)check any PKGBUILD before building and update, this is a much bigger concern if you run a script like this that blindly installs new content as root on a daily basis without checking on that content. Running this timer would make it beyond trivially easy for your whole system to be taken over by someone else: most trivially by the maintainer of any aur package you apply this to, but also the upstream source author, or anyone who can manipulate either of these two, or any potential MITM for either of these sources.
Last edited by Trilby (2024-07-14 20:15:13)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
As I understood it, if I use -i I need sudo as it installs the package on the system.
This meant the script would need to run "sudo makepkg -sirc" perhaps.
It seemed easier to do it the other way around: to make the whole script as root, and then run makepkg without elevated privileges. However I understand it is not a good idea to auto install from AUR. I guess because the changes aren't vetted.
Last edited by twist-rise (2024-07-14 20:19:05)
Offline
It would be cool to get an email stating that the AUR has been updated with a diff,
AUR supports several types of email notification one of which is 'Notify of package updates' ( check my account while logged into aur) .
Every time a package you have notifications enabled for gets a new commit will then trigger a message.
A diff is not part of the message, but it's a git commit so getting the diff is easy..
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
I've installed auracle and use it's "outdated" function as a pacman hook, so after performing a system update it will tell me if any of my foreign AUR packages need looking at, the process of which is the normal manual process of git pulling, checking PKGBUILD, and building. So I still follow the recommendations with regard to the AUR, but with a bit more quality of life.
That is if you don't want to go the email route.
Desktop: Ryzen 7 1800X | AMD 7800XT | KDE Plasma
MacbookPro-2012 | MATE
Offline
Note that there can be two very different meanings of an AUR package being "outdated" that seem to be getting conflated here. One is when the actual AUR content changes - i.e., there's an increment to pkgver and / or pkgrel. The other is when an AUR package needs to be rebuilt due to system package (e.g., library) updates even when the AUR package itself has not changed at all.
Then, of course, neither of these covers VCS packages for which the best tool to determine whether they should be rebuilt is /bin/yes.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
makepkg does it, but uses special methods that significantly reduce the risk.
This is not true, makepkg sources the PKGBUILD like any other bash script. (The "source_safe" just preserves shell options and checks the exit status of "source".) You could do things like unset PATH, but then you would severely limit what you can do in PKGBUILDs.
Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby
Offline