Why is there no support for aur in pacman?

AndreasBWagner · 2010-09-19 00:47:09

I may be wrong but it seems there is no aur support in pacman because aur packages should not be assumed safe. This could be fixed by adding an option to view and edit the PKGBUILD etc before building and/or installing as is done in yaourt. I think adding a warning and commenting out the aur line in the default pacman.conf would be enough warning for arch users to use aur with care. I see no need to add inconvenience.

Right now most users resort to hacks such yaourt. Also makepkg -s depenency handling does not support aur.

I don't know how hard it would be to add support for aur in pacman but I think it should be added to the roadmap.

karol · 2010-09-19 00:52:41

NFW ;P

What's wrong with AUR helpers? I wouldn't call e.g. bauerbill 'a hack'.

chris-kun · 2010-09-19 01:17:56

yeah clyde is also awesome.. just as functional if not moreso than pacman.

skottish · 2010-09-19 01:40:42

AUR packages should be assumed safe? There's no one policing the AUR except a relatively few astute users. I've seen more than one package that drops executables in the user's home folder, which is totally insane.

Last edited by skottish (2010-09-19 01:43:52)

karol · 2010-09-19 01:44:56

skottish wrote:

AUR packages should be assumed safe? There's no one policing the AUR except a relatively few astute users. I've seen more than one package that drops executables in the user's home folder, which is totally insane.

From the bauerbill manpage:
--blindly-trust-everything-when-building-packages-despite-the-inherent-danger
This option enables pacman's "--noconfirm" option to bypass the PKGBUILD and install file inspection
prompt for all packages. This option is VERY DANGEROUS and IT IS NOT RECOMMENDED THAT YOU USE THIS.
The only reason that this is included is because some users desperately want this functionality.

The author highly recommends using the options to trust ABS packages and specific AUR users instead of
this option, which can be used to achieve essentially the same effect.

AndreasBWagner · 2010-09-19 01:56:06

skottish wrote:

AUR packages should be assumed safe? There's no one policing the AUR except a relatively few astute users. I've seen more than one package that drops executables in the user's home folder, which is totally insane.

AndreasBWagner wrote:

aur packages should NOT be assumed safe.

skottish · 2010-09-19 02:05:01

AndreasBWagner wrote:

skottish wrote:
AUR packages should be assumed safe? There's no one policing the AUR except a relatively few astute users. I've seen more than one package that drops executables in the user's home folder, which is totally insane.
AndreasBWagner wrote:
aur packages should NOT be assumed safe.

Are you implying that I should read all of the words in a sentence?

*** skottish crawls away ***

Sorry about that.

With all due apologies, all of the tools necessary are already in place; It just takes user diligence.

Last edited by skottish (2010-09-19 02:06:33)

Mr.Elendig · 2010-09-19 02:19:16

I have personally seen a few nasty PKGBUILD and .install files, including a load of rm -rf /usr/share/stuff instead of rm -rf $pkgdir/usr/share/stuff and similar.

One .install file was so helpfull that it did a rm -rf /home/mpd when you uninstalled the package.....

Anyway, it's just as much about deniability as of the security of aur packages. As an example refer to the whole ion3 issue some years ago.

codycarey · 2010-09-19 02:38:13

skottish wrote:

It just takes user diligence.

I wish I could buy you a lifetime supply of something you thoroughly enjoy.

fukawi2 · 2010-09-19 03:42:57

It's too dangerous for users who don't understand the concept of AUR.

It is USER SUPPLIED CONTENT, with no form of quality control or review process. As opposed to official packages provided by distribution devs, and *trusted* users.

It would be improper to officially provided automated methods to install user content that could do anything to your system. Use of the 'makepkg' tool is official, but it's a totally different process to reinforce the distinction between the 2 types of 'packages'

Allan · 2010-09-19 05:14:28

Finally, the AUR is Arch specific. pacman is not distribution specific. The pacman developers will not accept distribution specific features.

Cdh · 2010-09-19 07:54:35

fukawi2 wrote:

It's too dangerous for users who don't understand the concept of AUR.

You should not implement features because users could be too stupid to use them?
I don't think that goes well with the philosophy of Linux distributions like Archlinux...

fsckd · 2010-09-19 08:02:48

Cdh wrote:

fukawi2 wrote:
It's too dangerous for users who don't understand the concept of AUR.
You should not implement features because users could be too stupid to use them?
I don't think that goes well with the philosophy of Linux distributions like Archlinux...

Starting from next year Archlinux will be Ubuntu based.

ngoonee · 2010-09-19 08:43:31

I'm not sure what the issue is here.

pacman -Ql pacman | grep makepkg
pacma /usr/bin/makepkg

Pacman has full support for AUR packages, right now and as is. Users who are too stupid to use makepkg have no business installing anything from the AUR .

Allan · 2010-09-19 09:44:30

Allan wrote:

Finally, the AUR is Arch specific. pacman is not distribution specific. The pacman developers will not accept distribution specific features.

Just repeating, THIS is the reason pacman does not support the AUR.

The reason AUR helpers do not get added to [community] is that AUR is completely unsupported content.

Those are two different things.

fukawi2 · 2010-09-19 11:52:51

Cdh wrote:

fukawi2 wrote:
It's too dangerous for users who don't understand the concept of AUR.
You should not implement features because users could be too stupid to use them?

Same reason rm has the --no-preserve-root option

AndreasBWagner · 2011-01-28 22:00:13

My biggest problem with this is insufficient integration between makepkg+pacman+etc with aur, for example "makepkg -s" will not get dependencies from AUR.

* AUR needs to look like another repository such as community (with the exception of no sources or binaries included).
* Pacman and similar need to make it possible to check out the PKGBUILDs before installing them for regular repositories not just AUR, because anyone can set up a repository.

I am considering coding and setting up an AUR-to-Unofficial_User_Repository interface on google appspot for the purpose of using AUR with pacman & "makepkg -s" but I still could not edit/inspect buildscripts before using them.

Xyne · 2011-01-28 23:32:22

AndreasBWagner wrote:

My biggest problem with this is insufficient integration between makepkg+pacman+etc with aur, for example "makepkg -s" will not get dependencies from AUR.
* AUR needs to look like another repository such as community (with the exception of no sources or binaries included).
* Pacman and similar need to make it possible to check out the PKGBUILDs before installing them for regular repositories not just AUR, because anyone can set up a repository.
I am considering coding and setting up an AUR-to-Unofficial_User_Repository interface on google appspot for the purpose of using AUR with pacman & "makepkg -s" but I still could not edit/inspect buildscripts before using them.

Or you could just bauerbill, or clyde, or yaourt, or any one of the others that fully automate this process.

litemotiv · 2011-01-28 23:37:54

Xyne wrote:

Or you could just bauerbill, or clyde, or yaourt, or any one of the others that fully automate this process.

^ This.

Closing this thread to avoid further repetition.

Arch Linux

#1 2010-09-19 00:47:09

Why is there no support for aur in pacman?

#2 2010-09-19 00:52:41

Re: Why is there no support for aur in pacman?

#3 2010-09-19 01:17:56

Re: Why is there no support for aur in pacman?

#4 2010-09-19 01:40:42

Re: Why is there no support for aur in pacman?

#5 2010-09-19 01:44:56

Re: Why is there no support for aur in pacman?

#6 2010-09-19 01:56:06

Re: Why is there no support for aur in pacman?

#7 2010-09-19 02:05:01

Re: Why is there no support for aur in pacman?

#8 2010-09-19 02:19:16

Re: Why is there no support for aur in pacman?

#9 2010-09-19 02:38:13

Re: Why is there no support for aur in pacman?

#10 2010-09-19 03:42:57

Re: Why is there no support for aur in pacman?

#11 2010-09-19 05:14:28

Re: Why is there no support for aur in pacman?

#12 2010-09-19 07:54:35

Re: Why is there no support for aur in pacman?

#13 2010-09-19 08:02:48

Re: Why is there no support for aur in pacman?

#14 2010-09-19 08:43:31

Re: Why is there no support for aur in pacman?

#15 2010-09-19 09:44:30

Re: Why is there no support for aur in pacman?

#16 2010-09-19 11:52:51

Re: Why is there no support for aur in pacman?

#17 2011-01-28 22:00:13

Re: Why is there no support for aur in pacman?

#18 2011-01-28 23:32:22

Re: Why is there no support for aur in pacman?

#19 2011-01-28 23:37:54

Re: Why is there no support for aur in pacman?

Board footer