A general question (discussion?) about pacman, repos, etc.

yochaigal · 2011-02-08 04:43:28

Hello all. Please note that I have searched both the forums and the wikis for an answer to this question; and have yet to find a solid one. Please forgive me for my ignorance (note: I'm a long time advanced linux user, not my first distro).
I'll ask the question, then explain: Why not AUR AND large community repositories?
Here is my understanding of how arch handles packages:

By default, a new arch install has a core, and extra, and a community repository; Let's leave out multilib and testing for now. These contain all essential packages and many non-essential packages (flashplugin, chromium, etc). There are MANY packages unavailable in these repositories, however (packagekit, googletalk-plugin, etc).
That's where AUR comes in. Now, don't get me wrong; I LOVE AUR and it absolutely kicks ass for what it is. Literally EVERY package I've wanted is easily available through the web interface, and programs like yaourt only make it that much easier!
But here's my issue: installing packages (from source, obviously) is great; in other distros (ubuntu, fedora) I've done this from time to time for various reason. But I don't ALWAYS want to do this --- and for a lot of programs I'd rather have a quick precompiled install and move on (I like control, yes, but when I want it). For instance, lets say I want to install the clementine music player: I can't find these in the default repos; happily I found it in AUR using yaourt. But I have to compile it, while many distros (and the developers' site) have precompiled rpm or deb packages. That's not the only issue: sometimes there are dependencies that are NOT available in the repos, and makepkg can't proceed.
Of course, I can easily find these dependencies in the AUR, and in a few minutes I've pulled those down (and maybe THEIR dependencies) and I'm good to go.
As another example: I wanted to install gnome-packagekit. Neither that package not packagekit itself were available in the standard repos; a quick AUR lookup and after 10 minutes or so I was good to go (I uninstalled it).
I think I would have been happy to have been able to install it more easily, since I just wanted to check it out (I could always use AUR instead).
Again, this is all fine and dandy --- there is nothing wrong with AUR, it freakin' rules.
But why can't we have an optional repository that contains a lot of what AUR has? I've seen smatterings of talks about certain french repos, but there seems to be no official consensus on this. I love AUR and will continue to use it, but there are times where I really just want to install the package and wish the repos just had them.

So why not a standard repo like ubuntu's medibuntu, or fedora has one (I've forgotten its name). I am not saying anything should be done; just wondering why, or if my entire perspective is wrong?
If I've described things incorrectly please let me know, and thank you for your time. Arch is handsdown the best distro i've ever used.

yochai

Last edited by yochaigal (2011-02-08 04:46:26)

Stebalien · 2011-02-08 04:49:23

Not enough maintainers.

P.S. Take a look at AUR helpers such as clyde and bauerbill.

yochaigal · 2011-02-08 04:50:20

That seems like a suitable answer.

Thanks.

ngoonee · 2011-02-08 07:05:05

yochaigal wrote:

That seems like a suitable answer.
Thanks.

Also note that the AUR is a User repository and unsupported. You can literally upload anything there, no security features available at all. That's why you can pretty much find anything there, because its the sum of what every Arch-user is using, basically.

[community] needs maintainers, and they need to be trusted. Also putting really large files in [community] puts a strain on the various mirrors (all of which are donated), so packages which are less used don't get to go there (even if a particular TU uses them), to cut down on bloat.

Clyde and Bauerbill, among other helpers, simplify most of the process, but they shortcut the first part about there being no security at all in the AUR. Or rather, those who use them will eventually get used to shortcutting that part (both programs are actually pretty clear about the necessity of checking the PKGBUILD first, but I suspect most using them don't bother).

flan_suse · 2011-02-08 08:23:38

ngoonee wrote:

Clyde and Bauerbill, among other helpers, simplify most of the process, but they shortcut the first part about there being no security at all in the AUR. Or rather, those who use them will eventually get used to shortcutting that part (both programs are actually pretty clear about the necessity of checking the PKGBUILD first, but I suspect most using them don't bother).

I'm half-guilty of the same! I will read the comments of a package on the AUR before proceeding, and depending on my risk level, I will sometimes go through the PKGBUILD. Anything dealing with the sources can be easily verified by visiting the web site and checking the md5/sha hash. As long as you trust the link, there's no way (practically) that even a malicious packager can tamper with the md5/sha check. The dangerous part is most likely going to be the steps in the build() process of the PKGBUILD. Then again, in most cases you're building as a normal user, not root. There's always convenience versus safety, and each person is responsible for managing this balance for themselves.

yochaigal wrote:

But why can't we have an optional repository that contains a lot of what AUR has?

I feel your pain about having to build packages from the AUR which can take a while to compile, such as a custom kernel or Firefox build. It especially compounds when updating packages from the AUR, since even a minor change means the entire program or kernel needs to be recompiled. This process is much longer and more CPU intensive than just downloading and installing a prebuilt package. This is why I add custom kernels from the AUR to my IgnorePkg list under pacman.conf. It's not worth recompiling a kernel on my laptop just to update a small change. I will manually do "bauerbill -Syu kernel26-foo" when I read about a major kernel update (e.g, 2.6.36 ---> 2.6.37).

If there's enough popularity for something, Arch makes it possible for people to set up their own repositories that you can add to your list, and thus circumvent the build process.

Two prime examples are firefox-kde-opensuse and kernel26-ck.

This still carriers the same security concerns as the AUR, with the exception that at least with the AUR you can view the PKGBUILD and sources.

Last edited by flan_suse (2011-02-08 08:28:37)

ngoonee · 2011-02-08 08:44:30

flan_suse wrote:

ngoonee wrote:
Clyde and Bauerbill, among other helpers, simplify most of the process, but they shortcut the first part about there being no security at all in the AUR. Or rather, those who use them will eventually get used to shortcutting that part (both programs are actually pretty clear about the necessity of checking the PKGBUILD first, but I suspect most using them don't bother).
I'm half-guilty of the same! I will read the comments of a package on the AUR before proceeding, and depending on my risk level, I will sometimes go through the PKGBUILD. Anything dealing with the sources can be easily verified by visiting the web site and checking the md5/sha hash. As long as you trust the link, there's no way (practically) that even a malicious packager can tamper with the md5/sha check. The dangerous part is most likely going to be the steps in the build() process of the PKGBUILD. Then again, in most cases you're building as a normal user, not root. There's always convenience versus safety, and each person is responsible for managing this balance for themselves.

You have to do the actual install of the package as root, which includes sourcing and running the $package$.install file.

karol · 2011-02-08 10:54:43

yochaigal wrote:

But why can't we have an optional repository that contains a lot of what AUR has?

There are http://wiki.archlinux.org/index.php/Uno … positories , e.g.

[archstuff]
# AUR's most voted packages
Server = http://archstuff.vs169092.vserver.de/$arch

Arch Linux

#1 2011-02-08 04:43:28

A general question (discussion?) about pacman, repos, etc.

#2 2011-02-08 04:49:23

Re: A general question (discussion?) about pacman, repos, etc.

#3 2011-02-08 04:50:20

Re: A general question (discussion?) about pacman, repos, etc.

#4 2011-02-08 07:05:05

Re: A general question (discussion?) about pacman, repos, etc.

#5 2011-02-08 08:23:38

Re: A general question (discussion?) about pacman, repos, etc.

#6 2011-02-08 08:44:30

Re: A general question (discussion?) about pacman, repos, etc.

#7 2011-02-08 10:54:43

Re: A general question (discussion?) about pacman, repos, etc.

Board footer