Express Repository: builds anyone's packages

I have created a small repository of PKGBUILDS. For the time being it's just that simple, but I will consider turning it into something more featured and useful. Suggestions are welcome.

Since you didn't listen to advice and constructive criticism from AUR Trusted Users and deleted everything from there, you're going to peddle your PKGBUILDs here?

EDIT: Also...

2 Likes

Exactly. Those constructive critics are the most disgusting people I have ever dealt with, and removing anything to do with them was a strategic decision.

Now it builds packages... for anyone:

This may be a question from lack of understanding but how does an end user know these binaries are what they say they are?

The package recipes are public. You can build the package yourself, and see if the checksum matches the pre-built ones.

Also those pre-builts are packaged and hosted by me, who has a digital signature linked to my identity card.

That means my degree of authentication, and the degree I could be held liable if I was distributing malware, is higher than anybody else.

I'm not sure I understand how that jives with ExpressRepo specs.

What is different about Express is that:

  • Packages are ready-to-use binaries, instead of just recipes that take long to compile.
  • Anyone can publish, instead of requiring gaining validation among a community.
  • Anyone can improve any other PKGBUILD, instead of all the work falling on a single maintainer.
  • The requirements for admission are the bare minimum to warrant sanity, instead of requiring perfect compliance with long sets of rules.
  • Those requirements are reviewed and warranted before publication, instead of letting them slip for a while till everyone discovers it's a trap.
  • No consensus or strict quality controls are required.
  • Everything is automated as far as possible, instead of requiring you to manually handle everything.
  • Instead of human supervision, Express relies on built-in quality to warrant reliability.

See "Legalese".

That says:

The contents of this repository, and derivative ones, take measures to prevent them from being harmful. For example by warranting that binaries belong to source code that anybody can review in search of dangerous operations.

and I hear:

So basically you can build the pkg yourself and check?

Further it says:

Even then Express contributors don't perform such reviews themselves. The results of using the software here, and whose software you trust is, in the last term, your sole responsibility.

and I hear:

However we aren't checking things and aren't responsible

Combined with some of the outlines of the above specs, I'd say this is a security nightmare. To do any sort of safety check I'd have to build the pkg and sum it myself? There has to be something I don't understand in this process?

The only way to know a package belongs to its source is by building it yourself. Anything else you are putting good faith in whatever system is packaging it, you can't really tell what happened there just by looking at the result without comparing it with something else.

Packages can additionally have digital signatures to warrant they haven't been tampered with on the server, on a mirror or in transit.

But the server is just my own PC uploading to GitLab, transit is your ISP, and there's no mirror. There's nothing to sign here.
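The two checks discussed above, rebuilding from the public recipe and comparing checksums, and verifying a detached signature on the pre-built file, as an added shell example that is not code from the Express repository or from anyone in this thread. It assumes a standard Arch-style toolchain (makepkg, sha256sum or shasum, gpg); the PKGBUILD directory, package path, signature path and publisher key id are placeholders, and the files in the demo are constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the Express repository. Assumptions: makepkg,
# sha256sum (or BSD shasum) and gpg are installed; the publisher's key has
# already been imported into the verifying keyring. All paths are placeholders.
set -eu

# file_sha256 FILE: print the hex SHA-256 of FILE, portable across
# coreutils (sha256sum) and BSD/macOS (shasum -a 256).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_package PUBLISHED LOCAL: return 0 only when the pre-built package
# and the locally rebuilt one hash identically. This is the "build it
# yourself and see if the checksum matches" check from the thread.
compare_package() {
    published_sum=$(file_sha256 "$1")
    local_sum=$(file_sha256 "$2")
    if [ "$published_sum" = "$local_sum" ]; then
        echo "match: $published_sum"
        return 0
    fi
    echo "MISMATCH: published=$published_sum local=$local_sum" >&2
    return 1
}

# rebuild_and_check PKGBUILD_DIR PUBLISHED_PKG: rebuild from the public
# recipe with makepkg, then compare the result with the file the repository
# ships. The .sig file that makepkg may produce is skipped when picking
# the built artifact.
rebuild_and_check() {
    (cd "$1" && makepkg -s --noconfirm >/dev/null)
    local_pkg=""
    for f in "$1"/*.pkg.tar.*; do
        case "$f" in *.sig) continue ;; esac
        local_pkg="$f"
    done
    [ -n "$local_pkg" ] || { echo "no package built in $1" >&2; return 1; }
    compare_package "$2" "$local_pkg"
}

# verify_detached_signature PKG SIG KEYID: check a detached signature and
# insist it was made by the expected long key id (16 hex chars), not merely
# by any key in the keyring. Covers the "tampered on the server, on a mirror
# or in transit" case, which a checksum published next to the file does not.
verify_detached_signature() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] GOODSIG $3 "
}

# demo: exercise compare_package on constructed files so the script runs
# without a network, a PKGBUILD or a package server.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed package bytes\n' > "$tmp/published.pkg.tar.zst"
    printf 'constructed package bytes\n' > "$tmp/rebuilt.pkg.tar.zst"
    printf 'constructed package bytes, altered\n' > "$tmp/altered.pkg.tar.zst"
    compare_package "$tmp/published.pkg.tar.zst" "$tmp/rebuilt.pkg.tar.zst"
    if compare_package "$tmp/published.pkg.tar.zst" "$tmp/altered.pkg.tar.zst"; then
        echo "unexpected match" >&2
    fi
    rm -rf "$tmp"
}

demo
```

Usage for a real package would be `rebuild_and_check ./some-pkgbuild-dir ./some-pkg-1.0-1-x86_64.pkg.tar.zst` and `verify_detached_signature pkg pkg.sig 0123456789ABCDEF` (placeholder key id). A checksum match is only expected when the rebuild is reproducible, that is, when the toolchain, build flags and environment recorded in the package's .BUILDINFO are reproduced; a mismatch caused by timestamps or a different compiler version is noise, not evidence of tampering, and should be followed up by diffing the package contents rather than discarded. The signature check and the rebuild check answer different questions: the signature says who published the file, the rebuild says whether that file corresponds to the public recipe.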

The worry for me personally here is that I cannot view the source code of a binary. I can do that using an AUR helper and building it on my own (I can edit it and change functionality as well). So with the AUR the faith is in myself and the proper tools to do such checks. Using the ExpressRepo the faith lies in the admin and the only tool to check for something malicious is to build the package thereby defeating the need for ExpressRepo?

I don't want to demean your project, it could just easily be not for me. I just feel like this is either pretty insecure or I don't grasp it correctly.

In Express any PKGBUILD is reviewed for security previous to publication, so the sources and website match the naming the package suggests. This makes it impossible to impersonate another project.

So in Express if you want to review the source code you simply need to visit the web page the package manager suggests, because that can't be deceitful.

Compared with the AUR, where anyone could have put anything inside the PKGBUILD, and it's the user who has to review everything.

Ok, I looked over one of the PKGBUILD files. So basically these binaries are built server-side and on demand then installed locally?

Yess.

It's not my thing to throw rocks at the Moon, but I'm glad you found a way to share your moon-rocks with us.
:slight_smile:

1 Like

So - example - if someone wants ungoogled-chromium - then uploading the pkgbuild and the server will build the package - and every time the pkgbuild is updated - the package is rebuilt?

Essentially a build-backend for AUR?

well can you tell me how it is different from chaotic-aur

you just want a binary and don't want to compile it on your pc, correct?

also if you want to replicate the aur.

but i see you are going the same way with how aur is.

what you want is basically just have admin access to aur

so you can publish somewhat broken pkg

but you also monitor and review.

what's this any different from aur.

you are making things complicated at the same time

maybe it can be good or bad but let's see...

1 Like

Oh no, way better than that :grin:

If you are aware of a new update for a package, you simply type its name here and it will be upgraded on the repository.

But even that is a temporal solution, it can be further automated to upgrade packages automatically and instantly on any new software release. That's why it's called "Express".

That's the main difference. You write a pkgbuild once and it keeps being valid for future releases without needing modification, except perhaps if there's a major change upstream.

The goal is that any packaging to be automatically handled, and only ask human attendance if it fails to build. So package maintainers can handle an insane amount of packages.

so basically you do the maintaining job

I don't know how much work you will need to do when you have 1000-1500 packages

well it's you who has taken this endeavour

so best of luck

assuming you won't depend on existing aur pkgbuilds

but if you do
then you are replicating chaotic-aur

2 Likes

Thanks, but I'm not into that type of conversation.
