How safe is AUR and pacman in general?

Okay that clarified things a bit!

So AUR itself does not contain any packages; it only has a PKGBUILD, which is basically an instruction on where to get the package and how to build it.

Do I get this right now?


Yes. There are two things you should pay attention to in the PKGBUILD file: what the download source URL is (usually the main developer’s site), and the PKGBUILD file in general (as it contains shell commands to build and install the package). If something seems odd (e.g. an untrustworthy source URL, or strange shell commands), don’t install the package. But so far I haven’t encountered any harmful AUR package. So there’s probably rarely any malicious stuff (if at all). It’s still good practice to always check the PKGBUILD for oddities. If you use “pacaur” to install packages from the AUR (for example), it will always offer to let you view the PKGBUILD file before building/installing the package (and it defaults to yes).

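A static review in the spirit of the advice above, written as an added example (not taken from the thread, pacaur or any other AUR helper): it never sources the PKGBUILD, since that would execute it, and only greps for the three things a reviewer should stop on. The PKGBUILD it inspects is a constructed sample with made-up URLs and checksums.

```shell
# Added example, not from the thread: a static pre-install review of a PKGBUILD.
# The file is only read with grep, never sourced or executed, so looking at a
# suspicious PKGBUILD cannot run anything from it.

# Constructed sample PKGBUILD for the hypothetical package "examplepkg";
# every URL and checksum in it is made up for this example.
SAMPLE_PKGBUILD=$(cat <<'EOF'
pkgname=examplepkg
pkgver=1.2.3
pkgrel=1
source=("https://example.com/releases/$pkgname-$pkgver.tar.gz"
        "http://mirror.example.net/extra-patch.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
build() {
  cd "$pkgname-$pkgver"
  curl -s http://mirror.example.net/setup.sh | bash
  make
}
package() {
  make DESTDIR="$pkgdir" install
}
EOF
)

# review_pkgbuild FILE: list download sources and print a WARN line for each
# of the three things a reviewer should stop on.
review_pkgbuild() {
  local file=$1
  # 1. Every download URL, to compare against the upstream project's site.
  grep -oE '(https?|ftp|git\+https?)://[^"'"'"' )]+' "$file" | sed 's/^/source: /'
  # 2. Plain-http sources can be altered in transit.
  if grep -qE '(^|[ ("'"'"'])http://' "$file"; then
    echo "WARN: plain http:// download source"
  fi
  # 3. 'SKIP' turns off the checksum for that source entirely.
  if grep -qE "^[a-z0-9]+sums=.*'SKIP'|^ *'SKIP'" "$file"; then
    echo "WARN: checksum set to SKIP"
  fi
  # 4. Downloading a script and piping it into a shell during build().
  if grep -qE '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' "$file"; then
    echo "WARN: build step pipes a download into a shell"
  fi
}

# count_warnings FILE: number of WARN lines (0 means nothing flagged).
count_warnings() {
  review_pkgbuild "$1" | grep -c '^WARN:' || true
}
```

Run `review_pkgbuild /path/to/PKGBUILD` on the file an AUR helper shows you; the sample above produces three warnings.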

What about bin files that are already prebuilt? Is there any way to check those properly, apart from reading any pinned comments, etc.?

As long as the programs from the repos are sufficient for the user, the question of the AUR will not arise. But I don’t know anyone in my Manjaro environment who doesn’t depend on builds from the AUR. So I find it all the worse that there are, e.g., outdated builds based on QT4, or device drivers that have long been obsolete. Before one deals with the safety of the AUR, the garbage should first be removed there in order to create an overview. Otherwise using the AUR will remain a matter of poking around in garbage for usable items. And yes, the question is who should do it.

That is why, the first time you install something from the AUR or when you enable it (I can’t remember which), you receive a warning informing you that it’s not Manjaro’s software or the responsibility of Manjaro. That you’re on your own.

And there are comments on aur.archlinux.org that verify or discredit a package. And I believe it’s effective as well.

For me, I see a flooding problem with reading stuff at Manjaro.
Before an update: read the announcements
Before installing from AUR: read the comments from aur.archlinux.org
After an unsuccessful installation from the repos: read in the community what could have gone wrong.
I can understand people well for whom this is too much expense for a supposedly simple operating system. No offense…

None taken.

I understand completely where you’re coming from. But simple != brainless.

I really, really, really hate the “feed me with a spoon or I’m not having any” attitude some people have.

People are born with brains. They should actually use them. It opens a whole new world!


You could have told me more kindly that you can’t live with my opinion. I hope this remains an isolated incident. All the best :+1: :smile:

Also, the entirety of an operating system including all programs running on it can hardly be called “simple”. :wink:

In general, repositories like the default pacman package repositories or other repositories of other distros or the AUR as a user repository should already offer quite a bit of security because they are used by lots of other people, the packages are flagged, voted on, commented on, etc. There is little room for malicious uploads. Like in any repository (or “store” if you will).

Windows users are comparatively more at risk (maybe without realizing it) because they’re used to going to lots of different websites from lots of different developers or companies to download their packages from, and there’s always a chance that one of those sites might offer malicious downloads. It’s also quite “normal” that big download sites offer customized installers to include various spyware. The user has to be aware of that at all times.

Linux users have the luxury of usually getting their stuff from just one or very few places, and there’s less room for malicious packages. I think overall the risk is quite low.

But, as always: security is a process. Not a button, not a software, not a one-time-thing that you forget at some point. It’s a constant process and the user has to incorporate that into every decision he makes. That means: better to be safe than sorry. If you know bash scripts, it takes just a few seconds to go over a PKGBUILD file. And then you can sleep better at night.


I can live with it, just not by it, and I wasn’t trying to offend or be rude. Apologies if it came across that way.

And you too, man!

:grin:

Your assertions (and examples) that ‘garbage should be removed’ are absolutely meaningless to the person who might need that QT4 application, or who has a ’puter from the early 00s that needs that old driver.

Are you using python2 anywhere? If you are, when the Arch devs finally rid Arch of python2, should everything python2 in the AUR be arbitrarily deleted as well?

I just do not understand…
The QT-4 support was officially discontinued by the Manjaro team with the December update. What sense does it make to continue to bet on a dead horse like QT-4, especially since QT-6 is already in the starting blocks? Now to experiences with drivers from the AUR. As an example, I will name a driver from the AUR for the Epson V370 scanner. If you install it again under XFCE after the Manjaro November update, your working scanner will turn into a humming corpse that can only be reanimated with timeshift. I mean to say that the AUR is always playing with fire and, in my experience, the slightest concerns about safety are to be seen. The number of reports of non-working software from the AUR compared to reports of potential dangers seems to bear out my experience. In conclusion, I have now given my opinion on this controversial issue.

By the way, there is always an easier answer, isn’t there?.. For all the newbies here: if you want to see whether a package is worth considering or not, follow this pretty easy tip, considering you have the AUR set up on your system:

  1. Open Pamac the same way you open any other program on your chosen DE.
  2. Click on the search button on the top left of the Pamac window.
  3. Type your desired package name in the search bar. Let us use “Google Chrome” as an example.
  4. A list of packages will be presented to you. Among the first packages listed you’ll find “google-chrome 89.0.4389.90-1”. This is the current Chrome stable release for the web browser (developer, beta or open source Chromium packages might be shown before this package, among some chromium plugins from the official repositories). Now double-click the package name.
  5. Now you’ll notice there is a page with lots of information. The ones really relevant are:
    a) The program source’s website.
    b) The package build AUR location website.
    c) First submission date.
    d) Last modified date.
    e) Votes.
  6. With all this information on hand you have all the basics to consider a package’s relevance. Obviously a long-unmaintained package is very likely not to work very well on your system… A rarely, if ever, voted package is likely not worth it either, unless it is pretty recent. The choice is yours ultimately!..

Note: I don’t know of any garbage-free package system, unless it is brand new or mostly unused!.. Fortunately here in Linux, at least we have things mostly centralized right now… But again: the user has the final word!..

Have a nice day!..

I think so too.

I assume that because of my lack of understanding, you will now also provide an explanation that everyone can read here and also understand, and that leaves no more questions unanswered. Please don’t leave us hanging now. Come on, dare.


Neither do I. The question was whether the AUR package management is safe, and I wrote that you can also find a lot of garbage there. We basically agree.


To say the least, everything the other guys wrote is perfectly correct from a technical point of view, but now there are those practicalities that most of us do need. There are the ones, me included, who just want to be the “eternal newbies”… Maybe I’ve grown a little bit more? Who knows, but I like to share what I’m learning in such popular wording. I’m a Philosopher myself by main University/College formation, then an Archivist and Financial Market Risk Analyst, from which I retired recently… And one of the things I’ve learnt within my lifetime is that you’ll be happier the way you share a little bit more than was here from your experience… So, that is an always ongoing process… I won’t always be here… But now that I have some time, count on me to help a little bit when possible!..

Have a nice day!..

That’s the price of having a rolling distro with fresh package versions all the time.

You have to put some effort in.

Otherwise use a fixed release and upgrade every few years (or months, if you use Fedora). Nothing wrong with that, as it’s whatever fits the user best.

Or use Solus as a more “brainless” rolling distro, but note its repos and packages are more limited than in the Arch/AUR ecosystem. Search for the Manjaro versus Solus thread.

There’s always some cost to the choice you make.

