upvote

points

by anthonj6 hours ago |
comments
upvoteby OJFord6 hours ago|
next
[-]
`yay` (one such wrapper) shows me the PKGBUILD diff on every update. The first time I install something I verify the URL, and check any install script etc. seems sensible; the vast majority of subsequent updates are changes to just version number & checksum. A typosquat attack would be very obvious.

(It's a bit vulnerable to it on first install, but so is 'just navigate to the project website [and click download]'.)

reply
upvoteby anthonj6 hours ago|
parent|
next
[-]
But it's one middle man less.

Git repo have been attacked other times in the past, but a 500/1000 stars project still sounds more trustworthy than a user repository managed by randos with a couple of upvotes. I still use the aur for simple cases, but when I see aur packages depending on multiple other aur packages I immediately leave.

reply
upvoteby cromka1 hours ago|
parent|
prev|
[-]
Does it also show each patch involved?
reply
upvoteby OJFord3 minutes ago|
parent|
next
[-]
It shows the overall diff since last update, not patch-wise. But it does show any extra patch file, install script, etc. – not just the PKGBUILD – if that's what you meant.
reply
upvoteby gpm1 hours ago|
parent|
prev|
[-]
The manager I use (paru) does, I'd be surprised if yay doesn't.
reply
upvoteby zenoprax1 hours ago|
prev|
next
[-]
People continue to criticize Arch for being elitist or gate-keeping to keep casuals out but there are clear benefits by not allowing dangerous things to be simple. This is true in many aspects of life.

After using Void Linux I switched to `aurutils` to get a similar separation on Arch. I can easily maintain a local AUR repo by compiling/making my own binaries and can use `pacman` to install and manage them which improves the upgrade process overall.

reply
upvoteby pixelpoet6 hours ago|
prev|
next
[-]
> typoquatting

Perfect demonstration!

reply
upvoteby Grombobulous6 hours ago|
prev|
next
[-]
For me, this tradeoff isn’t worth it. I didn’t switch to Linux so that I can waste time going to websites and clicking “download” to update my programs like a Windows user.

The pacman wrappers you mention are crazy, though.

reply
upvoteby anthonj6 hours ago|
parent|
[-]
I get it, but you only need to do that for the odd cases of packages not present in the official repo (not that common at all for me at least).

Also if the software is downloaded in the form of a git repo, you only needed to checkout the new tag and rebuild, don't need your browser at all.

reply
upvoteby mananaysiempre5 hours ago|
parent|
next
[-]
You then get the advantage of the OS’s package manager accounting for everything, however. It’s quite nice to not wonder whether there’s random stateful detritus throughout your system and what it might be affecting. (OK, to be honest there still will be, but much less of it, and a greater part of it will be attributable.)
reply
upvoteby bitmasher96 hours ago|
parent|
prev|
[-]
I think the existence of the AUR puts less pressure on the official repository to have all popular software.
reply
upvoteby saghm5 hours ago|
parent|
[-]
I think it's also a bit of a testing ground for the main repos as well. I maintained the `ruby-build` AUR package for a couple of years after the previous maintainer wanted to step down, but they eventually added it to the main repos and now it's maintained by one of the official people. (I don't recall ever having to do more than paste in the new release tag into the PKGBUILD each time and then generate the new .SRCINFO and checksums in terms of actual maintenance, although I'd test locally first before pushing of course).
reply
upvoteby mqus6 hours ago|
prev|
[-]
This sounds like your update process is quite involved then. Or do you just not do it?
reply
upvoteby anthonj5 hours ago|
parent|
[-]
I only have a couple of things in /opt/ and some manually installed fonts, and vim plugins in my home. Everything else that I don't use often lives in the original cloned git repo in /home/projects and never really gets installed.

Of course the process breaks down for a large amount of packets, but I've never been in that situation. In part because the official repo is already large, and in part because I like minimalism.

If that even became an issue, I would manage a personal set of pkgbuild probably.

reply