Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
fsmv 8 hours ago

I don't understand, yay updates itself. I've never once had this problem.

Levitating 7 hours ago | parent | next [-]

That's assuming you do system upgrades through paru/yay. However, you may not want to upgrade the packages you've obtained from the AUR and so you upgrade using pacman. That may cause the updated libalpm to become incompatible with the installed yay/paru.

nicce 6 hours ago | parent [-]

yay used to be in the official Arch Linux repository for some time, wonder why it was removed.

morserer 6 hours ago | parent | next [-]

Iirc it was to force the extra step necessary for the user to acknowledge that the AUR can bootstrap malware if used blindly.

This seems to be a relatively consistent discussion surrounding AUR helper development; for example, adding UX to incentivise users to read PKGBUILDs, lest the AUR becomes an attractive vector for skids.

No one wants the AUR to become NPM, and the thing that will incentivise that is uneducated users. Having the small barrier of not having helpers in the main repos is an effective way of accomplishing that.

Levitating 5 hours ago | parent | prev [-]

https://wiki.archlinux.org/title/AUR_helpers

AUR helpers like yay are not supported officially. The other commenter sheds some light as to why.

pamcake 4 hours ago | parent | prev [-]

Assume they mean having to recompile the AUR package they were trying to install using yay.

If users mental model is mostly "yay is like pacman but can also install packages from AUR the same way" wihout thinking deeper about the difference then I think it using it is very risky and that you should just stick to pacman + git/makepkg. Only consider helpers once that's become second nature and routine. Telling people to "just yay install" is doing them a disservice. An upgrade breaking the system isn't even that bad compared to getting infected with malware due to an old package you were using being orphaned and hijacked to spread malware or getting a bad copycat version due to a typo.

I think EndeavourOS is doing users a disservice if they provide sth like yay preinstalled and ready to use out of the box. It isn't installing packages from a shared repo: It's downloading code from arbitrary locations and running it on your machine in order to produce a package. Being able to read and understand shell script (PKGBUILD) is kind of a prerequisite to using it safely.