anthonj 5 hours ago
I cringed hard when some people started to make pacman wrappers that could install from the AUR directly. I've installed stuff from the AUR before, but most of the time I prefer to skip the middleman and just navigate to the project website. A premade PKGBUILD is not convenient enough to take the risk of typoquatting or the tactical npm or pip dependency.
OJFord 4 hours ago
`yay` (one such wrapper) shows me the PKGBUILD diff on every update. The first time I install something, verifying the URL and checking any install script etc. seems sensible; the vast majority of subsequent updates are changes to just the version number & checksum. A typosquat attack would be very obvious. (It's a bit vulnerable to it on first install, but so is 'just navigate to the project website [and click download]'.)
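The review habit described above, as an added example that is not from this thread or from yay itself: a small Python checker that parses two versions of a PKGBUILD, reports which fields differ, and treats the update as a routine bump only when nothing but the version and checksum fields moved. The sample PKGBUILDs, the `example-tool` package and the look-alike `examp1e.org` host are constructed for the illustration; `yay` shows the real diff with the full function bodies, which this checker only compares verbatim.

```python
import re

# Constructed sample PKGBUILDs (not real AUR packages) standing in for the
# "before" and "after" of an update that a wrapper like yay would diff.
OLD_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
url="https://example.org/example-tool"
source=("https://example.org/dl/example-tool-$pkgver.tar.gz")
sha256sums=('aaaa')
package() {
  install -Dm755 "$srcdir/example-tool" "$pkgdir/usr/bin/example-tool"
}
"""
# Routine bump: only the version and the checksum move.
NEW_PKGBUILD_OK = OLD_PKGBUILD.replace("1.2.0", "1.2.1").replace("'aaaa'", "'bbbb'")
# Same bump, but the download host was swapped for a constructed look-alike domain.
NEW_PKGBUILD_SUSPECT = NEW_PKGBUILD_OK.replace("https://example.org/dl/", "https://examp1e.org/dl/")

# Fields that legitimately change on an ordinary version bump.
ROUTINE_FIELDS = {"pkgver", "pkgrel", "sha256sums", "b2sums", "md5sums"}
ASSIGN = re.compile(r"^(\w+)=(.*)$")

def parse_pkgbuild(text):
    """Split a PKGBUILD into single-line variable assignments and everything else
    (build()/package() bodies etc.), which the reviewer compares verbatim."""
    fields, script = {}, []
    for line in text.splitlines():
        m = ASSIGN.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
        else:
            script.append(line)
    return fields, script

def review_update(old, new):
    """Return (routine, changed): routine is True only when every difference is in a
    ROUTINE_FIELDS variable; 'script' in changed marks any change outside assignments."""
    old_fields, old_script = parse_pkgbuild(old)
    new_fields, new_script = parse_pkgbuild(new)
    changed = sorted(k for k in set(old_fields) | set(new_fields)
                     if old_fields.get(k) != new_fields.get(k))
    if old_script != new_script:
        changed.append("script")
    routine = all(k in ROUTINE_FIELDS for k in changed)
    return routine, changed
```

A changed `source`, `url` or function body is exactly what deserves the manual read the comment describes; a result of `(True, ['pkgver', 'sha256sums'])` is the boring case.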
anthonj 4 hours ago
But it's one middleman less. Git repos have been attacked other times in the past, but a 500/1000-star project still sounds more trustworthy than a user repository managed by randos with a couple of upvotes.
I still use the AUR for simple cases, but when I see AUR packages depending on multiple other AUR packages I immediately leave.
Grombobulous 4 hours ago
For me, this tradeoff isn’t worth it. I didn’t switch to Linux so that I can waste time going to websites and clicking “download” to update my programs like a Windows user. The pacman wrappers you mention are crazy, though.
anthonj 4 hours ago
I get it, but you only need to do that for the odd cases of packages not present in the official repo (not that common at all, for me at least). Also, if the software is downloaded in the form of a git repo, you only need to check out the new tag and rebuild; you don't need your browser at all.
mananaysiempre 3 hours ago
You then get the advantage of the OS’s package manager accounting for everything, however. It’s quite nice to not wonder whether there’s random stateful detritus throughout your system and what it might be affecting. (OK, to be honest there still will be, but much less of it, and a greater part of it will be attributable.)
bitmasher9 4 hours ago
I think the existence of the AUR puts less pressure on the official repository to have all popular software.
saghm 3 hours ago
I think it's also a bit of a testing ground for the main repos as well. I maintained the `ruby-build` AUR package for a couple of years after the previous maintainer wanted to step down, but they eventually added it to the main repos and now it's maintained by one of the official people. (In terms of actual maintenance, I don't recall ever having to do more than paste the new release tag into the PKGBUILD each time and then generate the new .SRCINFO and checksums, although I'd test locally first before pushing, of course.)
pixelpoet 4 hours ago
> typoquatting

Perfect demonstration!
mqus 4 hours ago
This sounds like your update process is quite involved then. Or do you just not do it?
anthonj 3 hours ago
I only have a couple of things in /opt/ and some manually installed fonts, and vim plugins in my home.
Everything else that I don't use often lives in the original cloned git repo in /home/projects and never really gets installed. Of course the process breaks down for a large number of packages, but I've never been in that situation.
In part because the official repo is already large, and in part because I like minimalism. If that ever became an issue, I would probably manage a personal set of PKGBUILDs.