
jD91mZM2


Arch Linux: Stop recommending people to use makepkg for the AUR

This is relevant to Arch Linux and the Arch User Repository. If you don't know what that is, no need to read this article.

Alright, there seems to be around 3 kinds of people:

  1. "Pacman should be like apt"
  2. "You probably want an AUR helper"
  3. "Real men use makepkg"

2/3 of these people know that adding a custom repository to get a program is HORRIBLE security-wise. That's not worth mentioning.
I will instead be focusing on eliminating the 3rd kind, leaving us with the second (which I'm a part of).

Let me tell you a tale of how I got used to the AUR.
Immediately when I started off, I wanted to be the 3rd kind. I wanted to use only the official tools. "Real men don't need no helper" or whatever. I scanned the wiki on my phone (Arch wasn't completely set up yet), and found out how to install packages. I failed to find out how to update them, so I assumed pacman did that for you. I started cloning all packages to ~/Downloads, building them, and deleting them.
That was my first pitfall. Already, I had made a mistake. I needed to keep them updated. Alright, that's simple enough. I re-downloaded all my packages (TIP: pacman -Qm) to ~/AUR. Then I made a bash script to git pull all the things, and build them if there was anything to update (NOTE: I hadn't thought of -git packages).
This is what I used for a while. And it worked, except it required a lot of interaction. I had to copy the URL, cd, git clone, cd, makepkg. I started avoiding the AUR as much as I could. Alright, simple fix: Just make a bash script to download it? No. This is where I stopped. And I'll tell you why in a second.
But first I want to inject that I never checked any other files than the PKGBUILDs. I never read the wiki carefully enough, so I failed to realize that ALL files could contain viruses. If I had used a helper, this risk would have been avoided altogether.
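As an added example (not the author's script), here is what the update loop described above could look like, assuming packages are cloned under ~/AUR as in the post. It handles the two pitfalls mentioned: -git style packages are rebuilt even when their checkout has no new commits, and every upstream change is shown for review, not only the PKGBUILD.

```bash
#!/usr/bin/env bash
# Added example, not the author's script: update every AUR checkout under
# ~/AUR (the layout from the post), review ALL upstream changes, then build.
set -eu
AUR_DIR="${AUR_DIR:-$HOME/AUR}"
# VCS packages (-git, -svn, ...) fetch upstream at build time, so their
# PKGBUILD rarely changes; they must be rebuilt even with no new commits.
is_vcs_pkg() {
    case "$1" in
        *-git|*-svn|*-hg|*-bzr) return 0 ;;
        *) return 1 ;;
    esac
}
# $1 = pkgname, $2 = number of AUR commits the local checkout is behind.
needs_build() {
    [ "$2" -gt 0 ] || is_vcs_pkg "$1"
}
# Show every file that changed upstream, not only the PKGBUILD: .install
# scripts, patches and bundled sources all run or get applied by makepkg.
review_changes() {
    git --no-pager diff --stat 'HEAD..@{u}' --
    git diff 'HEAD..@{u}' --
}
update_one() {
    name=$(basename "$1")
    cd "$1"
    git fetch --quiet origin
    behind=$(git rev-list --count 'HEAD..@{u}')
    if ! needs_build "$name" "$behind"; then
        echo "$name: up to date"; return 0
    fi
    if [ "$behind" -gt 0 ]; then
        review_changes
        printf 'Build %s? [y/N] ' "$name"
        read -r ans
        [ "$ans" = y ] || { echo "$name: skipped"; return 0; }
        git merge --ff-only '@{u}'
    fi
    makepkg -si --needed
}
main() {
    for dir in "$AUR_DIR"/*/; do
        [ -d "$dir/.git" ] || continue
        # subshell: update_one changes directory and may fail
        (update_one "${dir%/}") || echo "${dir%/}: failed" >&2
    done
}
if [ "${1:-}" = run ]; then main; fi
```

Run it as `./aur-update run`; each package's diff is printed before you are asked whether to build it.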

I saved my most important point to last. If you make shell scripts around the manual way of doing it, are you really still using the manual way...
...or have you created a helper?

Discussion (13)

OnFileNotWanted • Edited

i think the general conSENSEus on #archlinux is that, by all means use an AUR helper, BUT familiarise yourself with mkpkg beforehand as the said helper WILL break on pacman updates. Forewarned is forearmed
here's a wee shell script, by default it opens the PKGBUILD in $EDITOR for you to peruse BEFORE installing anything
!taurus

Dmitrii

yay

corey Bruce • Edited

lmfao what are you even talking about? no one solely uses and downloads pkgbuild files and does makepkg, they use pacman or an AUR helper XD

Where are you getting this totally outdated info from?

Massimo Artizzu

Hello Corey,
please be sure to convey your opinions in a respectful and comprehensive way, even when they're in total disagreement (which, of course, is perfectly fine).
Remember there are newbies that might be confused by confrontational replies.
Let's be excellent to each other. Thanks 🤗

corey Bruce

I will, I am good at helping new Linux users but what I am confused about is this incorrect information that makes no sense in 2019.

Baptiste Delphin

Corey, you're completely wrong. A lot of people manually clone AUR repos and use makepkg -si to install them, including myself.
That's even the only way listed on this Arch Wiki page: wiki.archlinux.org/index.php/Arch_...

Back to the subject, I was aware of the potential risk of malicious code hidden in AUR repos, but I'm discovering with your article that a Helper can avoid such risk! But how can an AUR helper tell if something is malicious or not?

corey Bruce

No no one really bothers with it because they just use their package manager or AUR helper, if the code was "malicious" for example there isn't much chance of that happening as even tho anyone can submit they will be viewed and checked, of course you can still manually makepkg if you want but no one does this regularly or even has to anymore thanks to package managers and helpers

Det

Never gone to #archlinux, have you?

corey Bruce

I use Arch Linux with a bunch of others who also do and never in my time using Linux or Arch in general have I ever relied on downloading pkgfiles and building manually as a main way to get packages, if I install a package it's always with my package manager. I've manually downloaded the pkgbuild file and built the package once but I never rely on doing that

Det • Edited

Right. And probably none of you have gone to #archlinux. :D

I didn't use to cower (now auracle) && makepkg either (I used Arch for good 5+ years), but back then the IRC weenies were against AUR helpers, because noobs would come with their super simple problems that they could've fixed themselves had they learned about the build process.

corey Bruce

Actually we also have nothing wrong with using an AUR helper even if we already know how to do it manually, why add more steps to do a simple task when an AUR helper can simplify things, it's the same process only automated.

Det • Edited

No you're not understanding what I said. I prefer AUR helpers, but as a maintainer I also didn't like it when random user's helper didn't work (or there was some super simple problem with the PKGBUILD), and they would then blindly copy paste those error messages to ping my mailbox each time.

Doesn't matter to users (Arch's overly complex as-is), but kinda does to maintainers and those who wanna help out in the forums, IRC, etc.

corey Bruce

Yeah I know I'm just saying that AUR helpers are good 😋

Yep that's the toxic Arch users but I intend to change that and help users in a positive way instead of saying "read the fucking wiki" and acting arrogant.

Yes Arch is and can be complex but just like Linux in general it doesn't have to be :)