Comment by jolmg

8 years ago

I've seen the advice of not installing AUR helpers multiple times before. I guess it works for many, but I feel it takes more discipline to review the files when not using AUR helpers since you can just download them and makepkg them immediately, while all AUR helpers I've seen explicitly ask you if you'd like to first review the files in an editor with a default answer of [Y]es.

One of the problems I see with helpers is that a lot of them start to wrap the user's whole package-handling experience (pacman wrapping), where it seems like it would be easy to ignore the prompts and "just download the package already". You can tell users the AUR is unsafe and to review PKGBUILDs, but that doesn't mean they are going to listen or do it.

I did write a helper, mainly for myself and a few other arch users I know, and if not for having completed it enough to use it, I wouldn't do it again (I don't support pacman wrapping). I use like 5-10 packages from the AUR and I either maintain them or they _never_ change and I would know something is wrong.

The other point to this is: how is this sort of compromise best communicated? It's important enough to hit [0] and obviously this news site, the mailing list [1], but not the frontpage of arch itself.

[0] planet.archlinux.org
[1] https://lists.archlinux.org/pipermail/aur-general/2018-July/...

  • > The other point to this is how is this sort of compromise best communicated? It's important enough to hit [0] and obviously this news site, the mailinglist[1], but not the frontpage of arch itself.

    I brought it up partially, and the simple explanation is: we don't. It's unsupported, and compromised packages happen. There is no system in place to warn about it, and the frontpage is reserved for news about issues regarding official packages.

> while all AUR helpers I've seen explicitly ask you if you'd like to first review the files in an editor

The good ones do, yes.

> with a default answer of [Y]es.

And therein lies the problem. You may review a handful up front, but then convince yourself that all is good since it's much easier to just press 'enter' and move on. It's MUCH easier to ignore a PKGBUILD when you have to hit one key to skip it than it is if you have to manually download it, put it somewhere, and 'makepkg' on it.
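Both the opening comment (packages that "never change", so a change is itself the signal) and the reply above (a one-key [Y]es prompt is too easy to skip) point at the same gap: nothing records what was actually reviewed. The script below is an added example written for this thread, not code from any AUR helper or from the commenters. It keeps a sha256 manifest of every file in a package directory after a manual review and refuses to proceed to `makepkg` when anything differs from the reviewed state, listing the changed files instead of asking a yes/no question. It assumes GNU `sha256sum` and `diff` are available; the `.reviewed` manifest file name and the `example-pkg` PKGBUILD are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or any AUR helper): a "review gate" for a
# PKGBUILD directory. Build only when every file still matches the manifest
# recorded at the last manual review.
set -eu

# Sorted sha256 manifest of all regular files under $1, excluding the manifest itself.
manifest() {
    ( cd "$1" && find . -type f ! -name '.reviewed' -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Record the current state as reviewed. Call this only after reading every file
# (PKGBUILD, .install scripts, patches), never automatically.
mark_reviewed() {
    manifest "$1" > "$1/.reviewed"
}

# Return 0 if $1 matches its reviewed manifest, 1 otherwise.
# Changed, added or removed files are listed on stdout so the reviewer sees
# exactly what to re-read; there is no default-yes prompt to press through.
check_reviewed() {
    dir=$1
    [ -f "$dir/.reviewed" ] || { echo "no reviewed manifest for $dir"; return 1; }
    tmp=$(mktemp)
    manifest "$dir" > "$tmp"
    if cmp -s "$dir/.reviewed" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    echo "files changed since last review of $dir:"
    diff "$dir/.reviewed" "$tmp" | grep '^[<>]' || true
    rm -f "$tmp"
    return 1
}

# Gate a build: only run makepkg (or whatever $2.. is) when the review is current.
build_if_reviewed() {
    dir=$1; shift
    check_reviewed "$dir" || return 1
    ( cd "$dir" && "$@" )
}

# Demo on a constructed package directory (not a real AUR package).
demo() {
    pkg=$(mktemp -d)
    cat > "$pkg/PKGBUILD" <<'EOF'
pkgname=example-pkg
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-1.0.tar.gz")
sha256sums=('SKIP')
EOF
    mark_reviewed "$pkg"                     # reviewer has read the file
    build_if_reviewed "$pkg" echo "unchanged: would run makepkg here"
    # Simulate the package being updated underneath us (new pkgrel).
    printf 'pkgrel=2\n' >> "$pkg/PKGBUILD"
    if build_if_reviewed "$pkg" echo "should not run"; then
        echo "unexpected"
    else
        echo "refusing to build until re-reviewed"
    fi
    rm -rf "$pkg"
}

demo
```

Replace `echo ...` with `makepkg -si` in `build_if_reviewed` for real use; the point of the design is that after the first review, an unchanged package builds with no interaction at all, while any change to any file stops the build cold rather than asking a question that defaults to yes.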