Toggle menu
Toggle preferences menu
Toggle personal menu
Not logged in
Your IP address will be publicly visible if you make any edits.

Arch User Repository: Difference between revisions

From atl.wiki
No edit summary
(Rewrite safety section)
Line 53: Line 53:


=== Safety ===
=== Safety ===
Like we saw just now, you can easily publish your package to the AUR with no checks other than the general SRCINFO file, while the AUR is actively moderated by volunteers, there are still a few malicious packages that are not caught because of which we suggest everyone to read the PKGBUILDs they use from the AUR ensuring that it is a safe one.
As seen, you can publish your package to the AUR with minimal checks beyond the general SRCINFO file. Although the AUR is actively moderated by volunteers, some malicious packages may not be caught. It is advisable for users to read the PKGBUILDs they use from the AUR to ensure their safety.


We do also encourage people to actively go to the AUR mailing list and report malicious package that are not caught under the radar. The AUR has over 60,000 packages and we hope you actively report packages and do your best to keep the AUR clean.
Users are encouraged to report any malicious packages that may have been missed to the AUR mailing list. The AUR hosts over 60,000 packages, and user reports help maintain its security and reliability.<references />
 
<references />
[[Category:Terminology]]
[[Category:Terminology]]

Revision as of 16:08, 8 June 2024

The Arch User Repository (AUR) is a community-driven repository for Arch Linux users. It contains package descriptions (PKGBUILDs) that allow you to compile a package from source with makepkg and then install it via pacman.[1]

The AUR also has its own voting system. All packages are eligible for adoption by a Package Maintainer for inclusion in the extra repository, and the vote count is one of the considerations in that process. Packages that enter the extra repository can be directly installed with pacman.[1]

How does it work?

The Arch User Repository or the AUR, unlike your regular repository, does not host made packages but rather it hosts PKGBUILDs that can be used to make packages, these PKGBUILDs contain metadata at the top and mainly two functions/methods:

  • prepare() : This function prepares your package folder which is the extracted view of a typical package.
  • package() : This function adds basic metadata (optionally verification keys like SHA256 ones) and then generates the package.

The surprising part about the AUR is that most packages do not need to follow this style, the packages can just directly copy configuration and binary files directly to their respective places without requiring to make a package. In fact because of the flexibility of AUR packages, you can make your own package by just using a package converter and cloning some package not made for Arch Linux and just convert the package into an Arch-compatible one. It sure works! You can even package apps by manually editing the files of a package and just use that. Unlike any other packaging format, PKGBUILDs can be installed without root too because they are indeed just scripts. It is however suggested to properly read the PKGBUILDs you get from the AUR for your own safety.

Installation of packages

On this page, we use the officially recommended method, though you can also install packages from the Arch User Repository with AUR helpers. While these tools can simplify the process and save time, they may introduce security risks and potential system instability if not used carefully.

To start, you must be on an Arch Linux system and install the following packages:

  • git : This will be used to clone a package from the AUR.
  • base-devel : This should be probably installed but if it isn't, you must do. This gives us the tools to make PKGBUILDs.

You can search the AUR and choose your package, we will take the visual-studio-code-bin package as an example. You can pick any package you like and just replace the name.

To install, follow these steps:

  • git clone https://aur.archlinux.org/visual-studio-code-bin.git  : This will clone the package from the AUR and will be stored in your current directory.
  • cd visual-studio-code-bin : This will put you into the directory of your cloned package.
  • makepkg -si : makepkg is one of the main utilities to install any AUR package, the -s flag syncs any dependencies of your package (so it won't give you an error if the package dependencies are not installed) and the -i flag will install the package generated if your package is made and has no errors.

And that's it, you can run the program and check it out! You can do this with any program and it will work!

To simplify the process, AUR helpers have been created. While we won't cover them in detail, here's a brief overview: the basic AUR helpers can search and download packages, the more advanced ones can search, build, and install packages, and the most commonly used ones, known as pacman wrappers, can search, build, update, and manage system packages. This means you can update your entire system using these tools. However, pacman is still required as these helpers essentially use pacman to perform their tasks.

Package Naming

All packages have either one of three suffixes:

  • -bin : These packages are what you should install since they are pre-built binary packages and reduce effort in compiling programs by source.
  • -git : These packages are generally not recommended but they are more commonly found, these are compiled from source and they are downloaded via GitHub or GitLab.
  • No Suffix or other suffix : These packages are either proprietary or are compiled from other sources. Generally not recommended unless you know about that package.

You should also look out for 'marked as orphaned' or 'marked as out of date' packages as they are commonly found with packages that have the -git suffix. The binary ones are recommended for every package and are probably the most frequently updated ones.

Creating a package

To create a PKGBUILD for the AUR it is quite simple, you can follow these steps:

  • Make a folder for your package separately and make a file inside that folder just called PKGBUILD (case-sensitive).
  • Inside that file add required metadata[2] and/or optional ones for your PKGBUILD.
  • Then you need to add the functions, these look like bash functions and scripts of similar kind, like we said earlier about the prepare() and package() functions but we do also need some more important functions like pkgver(), build() and check() depending on what kind of package you are trying to make. These functions are more properly explained on the Arch Wiki.[3]
  • And then, just check your package, save it, then run the same command as before makepkg -si to check the package. If it does build and prompts you to install that means it worked! You can also use namcap[4] to check errors in the package.
  • To submit your package to the AUR, create an account on the AUR properly and setup the SSH keys. Please do also make sure that the package you are making is not already made.
  • Once done, just open your terminal and run git clone https://aur.archlinux.org/<your_package_name>.git, you might think it is not made but what you are actually doing here is sending a request to the AUR to create a package and clone it. When the AUR receives a clone request for a package not already made, it just creates a new blank repository, make sure it is created via your AUR SSH key. Also, make sure to add the suffix as mentioned earlier since the packages are actively moderated by volunteers and they may strike your package down.
  • Copy the PKGBUILD you made into this folder you have cloned, go inside that folder and run makepkg --printsrcinfo > .SRCINFO. This will create a required .SRCINFO file that just contains general metadata for AUR such as description and other things. Then, you can just add the two files via git, make a commit with a message like "Initial commit" and then push it. It should work and the package should be visible on the AUR in a few minutes. Please note that the AUR will not permit the package on the AUR repository if it does not find the .SRCINFO file.

If you want to delete, merge, orphan or mark your or any package out of date, you can send a request to the AUR mailing list.

Safety

As seen, you can publish your package to the AUR with minimal checks beyond the general SRCINFO file. Although the AUR is actively moderated by volunteers, some malicious packages may not be caught. It is advisable for users to read the PKGBUILDs they use from the AUR to ensure their safety.

Users are encouraged to report any malicious packages that may have been missed to the AUR mailing list. The AUR hosts over 60,000 packages, and user reports help maintain its security and reliability.