AUR, also known as the Arch User Repository, is a community-driven repository of PKGBUILDs. Anyone can upload a package to the AUR (we will talk about how to do that in this article) and anyone can get a package taken down from the AUR with just a simple letter to the mailing list (stats say that at least 2-3 people are always active looking out for malicious PKGBUILD files). Basically, a PKGBUILD is a recipe for creating an Arch package, which typically has the extension .pkg.tar.zst (pkg meaning package, tar being a way to merge multiple files/folders into one, zst being a way to compress the file). Such a package can be installed via the command sudo pacman -U <file>.pkg.tar.zst. However, we will not go into detail about that.
The AUR is also well known for having broken packages (as said later in this article, you can easily add a package to the AUR with zero pushback 90% of the time); however, if you read the PKGBUILDs (with an AUR helper that gives you the option to do so), you can easily figure out whether a package will install or not. In simple terms, the average PKGBUILD is structured and works just like a regular bash script, with metadata at the top and two functions below: the first is the prepare() function and the second is the package() function. In short, the prepare function creates a directory for the package it is supposed to make and then lays out all binaries and config files in the way pacman will understand; the package function adds the final scripts, makes the package (via makepkg) and then installs it through pacman. This is not always the case, though, since PKGBUILDs are just regular bash scripts: you can have a prepare function that only checks the files downloaded through source and a package function that just puts the files in user directories, so that you won't need root permissions at all. We will see that in detail.[1]
Significance
The AUR is one of the biggest package sources in the Linux community, with over 60,000 packages and active volunteers quality-checking the unfiltered packages. AUR packages are also very creative in their own regard: from people using package converters to turn any deb or rpm package into an Arch-compatible package, to people taking Windows Electron programs and modifying them to work on Linux, it is no surprise that you can find almost any package possible on the AUR.
Safety
Given the great power of the AUR, you will be surprised by how secure it is. Most people say it is very unsafe; however, if you get into the habit of reading the PKGBUILD files before installing them, you will never run into issues, and this is not even that severe a security flaw given how many people are always checking newly submitted packages.
The main issue starts with the famous term "dependency hell", which in short means "installing separate packages that each require a specific version of a shared dependency, but with different version requirements, so you end up with a broken installation". Yeah, it sounds very complicated, because it is. Basically, take any two separate packages: one could be from your extra or core repositories (check the pacman page to learn about the default repositories) and the other could be from the AUR. Let's say both depend on ffmpeg and the AUR package requires a very old version. Since the packages in the extra repository are always kept up to date as soon as possible, you might end up in "dependency hell", where pacman wants to use the newer version for the package in the extra repository but the AUR package requires the older version. You then end up with a corrupted package, and if that package is important for the system, you end up with a fully corrupted install.
Naming Scheme
This is a very strictly enforced naming scheme in the AUR; it is basically a suffix that determines the package type. The main ones are:
-git: the package will clone the source from a git repository (most likely a GitHub or GitLab repository) and build it manually.
-bin: the package will just fetch a pre-compiled binary and install the configuration files. (RECOMMENDED)
No suffix: the package is either proprietary or a compiling/source-based package. Just check the PKGBUILD for this one.
Now, ideally you would pick the -bin package, or a proprietary package with no suffix, which will use a binary anyway (because you cannot manually compile programs without source code). This is because using a pre-compiled binary is much faster than letting it manually clone, build and install.
Installing AUR packages
This might be a little complicated for those who aren't familiar with the way Arch Linux packages work, but it is quite easy to grasp.
Basically, if you used archinstall for your system, you probably have the package called base-devel. It means base development, and it is what allows us to install packages from the AUR. You must have git installed too, since we need to clone packages. If you installed Arch Linux the manual way, you have probably pacstrapped it because that is recommended in the ArchWiki; if you haven't, please install base-devel through pacman.
To summarize, installing any package from the AUR basically means getting a PKGBUILD that tells the system to create a package and install it. It is kind of weird, but essentially an AUR package is a set of instructions to make an Arch Linux package. We will try to install the waterfox-bin package because it is not available in the extra or core repository. (To understand the -bin suffix, please check the naming scheme above.)
To install waterfox-bin via the AUR, you have to install git and base-devel via pacman as said earlier. Then run git clone https://aur.archlinux.org/waterfox-bin.git, which will clone the PKGBUILD for Waterfox into your current directory. Use cd waterfox-bin to go inside that directory and then run makepkg -si, which will use makepkg to make the package and ask to install it. What we are doing here is using a single file to build an Arch Linux package for us and install it. This will successfully install the package. Yeah, it was that easy; to make it even easier, however, we have AUR Helpers.
AUR Helpers
(WORK IN PROGRESS)