Comments:
The only problem I have ever had on the AUR is an application that hasn't been updated in a long time and just doesn't do anything. Nothing has ever broken my system.
the AUR is 100% safe, no problem whatsoever, just as safe as android's store :D ..... I use Arch BTW
Thank you for this vid Brodie, starting to test Manjaro and saw a few things missing. Now I know a little more about what to watch out for
Yes, I like this video! 👍 Thanks!
Personally, I have no idea why I watched this video. I mean I basically do the same thing with npm packages, so I guess I agree with you magic arch man.
I see many people stating that they barely use the AUR and I simply don't trust them. There's basically no benefit to Arch when we discard the AUR. There are plenty of up-to-date distros like Fedora that would get the job done better than AUR-less Arch
I use AUR as a Manjaro (GASP!!!) Unstable user.
I'm watching this, 'cause it was in my feed :P
I have no idea why I am watching this video - subscribed.
As someone who avoids using the AUR unless absolutely necessary, I think you may be overestimating how many Arch users bother with the AUR and especially how many chose Arch because of it.
Sweet, so to slip a keylogger into the AUR, I need to make sure the download URL, developer name, and install script check out. I'll assume nobody will bother to read the source if it's ugly enough.
Not that this isn't good advice - it's just a shame that I can't use my expensive sliver of magical melted sand to comprehend and manage what the package can or can't do. Like, we need a lavamoat for system packages.
just use nixpkgs bro
I have a few aur packages and I host the code on my own server. I have no idea if anybody has actually read the code to see if it's actually not malware.
Do You Wanna my Sincere Opinion? Arch Linux Sucks.. it's just a "Linux Mint Slackware For Hipsters", this distro is for Masochists that wanna be cool, but never will be cool.... The Real World Linux distros are 100% much Better....
Eyy you are
Great tutorial on how to critically think about what you are installing.
Here's how I keep myself safe when using the AUR. 1. Clone the AUR repo. 2. Edit and modify PKGBUILD and get rid of libsystemd, systemd dependencies. 3. Then install with makepkg -si. Systemd for most if not all of the packages is just garbage and basically unnecessary for package functionality.
Good basic instructional video Brodie. IMO, too much AUR will eventually break something on a newbie setup. Always best to stick to the pacman repo as much as possible. When not possible, the AUR kicks butt and makes life quick and easy.
What kind of tea do u drink bro? I'm sipping on some chocolate mint right now but in the mornings I do love me some earl grey or english breakfast :)
Now I want to learn the same about flatpaks and snaps.
What is your paru config? The review screen with the file tree looks pretty cool
Now WHAT DO I DO WITH 1000s of PACKAGES I installed from AUR without looking at anything.... :(
Well I am an AUR helper user... Even on my arch homeserver I now use an AUR helper.
Just doing the updates and making sure the zfs scripts like sanoid stays up to date is reason enough for me.
So my tactic on the AUR and the mess you can get, is that I try to use it as sparingly as possible... But the ZFS snapshots stuff just became super needed to avoid data paranoia so...
so for every package you want to install from the aur, you should audit the package build script? sounds like a bit of a hassle.
is there any kind of reputation or rating system for aur package authors? or is that too easy to game with bots?
Not too heavily actually, most of the packages are actually from the main repo or chaotic-aur
I want to see cli tools for installing aur pkgs doing more of these checks automatically. because when you really work it out, a lot of the stuff you are manually checking here in this video... it could be given output to flag and inform the user. kinda like a linting process. for example if the src repo url is not an identified domain or self hosted that could print out a notification line in a shade of yellow. to prompt the user to manually check. or if the github repo is a fork. or if the github username does not match the aur username. then how many comments. and can automatically score those aur comments with sentiment analysis tool. and the upvotes. and then if flagged for deletion that could be printed in red color. all so many of these checks can and should be automated. with verbosity levels as to how much details to print. and user settings to decide how paranoid you want to be.
another feedback on cli can be to tell the user if the package maintainer is not using or has not enabled 2fa. since this is also another good extra security measure. to stop insecure aur accounts from getting hijacked. the same thing should in fact also extend to the repo accounts of the src on github or gitlab. we need reporting that those upstream accounts where we are actually fetching the software from... the end user must also be told whether those developer accounts are being secured properly by 2fa. so that (again) the person downloading can decide and the ability to choose what their own local security policy is they want to follow. this is especially important for open repos like aur. where anybody out there can submit software and packages.
I am a fedora user, and I feel it's kind of, unnecessary? But hey good luck
I like using pamac as my AUR helper because I like how it DDoSes the AUR.
review launches lf? do share this.
When you install on paru you don't need the -S
I like to listen to the high-pitched voice of this boy 😅😅😅
I don't know what I should choose: a binary AUR package of ungoogled chromium, i.e. ungoogled-chromium-bin, OR a repo from openSUSE special for Arch Linux. The GitHub page for both sources is the same.
Back when I was using Debian, I wrote a utility in bash to look for packages using fzf (script <part of package name> ==> fzf to find the right package ==> install)
Nowadays I use a package called parui that works almost the same way (no fzf ☹️) and it's pretty great
It is dependent on paru afaik so keep that in mind
I unfortunately live in an area where we’re not taught about safety devices and safe “browsing”. My parents were uneducated about modern safe browsing methods and so I had to explore the aur for myself and make my own mistakes and deal with infections I was unprepared for.
Thanks for posting this Brodie I couldn’t resist the euphemisms.
/s
I recently spent some time learning how to use steamtinkerlaunch & ended up needing to use the AUR to install it bc all the other options were WAY too involved for me, & I wondered about this kind of thing at the time! These are great tips; I think they'll be easy to remember and probably make me feel a little bit less like I could be playing with forces I don't understand, lol.
If installing random software is wrong, watching random YT videos (like this one) must be wrong too. 🤔
I need to rethink my entire internet usage.
The thing I don't like about aur is that some people put their work there and you are unable to install it because it asks for a password. Why is it there then?
github cody_learner aurch
virgin check install script vs chad test build installer
No thanks, i prefer [testing] [chaotic-aur].
I would love to see the same mentality toward vim plugins. It seems like a lot of people got the memo on AUR packages, but not yet for vim plugins. Nobody reads the diffs :)