Talk:AUR helpers

From ArchWiki

Updating Aura's Entry

Hi there, Aura 3.0 was recently released, and its entry here can be updated.

File Review: "Yes"

- Proof: https://github.com/fosskers/aura/pull/597

Specificity: "batch interaction 1/2, PKGBUILD security analysis"

- Proof: https://github.com/fosskers/aura/pull/600

Although the security scanning has been available during builds since Aura 2.x, `-P` allows people to do it more manually. The batch interaction has been true since the 2.x series.

Please and thanks!

Fosskers (talk) 17:35, 21 May 2020 (UTC)

As the description of "File review" mentions, it is only when enabled by default. See also [1]. As to the "pkgbuild security analysis", I find that description misleading at best since the only reliable security analysis is one by the user, which is already mandated for every user using the AUR. -- Alad (talk) 06:04, 24 June 2020 (UTC)
From the test file it seems that the "security analysis" can only detect PKGBUILDs with simple phrases like "curl", "evilscript", "badguy" or "malware"... -- Lahwaacz (talk) 06:50, 24 June 2020 (UTC)
I agree, and furthermore believe advertising "security analysis" of PKGBUILDs is essentially leaving land mines for users. It gives the deeply wrong impression that it's okay to trust a PKGBUILD just because some heuristic didn't detect the word "curl" in it. Under no circumstances should we permit such advertising to be done on websites we control.
It also emits a large number of false positives for the word "bash" -- grep through the official repos for PKGBUILDs which run "bash configure --options" or "sh foo.run" or similar to run scripts which are not executable because they were downloaded directly (makeself.sh self-extracting archives for example), or which have a /bin/sh shebang but explicitly need bash. The results of this code search are enlightening. I also managed to trivially evade the entire check in two different ways, one of which was by accident using some common glue code intended to print better traces for running commands, and a third variant produced threatening red errors when aura didn't like a valid function name and claimed the PKGBUILD was "too complex to parse". It warns when you use rsync, even though rsync is a very capable local directory transfer program with exclude pattern support (and is used as such in one repo package), a valid use case irrespective of its ssh support.
Real malware most likely doesn't download with curl | sh, it just forges the source url and runs a bundled Makefile, with zero chance to heuristically parse and detect it based on an extremely primitive keyword grep of the PKGBUILD file. Incompetent PKGBUILDs have a million ways to break, which are usually found in the install scripts. -- Eschwartz (talk) 03:43, 25 June 2020 (UTC)
Seems like a clear case, closing. For batch interaction, I proposed a new wording below in #Move batch interaction to (note in) pacman wrapper section (which includes auraAUR.) -- Alad (talk) 22:16, 27 June 2020 (UTC)
Updated. [2] -- Blackteahamburger (talk) 15:53, 21 June 2020 (UTC)

Move batch interaction to (note in) pacman wrapper section

As the title says. This is only relevant to pacman wrappers, thus I would replace the paragraph in #AUR helpers#Legend with a Note in AUR helpers#Pacman wrappers as follows:

Note: The following pacman wrappers support querying the user for package conflicts and package providers before the build process:

I deliberately left out the "combined package summary" since it can only be achieved with pacman -Sy. -- Alad (talk) 22:10, 27 June 2020 (UTC)

Remove old entries

The following helpers have been unmaintained for at least 2 years. I propose to remove them:

  • pkgbuildup (already removed, github repository was archived by the author)
  • aurel (discontinued since 2015)
  • spinach (discontinued since 2017)
  • aurman (discontinued since 2018)

The following have also been inactive for at least 2 years, but with no explicit "discontinued" notice:

  • yaah (inactive since 2018)
  • repofish (inactive since 2018)
  • argon (inactive since 2018)
  • pkgbrowser (inactive since 2013)
  • pkgbuild-watch (inactive since 2012)
  • aur-talk (inactive since 2018)

For the latter I suggest to at least remove pkgbrowser and pkgbuild-watch, as they are increasingly unlikely to work (if they still do in the first place). -- Alad (talk) 22:28, 27 June 2020 (UTC)

We can remove stuff that was archived/discontinued. As for inactive stuff like pkgbrowser, we probably should not remove it if it still works. I can confirm pkgbrowser works. Not sure why it would stop working in the future, unless there are some changes coming to AUR RPC that will break those. -- Svito (talk) 08:37, 1 July 2020 (UTC)
Fair enough, removed the discontinued entries with [3]. Thanks, closing -- Alad (talk) 11:53, 1 July 2020 (UTC)