Difference between revisions of "Talk:AUR helpers"

From ArchWiki
(more useful AUR comparison table proposal.)
m (discussion about secure helper)
Line 54: Line 54:
  
 
Any other useful ideas? Spyhawk
 
Any other useful ideas? Spyhawk
 +
 +
:Removing redundant fields: Yes.
 +
:Usage similar to pacman column: Yes. I'd argue aura is similar to pacman, though. Compared to say, cower or owl, it is.
 +
:Usage column: Yes, this was totally useless.
 +
:This revision is less cluttered, and thus easier to understand. I like it!
 +
 +
::2./ is actually a hard one. It depends on what is your definition of "similar". I'd say that helpers that install with a "-S" command are similar, but this is debatable. I guess this should be debated on the wiki Talk page.
 +
::Another point I'd like to improve is the "manually parsed" column through a more general "secure" column... but how do you define that an helper is secure or not?
 +
::Do you know any other people that would be interested in helping to improve this table? Spyhawk
 +
 +
::: I'd say:
 +
:::helper --install package  # Not similar to pacman.
 +
:::helper -S package  # Obviously the same as pacman.
 +
:::helper -A package  # Similar enough, consider it has `-i` and `-s` too.
 +
:::We could say a helper is secure if it tries to protect you from rogue PKGBUILDs. I saw one (can't remember which) that actually scanned for instances of the word sudo. I think it still sourced the PKGBUILD, but at least it tried. Obviously manually parsing the PKGBUILD (and the .install file?) would be the most secure.
 +
:::As for people to help us... would the yaourt people care? I could see some of the upstarts (spinach, owl?) being cooperative. cower seems to be a powerhouse, so we should talk to them as well. packer has infrequent updates (looking at it's github network) and I don't know if they'd get back to us.
 +
 +
:::: The aur helper that scans the PKGBUILD is spinach, but it does manual parsing anyway. I've also seen that security feature, and implemented a very similar one in pacaur. Packer does source the PKGBUILD before asking for editing, so that's clearly insecure (unless using --preview, but that is not set by default). Pbfetch removes everything after build() before sourcing. I guess that would be considered secure too. I can't tell for yaourt, the code is too cryptic to me. Spyhawk
 +
 +
Here is an improved, but incomplete table:
 +
 +
{{note|'''Secure''' means that the AUR helper tries to protect from malicious PKGBUILD, using manual parsing or other means.}}
 +
 +
{| border="1" cellpadding="4" cellspacing="0"
 +
! Name !! Written in !! Active Project !! Official Repo support !! Syntax similar to pacman !! Shell Tab Completion !! Secure !! Multilingual !! Specificity
 +
|-
 +
! [[aura]]
 +
| Haskell || {{Yes}} || {{Yes}} || {{Yes}} || Bash/zsh || {{Yes}} || {{Yes}}  || Handle Backups, Downgrades
 +
|-
 +
! aurget
 +
| Bash || {{Yes}} || {{No}} || {{Yes}} || Bash || ? || {{No}} || -
 +
|-
 +
! aurora
 +
| Python3 || {{Yes}} || {{No}} || {{No}} || {{No}} || ?  || {{No}} || -
 +
|-
 +
! cower
 +
| C || {{Yes}} || {{No}} || {{No}} || Bash/zsh || {{Yes}} || {{No}} || Minimalist helper without automatic build support.
 +
|-
 +
! owl
 +
| Dash || {{Yes}} || {{Yes}} || {{No}} || Bash || {{Yes}} || {{No}} || -
 +
|-
 +
! [[pacaur]]
 +
| Bash/C || {{Yes}} || {{Yes}} || {{Yes}} || Bash || {{Yes}} || {{No}} || Minimize user interaction.
 +
|-
 +
! packer
 +
| Bash || {{Yes}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || {{No}} || -
 +
|-
 +
! paktahn
 +
| Lisp || {{Yes}} || {{Yes}} || {{Yes}} || {{No}} || ? || {{No}} || -
 +
|-
 +
! pbfetch
 +
| Bash || {{Yes}} || {{Yes}} || {{Yes}} || {{No}} || {{Yes}} || {{No}} || -
 +
|-
 +
! PKGBUILDer
 +
| Python3 || {{Yes}} || {{Yes}} ({{Ic|pb}} command) || {{No}} || {{No}} || ? || {{Yes}} || -
 +
|-
 +
! spinach
 +
| Bash || {{Yes}} || {{Yes}} || {{No}} || {{No}} || {{Yes}} || {{No}} || -
 +
|-
 +
! [[yaourt]]
 +
| Bash/C || {{Yes}} || {{Yes}} || {{Yes}} || Bash/zsh/fish || ? || {{Yes}} || Handle Backups, ABS support
 +
|}
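Review bot: the added `{{note}}` defines '''Secure''' only as "tries to protect from malicious PKGBUILD", so the Secure column in the table treats a helper that never sources the file the same as one that sources a trimmed copy (the pbfetch row is {{Yes}} on the strength of "removes everything after build() before sourcing" in the reply above). Sourcing a trimmed file still runs whatever sits at top level above build(), so consider keeping the earlier "Manually Parses PKGBUILD" column beside Secure, or stating in the note which mechanism each {{Yes}} refers to, and resolving the four `?` cells before this replaces the current table. The replies at the `:` and `:::` levels are also unsigned; signing them with `~~~~` would make the thread attributable.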

Revision as of 08:56, 5 February 2013

Authors of each front end should post a short (2-3 line) description of their creation, along with a homepage link and an AUR link (where applicable). A link to a screenshot page would also be nice (if applicable).

More relevant AUR comparison table

Here is a proposal for a shorter, and more relevant AUR comparison table.

  • Removal of all columns featuring AUR features that are expected from any AUR helper (Handles Deps, AUR search, Handles Upgrades). Those are common to all AUR helpers anyway.
  • Added a Yes/No column for "Usage similar to pacman". This is indicative, and I believe the various "see man helper" are useless (a specific column could be added if necessary).
  • Replaced the column "Usage" by a more descriptive "Specificity" column. Use it to highlight specific focus or strength of the helper.

Comparison Table

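{| border="1" cellpadding="4" cellspacing="0"
! Name !! Written in !! Official Repo support !! Usage similar to pacman !! Shell Tab Completion !! Manually Parses PKGBUILD* !! Multilingual !! Active Project !! Specificity
|-
! aura
| Haskell || Yes || No || Bash/zsh || Yes || Yes || Yes || Handle Backups, Downgrades
|-
! aurget
| Bash || No || Yes || Bash || No || No || Yes || -
|-
! aurora
| Python3 || No || No || No || No || No || Yes || -
|-
! cower
| C || No || No || Bash/zsh || Yes || No || Yes || Minimalist helper without automatic build support.
|-
! owl
| Dash || Yes || No || Bash || Yes || No || Yes || -
|-
! pacaur
| Bash/C || Yes || Yes || Bash || optional || No || Yes || Minimize user interaction.
|-
! packer
| Bash || Yes || Yes || No || No || No || Yes || -
|-
! paktahn
| Lisp || Yes || Yes || No || No || No || Yes || -
|-
! pbfetch
| Bash || Yes || Yes || No || No || No || Yes || -
|-
! PKGBUILDer
| Python3 || Yes (pb command) || No || No || No || Yes || Yes || -
|-
! spinach
| Bash || Yes || No || No || Yes || No || Yes || -
|-
! yaourt
| Bash/C || Yes || Yes || Bash/zsh/fish || No || Yes || Yes || Handle Backups, ABS support
|}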
Note: Scripts that do not parse PKGBUILDs manually opt instead to execute them directly for their variables. This is not considered secure, but is generally more accurate than manual parsing.

Any other useful ideas? Spyhawk

:Removing redundant fields: Yes.
:Usage similar to pacman column: Yes. I'd argue aura is similar to pacman, though. Compared to say, cower or owl, it is.
:Usage column: Yes, this was totally useless.
:This revision is less cluttered, and thus easier to understand. I like it!

::2./ is actually a hard one. It depends on what is your definition of "similar". I'd say that helpers that install with a "-S" command are similar, but this is debatable. I guess this should be debated on the wiki Talk page.
::Another point I'd like to improve is the "manually parsed" column through a more general "secure" column... but how do you define that a helper is secure or not?
::Do you know any other people that would be interested in helping to improve this table? Spyhawk

:::I'd say:
:::helper --install package  # Not similar to pacman.
:::helper -S package  # Obviously the same as pacman.
:::helper -A package  # Similar enough, consider it has `-i` and `-s` too.
:::We could say a helper is secure if it tries to protect you from rogue PKGBUILDs. I saw one (can't remember which) that actually scanned for instances of the word sudo. I think it still sourced the PKGBUILD, but at least it tried. Obviously manually parsing the PKGBUILD (and the .install file?) would be the most secure.
:::As for people to help us... would the yaourt people care? I could see some of the upstarts (spinach, owl?) being cooperative. cower seems to be a powerhouse, so we should talk to them as well. packer has infrequent updates (looking at its GitHub network) and I don't know if they'd get back to us.

::::The aur helper that scans the PKGBUILD is spinach, but it does manual parsing anyway. I've also seen that security feature, and implemented a very similar one in pacaur. Packer does source the PKGBUILD before asking for editing, so that's clearly insecure (unless using --preview, but that is not set by default). Pbfetch removes everything after build() before sourcing. I guess that would be considered secure too. I can't tell for yaourt, the code is too cryptic to me. Spyhawk

Here is an improved, but incomplete table:

Note: Secure means that the AUR helper tries to protect from malicious PKGBUILD, using manual parsing or other means.
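{| border="1" cellpadding="4" cellspacing="0"
! Name !! Written in !! Active Project !! Official Repo support !! Syntax similar to pacman !! Shell Tab Completion !! Secure !! Multilingual !! Specificity
|-
! aura
| Haskell || Yes || Yes || Yes || Bash/zsh || Yes || Yes || Handle Backups, Downgrades
|-
! aurget
| Bash || Yes || No || Yes || Bash || ? || No || -
|-
! aurora
| Python3 || Yes || No || No || No || ? || No || -
|-
! cower
| C || Yes || No || No || Bash/zsh || Yes || No || Minimalist helper without automatic build support.
|-
! owl
| Dash || Yes || Yes || No || Bash || Yes || No || -
|-
! pacaur
| Bash/C || Yes || Yes || Yes || Bash || Yes || No || Minimize user interaction.
|-
! packer
| Bash || Yes || Yes || Yes || No || No || No || -
|-
! paktahn
| Lisp || Yes || Yes || Yes || No || ? || No || -
|-
! pbfetch
| Bash || Yes || Yes || Yes || No || Yes || No || -
|-
! PKGBUILDer
| Python3 || Yes || Yes (pb command) || No || No || ? || Yes || -
|-
! spinach
| Bash || Yes || Yes || No || No || Yes || No || -
|-
! yaourt
| Bash/C || Yes || Yes || Yes || Bash/zsh/fish || ? || Yes || Handle Backups, ABS support
|}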
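
The trade-off in the note above (executing a PKGBUILD for its variables versus parsing it manually) and the "trim at build(), then source" approach from the thread, as an added sketch that is not code from any helper named on this page. The function names and the sample PKGBUILD are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: read PKGBUILD metadata from stdin without sourcing it.
sample_pkgbuild() {  # constructed input; harmless even if executed
cat <<'EOF'
pkgname=demo-tool
pkgver=1.2
depends=('glibc'
         "curl>=7")
_uid=$(id -u)
printf 'sourced\n' >&2
build() {
  make
}
EOF
}

# Print a top-level scalar; return 2 if its value needs a shell to evaluate.
pkgbuild_scalar() {
  local value
  value=$(sed -n "s/^$1=//p" | head -n 1)
  [ -n "$value" ] || return 1
  case $value in *'$'*|*'`'*|'('*) return 2 ;; esac
  printf '%s\n' "$value" | tr -d "\"'"
}

# Print one array element per line (multi-line arrays included).
pkgbuild_array() {
  local body
  body=$(awk -v n="$1" '
    index($0, n "=(") == 1 { grab = 1; sub(/^[^(]*\(/, "") }
    grab { buf = buf " " $0 }
    grab && /\)/ { exit }
    END { sub(/\).*/, "", buf); print buf }')
  case $body in *'$'*|*'`'*) return 2 ;; esac
  printf '%s\n' "$body" | tr -s ' \t' '\n\n' | tr -d "\"'" | sed '/^$/d'
}

# List top-level lines that run on source, even in a copy cut at build().
pkgbuild_toplevel_exec() {
  awk '
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*\(\)[ \t]*[{]/ { infunc = 1; next }
    infunc { if ($0 ~ /^}/) infunc = 0; next }
    inarr  { if ($0 ~ /\)/) inarr = 0; next }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /\$\(|`/ { print NR ": " $0; next }
    /^[A-Za-z_][A-Za-z0-9_]*=\(/ { if ($0 !~ /\)/) inarr = 1; next }
    !/^[A-Za-z_][A-Za-z0-9_]*=/ { print NR ": " $0 }'
}
sample_pkgbuild | pkgbuild_toplevel_exec
```

A status of 2 from `pkgbuild_scalar` or `pkgbuild_array` marks the case where manual parsing loses accuracy: the value cannot be known without running the file, so it has to be shown to the user rather than guessed.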