Difference between revisions of "Talk:AUR helpers"

From ArchWiki
(`Reliable solver` discussion)
(Expand Secure criteria to include other (non-PKGBUILD) bundled files: re)
 
(432 intermediate revisions by 18 users not shown)
Line 2: Line 2:
 
}}
 
}}
  
== Comparison table - build directory ==
+
== "Reference" implementation ==
  
Considering /tmp is mounted as tmpfs on Arch, and the potential downsides from building in RAM (running out of space), I think a column with the default build location for various helpers would be helpful.  
+
This is an alternative to [[#Reliable_Updater]]. Instead of an arbitrary set of test packages, we could write up a "specification" on what a reliable AUR helper should do. This should also be more helpful for potential AUR helper writers who otherwise have to wade through complex, fully-featured AUR helpers.
  
The default values I've garnered so far, assuming TMPDIR is not set:
+
I propose a minimal reference implementation with the following points:
  
* aurutils: $XDG_CACHE_HOME
+
* No client-side workarounds for upstream limitations. In particular, a reference implementation does not need to score full points on split packages, as {{ic|makepkg --pkg}} was removed with pacman 5.
* pacaur: $XDG_CACHE_HOME (changed from /tmp, see [https://github.com/rmarquis/pacaur/commit/c5d750f75f040b21249fff100a2c8875348d03d1])
+
* Minimal language constructs in e.g. a scripting language like {{Pkg|dash}}.
* bauerbill: $PWD/build
+
* Prefer simplicity of implementation over being fully featured. In particular, an implementation may only support git clone and not git diff.
* pkgbuilder: $PWD, /tmp when specified with -S
 
* packer: /tmp (TMPDIR)
 
* yaourt: /tmp (yaourtrc)
 
  
-- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 18:16, 1 April 2016 (UTC)
+
My initial plan was to keep such an implementation in a man page {{ic|aurhelper(7)}} (hosted as part of aurutils), but we can consider including on a sub-page of this article. It could be then linked from the comparison table. Thoughts? -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 13:28, 8 March 2018 (UTC)
  
: Yes, this could be useful. Although you'd want not to use color here, since users that know what they're doing would prefer to use /tmp (or setting up BUILDDIR to /tmp). --[[User:Spyhawk|Spyhawk]] ([[User talk:Spyhawk|talk]]) 11:15, 3 April 2016 (UTC)
+
: Generally agree with the idea, but I don't think there is a way around a set of PKGBUILDs that could be used to test helpers in a local AUR instance. F.e., I wouldn't define a "reliable" helper that doesn't handle split packages well. Since helpers are tolerated rather than supported, upstream limitations of the AUR might be temporary or permanent, meaning the limitation would actually be in the helper itself (f.e. like regex support). Also, I'd use pseudo code for such a reference as the actual implementation itself doesn't matter, unless you'd like to write a new minimalist helper. [[User:Spyhawk|Spyhawk]] ([[User talk:Spyhawk|talk]]) 15:26, 8 March 2018 (UTC)
  
:: +1. see also [[#Multi-thread support]]. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 11:33, 3 April 2016 (UTC)
+
::Apart from {{Bug|56602}}, I can't think of a case where upstream ''opposed'' removing limitations, even if helpers directly benefited. cf. the regex support discussed in [https://lists.archlinux.org/pipermail/aur-dev/2016-May/004036.html] or the exit codes finally introduced in makepkg 5.1 which made automatic building significantly easier imo. To me it seems that the main reason we have these AUR limations is due to the minimal interest of helper writers in contributing upstream, and upstream itself having different priorities. Not sure why former is the case, the PHP codebase may play part in it - at least it does for me.
::: Well, while it does have benefits for some users, it's still a bad default. As you say though, this is easy enough to change either way, unlike any of the behaviour described in the other columns.
+
::You can keep ''dash'' close enough to pseudo-code, I guess less so if you want a complete example rather than exemplary code blocks. For the PKGBUILD set, I use this: [https://github.com/AladW/aurutils-test/blob/master/package.t#L11-L31] -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 18:34, 8 March 2018 (UTC)
::: We could leave out the colors, but mention the drawbacks/benefits in the "meanings" paragraph. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 13:35, 4 April 2016 (UTC)
 
  
:::: It is bad default because some users have no idea about what they are doing, but this is strictly related to user preferences. Adding the meaning instead of colors sounds like the perfect solution to me. --[[User:Spyhawk|Spyhawk]] ([[User talk:Spyhawk|talk]]) 14:35, 4 April 2016 (UTC).
+
::: My understanding is that changes that aren't invasive will be accepted upstream, but otherwise might be rejected (see [https://lists.archlinux.org/pipermail/aur-dev/2018-January/004421.html]). One prominent example that comes to mind is {{Bug|48796}}. It's not really relevant anymore since x86 has been officially dropped, but the solution would involve duplicating DB tables on the server, which isn't trivial to implement/migrate. Many of the feature requests involve non-trivial code change, which is the main reason nobody pushed patches; I dislike PHP but the language itself isn't too hard either. For regex, see the bottom of [https://lists.archlinux.org/pipermail/aur-dev/2016-May/004044.html], which is the follow-up of your link above.
 +
::: Your testsuite seems interesting (thanks for the link), but one advantage of having a fixed set of packages is that these packages might be updated and change, making these edge cases difficult to test. This happened quite a few times with my own list of test packages in the past and this was rather annoying. [[User:Spyhawk|Spyhawk]] ([[User talk:Spyhawk|talk]]) 20:20, 8 March 2018 (UTC)
  
== Multi-thread support ==
+
== Add pacui to the table? ==
  
This also made me wonder if tools differentiate regarding multi-thread support (seems related, e.g. cower has a defaulted option for it). --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 11:33, 3 April 2016 (UTC)
+
[https://github.com/excalibur1234/pacui] {{AUR|pacui}} is kind of an aur-helper-helper. It wraps AUR helpers to provide a nice tui and also adds some of its own features. I don't really use it my self so I can't comment on how it would fit in the table/what results it would get. Just wondering if it fits here. [[User:Morganamilo|Morganamilo]] ([[User talk:Morganamilo|talk]]) 07:27, 11 June 2018 (UTC)
  
: AFAIK, besides cower, packer [http://kmkeen.com/multithreaded-bash/] and bauerbill ({{ic|download.sh}} amongst others) have multiple threads. aurutils also uses aria2c for downloads, if that counts.
+
:Seems to be aimed at Manjaro going by the amount of partial upgrade it runs (e.g. [https://github.com/excalibur1234/pacui/blob/master/pacui#L1251]) and weird stuff like "update systemd first". Former alone makes it unsuitable for inclusion in the wiki.
: The benefits of multiple threads are however not always clear:
+
:There's some other of these GUIs around that might fit though, like {{AUR|argon}}. Not sure where to put them; a separate section perhaps? They don't really have unique functionality of their own besides a modified user interface. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 09:50, 11 June 2018 (UTC)
:: * by my understanding, cower uses multiple threads, but with one query per package [https://github.com/falconindy/cower/blob/master/cower.c#L667] (compare against multiinfo).
 
:: * More generally, tasks (like dependency solving) can be sped up by using different methods which need to be called less often
 
:: * Building packages would almost always be done sequentially: dependencies have to be installed (resulting in pacman locks), and there's {{ic|-j}} in {{ic|makepkg.conf}} anyway.
 
: Regardless, there are some large differences in AUR helper speed (with bauerbill being ahead of the rest). But I'm not sure how to quantify this in the table ... -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 12:31, 3 April 2016 (UTC)
 
  
:: Multi-thread support doesn't necessarily mean the helper is better. In cower case, multi-thread support was implemented before multiinfo was available in the RPC interface, and as of today using multiinfo is less complex and faster than using multiple info threads. Since it is difficult to implement multiinfo support without an important rewrite, cower multithreading is more a drawback than an advantage.
+
::A new section like [[Pacman tips#Graphical front-ends]] could work. Probably wont be too useful if argon ends up being the only one that's suitable for inclusion. [[User:Morganamilo|Morganamilo]] ([[User talk:Morganamilo|talk]]) 12:37, 11 June 2018 (UTC)
:: As for speed, it's indeed very hard to quantify in a meaningful manner. For example, pacaur dependency solver is slower than bauerbill's solver, but on the other hand it is designed to compute more stuff than other helpers up front in order to avoid bothering the user once the install process is started. --[[User:Spyhawk|Spyhawk]] ([[User talk:Spyhawk|talk]]) 13:42, 3 April 2016 (UTC)
 
  
::: Interesting. Actually, I did not want to induce a "speed" column, rather the opposite. As you both say, always very difficult to choose a fairly universal/comparable benchmark, so "speed" as such is better be left out of comparison (as a column). If one wants to mention it, it might be useful to have a general remark at the top of the table, or somewhere else in the article, quoting some of the influencing factors you name; perhaps linking to (re -j) [[Makepkg#MAKEFLAGS]] and (re Skyhawk's remark above) [[Makepkg#Improving compile times]]. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 14:01, 3 April 2016 (UTC)
+
== <s>Native pacman criteria and IO manipulation</s> ==
  
== <s>Unmaintained Aur Helpers</s> ==
+
Superseded by [[#Native pacman revisited]]. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 17:28, 14 July 2018 (UTC)
  
It seems my edit to adding the info about Pacaur being unmaintained was reverted. Are we not allowed to mark aur helpers as unmaintained? What is the proper way to go about letting users know that things like Pacaur are now unmaintained upstream?[https://github.com/rmarquis/pacaur] {{unsigned|19:33, 18 December 2017‎|Ase1590}}
+
=== <s>Proposal summary</s> ===
  
:Unmaintained helpers are not a big deal since helpers should only be used by people who can solve their own problems (as indicated by the warning at the top of the article). However, if you can demonstrate that a helper ''actually stops working'' in a general sense, with no community interest to fix it, you can remove them from the article. (and file a request on AUR as well) -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 18:43, 18 December 2017 (UTC)
+
: do not separate commands ''or their actions''
 +
: do not suppress or force pacman behavior by using anything besides native pacman flags, e. g. by altering stdin, stdout
 +
or (proposed in issue #201)
 +
: do not modify the pacman prompt
  
::I would argue that an [unmaintained] tag would be helpful for quickly finding an AUR helper instead of having to futz around on github pages to see that it has not be updated in X amount of months/years and that it has been abandoned. I agree that if an aur helper ''actually'' broke due to some update, that it would be a candidate for removal from the AUR helper page. The whole point of wiki info is for at-glance quick info, otherwise, it'd be documentation and not a wiki. [[User:Ase1590|Ase1590]] ([[User talk:Ase1590|talk]]) 18:59, 18 December 2017 (UTC)
+
Latter might be overly broad as it includes --noconfirm, but it might make sense when adding "by default". Note: --ask "modifies" the prompt in the sense that it reverses it. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 09:00, 15 June 2018 (UTC)
  
:::That brings other issues. First, you'd have to make a reasonable definition of "unmaintained". Should it be an official statement from the maintainer where he distances himself from the project? Should it be some fixed interval between commits? Should it be how upstream cares for outstanding issues? If you include the last two criteria, 90% of the AUR helpers on this page classifies as "unmaintained" and the value of the tag is lost.
+
== Expand Secure criteria to include other (non-PKGBUILD) bundled files ==
:::Second, the "unmaintained" information would have to be continually checked to keep the page factual, which for 23 helpers in [[AUR helpers#Build and search]] alone is hardly reasonable. Especially when you as the user already has a nice table at the bottom, which narrows down your choice to 3-4 projects (entries with all the green) already. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 19:14, 18 December 2017 (UTC)
 
  
::::I think we can use your first definition of unmaintained as the formal definition for this page. The developer of Pacaur has made an official statement where he is distancing himself. As for the second point, the "continually checked" argument does not make sense for a wiki, as users are free to edit and update information whenever. All wiki pages can be subject to information rot, just look at some of the less common non-english pages in the arch wiki, which have in one instance in IRC displayed information about configuring arch prior to Systemd integration. Wikis stay up to date so long as other users contribute. [[User:Ase1590|Ase1590]] ([[User talk:Ase1590|talk]]) 19:29, 18 December 2017 (UTC)
+
[https://github.com/Jguer/yay/issues/493], in particular [https://github.com/Jguer/yay/issues/493#issuecomment-402522467]
  
:::::It still makes no sense to me as it punishes projects for maintainers declaring them as unmaintained. Other projects could make no such announcement and be left in a far worse state, yet as they would not be marked as "unmaintained", would be prioritized in their consideration. (which again, is not deserved) -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 19:32, 18 December 2017 (UTC)
+
The new criteria would be as follows:
 +
* PKGBUILD, no other files -> Partial
 +
* Other subset of files that includes the PKGBUILD -> Partial
 +
* No PKGBUILD -> No
 +
* All files in the git repo or tar archive -> Yes
  
:::::: I suppose we could add a softer toned tag such as [project maintainer needed] that way this instead encourages people to pick it up upstream when reading. Formally abandoned packages are going to lose support over time anyway from social media like reddit and those subscribed to the project via things like github, and it can't be helped (especially if the package outright becomes broken/incompatible). [[User:Ase1590|Ase1590]] ([[User talk:Ase1590|talk]]) 19:41, 18 December 2017 (UTC)
+
Similar to the ''Diff view'' column. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 16:32, 4 July 2018 (UTC)
  
::::::: That's a notion I can support. I'm not sure on the best format to add such a tag to the page. It seems out of place in the "Specificity" column of the comparison table (since it's not a feature of the project); on the other hand, it's more in plain view there and e.g. aura already mentions an aspect not strictly feature-related (the need for ArchHaskell). -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 19:51, 18 December 2017 (UTC)
+
: good idea, you also mentioned this for aurman a few months ago, see: https://github.com/polygamma/aurman/issues/25#issuecomment-371971155 really a good idea to implement it in a way, so that changes of all known files are being shown [[User:Polygamma|Polygamma]] ([[User talk:Polygamma|talk]]) 17:07, 4 July 2018 (UTC)
  
:::::::: How about [https://wiki.archlinux.org/index.php?title=AUR_helpers&diff=503126&oldid=503125] -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 19:57, 18 December 2017 (UTC)
+
: "All files in the git repo or tar archive -> Yes" What exactly do you mean by all files? Build files often contain non text files such as images. Git diff is smart enough to hide these but then you could consider that partial because not all files are covered.
 +
: In my opinion all a helper has to do to be secure it pause and allow the user to read the build files. The helper does not even need to offer to open them for you that's the user's responsibility. Anything more than that is nice to have but not strictly needed. [[User:Morganamilo|Morganamilo]] ([[User talk:Morganamilo|talk]]) 20:25, 4 July 2018 (UTC)
  
::::::::: I like this, though it might look more pleasing if it were moved under the Build and Search heading at the end of the pacaur description, though that ''could'' just be my OCD just kicking in. [[User:Ase1590|Ase1590]] ([[User talk:Ase1590|talk]]) 20:06, 18 December 2017 (UTC)
+
:: If this qualifies as "nice to have", there has to be an explicit warning that a green entry in the "Secure" column does not cover other files, files which may cause more harm than the PKGBUILD itself (such as {{ic|.install}} files or exectuables called from the PKGBUILD). In either case it's misleading, since you either give the impression that viewing PKGBUILDs alone is sufficient (with the current criteria), or include a warning that diminguishes the value of the criteria in the first place.
 +
:: Latter is similar to "Native pacman", in that you have a warning at the article top warning against any sort of pacman wrapping, and criteria in the table that ignore this warning, or even reward behavior which goes against it. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 17:07, 8 July 2018 (UTC)
  
:::::::::: Feel free to make the change. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 20:13, 18 December 2017 (UTC)
+
::: That's a fair point, what about changing the name to "show files before sourcing" or something? Seems more accurate. Then it would make sense that not showing .install files to be partial. The only problem I see that it's not as hard hitting as "secure". [[User:Morganamilo|Morganamilo]] ([[User talk:Morganamilo|talk]]) 20:11, 8 July 2018 (UTC)
  
::::::::::: After thinking about it, I think yours is best. Most attention will be focused on the table as you said earlier, so if the aim is to attract new contributers to a project then it makes most sense for it to be in the highest visibility area, which in this case is the comparison table -- 21:19, 18 December 2017‎ Ase1590
+
:::: It cuts both ways: it's an effective deterrent against broken helpers, but it also gives the impression that using a "Secure" helper makes usage of the AUR safe, which it definitely doesn't. I'm not sure on what different name to use, though. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 17:25, 14 July 2018 (UTC)
  
== Reliable solver  ==
+
::::: I guess "File view" could work. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 17:44, 14 July 2018 (UTC)
  
https://aur.archlinux.org/packages/plasma-git-meta/ have some missing dependencies:
+
== Native pacman revisited ==
  discover-git
 
  oxygen-git
 
  
Which other package can I use to test the criteria of being a reliable solver?
+
As a follow-up to [[#Expand_Secure_criteria_to_include_other_.28non-PKGBUILD.29_bundled_files]], the way "Native pacman" is used is misleading, since it depicts wrapping {{ic|pacman}} as a generally positive thing. This contradicts the warning bundled with the criteria, as well that using the same syntax for official and user-submitted packages blurs the lines between packages that are supported, and packages that might arbitrary broken things; latter requiring careful attention before installation.
[[User:Actionless|Actionless]] ([[User talk:Actionless|talk]]) 19:24, 5 February 2018 (UTC)
 
  
:Try plasma-desktop-git or ros-indigo-desktop. I tried testing it myself but couldn't since pkaur failed immediately with a python traceback. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 10:05, 5 February 2018 (UTC)
+
I see some alternatives:
  
:: `ros-indigo-desktop` failed because it depends on https://aur.archlinux.org/packages/ros-indigo-catkin/ which depends on `python2-catkin-pkg` (which provided by https://aur.archlinux.org/packages/python2-catkin_pkg/). However AUR RPC seems to be not supports search by Provides field:
+
* Remove the column and move any entries that go against it to "problematic". The description of [[AUR_helpers#Discontinued_or_problematic]] would be adapted accordingly.
:: https://aur.archlinux.org/rpc/?v=5&type=search&arg=python2-catkin-pkg&by=name-desc
+
* Keep the column but remove Green/Grey colors, potentially renaming both the column and its entries.
:: https://aur.archlinux.org/rpc/?v=5&type=info&arg[]=python2-catkin-pkg
 
  
:: For `plasma-desktop-git` i've got dependencies resolved (hopefully correctly):  
+
There's benefits in both approaches but implementing the first is less effort. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 17:21, 14 July 2018 (UTC)
:: https://imgur.com/a/9dA5S however it's gonna build for month or so on my hardware. Mb there is some way to reproduce it with some simpler example? [[User:Actionless|Actionless]] ([[User talk:Actionless|talk]]) 19:24, 5 February 2018 (UTC)
+
-- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 17:21, 14 July 2018 (UTC)

Latest revision as of 17:44, 14 July 2018

Note: Moderation — If your AUR helper does partial upgrades without explicit user intervention (i.e, specifying -Sy on the command line), it has no place on this page or anywhere else on ArchWiki. No exceptions. -- Alad (talk) 09:37, 20 September 2015 (UTC)

"Reference" implementation

This is an alternative to #Reliable_Updater. Instead of an arbitrary set of test packages, we could write up a "specification" on what a reliable AUR helper should do. This should also be more helpful for potential AUR helper writers who otherwise have to wade through complex, fully-featured AUR helpers.

I propose a minimal reference implementation with the following points:

  • No client-side workarounds for upstream limitations. In particular, a reference implementation does not need to score full points on split packages, as makepkg --pkg was removed with pacman 5.
  • Minimal language constructs in e.g. a scripting language like dash.
  • Prefer simplicity of implementation over being fully featured. In particular, an implementation may only support git clone and not git diff.

My initial plan was to keep such an implementation in a man page aurhelper(7) (hosted as part of aurutils), but we can consider including on a sub-page of this article. It could be then linked from the comparison table. Thoughts? -- Alad (talk) 13:28, 8 March 2018 (UTC)

Generally agree with the idea, but I don't think there is a way around a set of PKGBUILDs that could be used to test helpers in a local AUR instance. F.e., I wouldn't define a "reliable" helper that doesn't handle split packages well. Since helpers are tolerated rather than supported, upstream limitations of the AUR might be temporary or permanent, meaning the limitation would actually be in the helper itself (f.e. like regex support). Also, I'd use pseudo code for such a reference as the actual implementation itself doesn't matter, unless you'd like to write a new minimalist helper. Spyhawk (talk) 15:26, 8 March 2018 (UTC)
Apart from FS#56602, I can't think of a case where upstream opposed removing limitations, even if helpers directly benefited. cf. the regex support discussed in [1] or the exit codes finally introduced in makepkg 5.1 which made automatic building significantly easier imo. To me it seems that the main reason we have these AUR limitations is due to the minimal interest of helper writers in contributing upstream, and upstream itself having different priorities. Not sure why former is the case, the PHP codebase may play part in it - at least it does for me.
You can keep dash close enough to pseudo-code, I guess less so if you want a complete example rather than exemplary code blocks. For the PKGBUILD set, I use this: [2] -- Alad (talk) 18:34, 8 March 2018 (UTC)
My understanding is that changes that aren't invasive will be accepted upstream, but otherwise might be rejected (see [3]). One prominent example that comes to mind is FS#48796. It's not really relevant anymore since x86 has been officially dropped, but the solution would involve duplicating DB tables on the server, which isn't trivial to implement/migrate. Many of the feature requests involve non-trivial code change, which is the main reason nobody pushed patches; I dislike PHP but the language itself isn't too hard either. For regex, see the bottom of [4], which is the follow-up of your link above.
Your testsuite seems interesting (thanks for the link), but one advantage of having a fixed set of packages is that these packages might be updated and change, making these edge cases difficult to test. This happened quite a few times with my own list of test packages in the past and this was rather annoying. Spyhawk (talk) 20:20, 8 March 2018 (UTC)

Add pacui to the table?

[5] pacuiAUR is kind of an aur-helper-helper. It wraps AUR helpers to provide a nice tui and also adds some of its own features. I don't really use it myself so I can't comment on how it would fit in the table/what results it would get. Just wondering if it fits here. Morganamilo (talk) 07:27, 11 June 2018 (UTC)

Seems to be aimed at Manjaro going by the amount of partial upgrade it runs (e.g. [6]) and weird stuff like "update systemd first". Former alone makes it unsuitable for inclusion in the wiki.
There's some other of these GUIs around that might fit though, like argonAUR. Not sure where to put them; a separate section perhaps? They don't really have unique functionality of their own besides a modified user interface. -- Alad (talk) 09:50, 11 June 2018 (UTC)
A new section like Pacman tips#Graphical front-ends could work. Probably won't be too useful if argon ends up being the only one that's suitable for inclusion. Morganamilo (talk) 12:37, 11 June 2018 (UTC)

Native pacman criteria and IO manipulation

Superseded by #Native pacman revisited. -- Alad (talk) 17:28, 14 July 2018 (UTC)

Proposal summary

do not separate commands or their actions
do not suppress or force pacman behavior by using anything besides native pacman flags, e. g. by altering stdin, stdout

or (proposed in issue #201)

do not modify the pacman prompt

Latter might be overly broad as it includes --noconfirm, but it might make sense when adding "by default". Note: --ask "modifies" the prompt in the sense that it reverses it. -- Alad (talk) 09:00, 15 June 2018 (UTC)

Expand Secure criteria to include other (non-PKGBUILD) bundled files

[7], in particular [8]

The new criteria would be as follows:

  • PKGBUILD, no other files -> Partial
  • Other subset of files that includes the PKGBUILD -> Partial
  • No PKGBUILD -> No
  • All files in the git repo or tar archive -> Yes

Similar to the Diff view column. -- Alad (talk) 16:32, 4 July 2018 (UTC)

good idea, you also mentioned this for aurman a few months ago, see: https://github.com/polygamma/aurman/issues/25#issuecomment-371971155 really a good idea to implement it in a way, so that changes of all known files are being shown Polygamma (talk) 17:07, 4 July 2018 (UTC)
"All files in the git repo or tar archive -> Yes" What exactly do you mean by all files? Build files often contain non text files such as images. Git diff is smart enough to hide these but then you could consider that partial because not all files are covered.
In my opinion all a helper has to do to be secure is pause and allow the user to read the build files. The helper does not even need to offer to open them for you; that's the user's responsibility. Anything more than that is nice to have but not strictly needed. Morganamilo (talk) 20:25, 4 July 2018 (UTC)
If this qualifies as "nice to have", there has to be an explicit warning that a green entry in the "Secure" column does not cover other files, files which may cause more harm than the PKGBUILD itself (such as .install files or executables called from the PKGBUILD). In either case it's misleading, since you either give the impression that viewing PKGBUILDs alone is sufficient (with the current criteria), or include a warning that diminishes the value of the criteria in the first place.
Latter is similar to "Native pacman", in that you have a warning at the article top warning against any sort of pacman wrapping, and criteria in the table that ignore this warning, or even reward behavior which goes against it. -- Alad (talk) 17:07, 8 July 2018 (UTC)
That's a fair point, what about changing the name to "show files before sourcing" or something? Seems more accurate. Then it would make sense that not showing .install files to be partial. The only problem I see is that it's not as hard hitting as "secure". Morganamilo (talk) 20:11, 8 July 2018 (UTC)
It cuts both ways: it's an effective deterrent against broken helpers, but it also gives the impression that using a "Secure" helper makes usage of the AUR safe, which it definitely doesn't. I'm not sure on what different name to use, though. -- Alad (talk) 17:25, 14 July 2018 (UTC)
I guess "File view" could work. -- Alad (talk) 17:44, 14 July 2018 (UTC)
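
The criteria proposed in this section, applied to a build directory, as an added example that is not part of the original discussion or of any helper's code. The function names, the sample files and the NUL-byte test for binary files are assumptions made for illustration; binary files a helper did not show are reported separately, since the thread leaves open how they should count.

```python
import os
import tempfile


def list_build_files(build_dir):
    """Every file in the git checkout or extracted tar archive, relative to its root."""
    found = []
    for root, dirs, files in os.walk(build_dir):
        dirs[:] = [d for d in dirs if d != ".git"]  # git metadata is not a build file
        for name in files:
            found.append(os.path.relpath(os.path.join(root, name), build_dir))
    return sorted(found)


def is_binary(path, probe=8000):
    """Assumed heuristic: a NUL byte near the start means it cannot be read as text."""
    if os.path.islink(path):
        return False  # report symlinks by name instead of following them
    with open(path, "rb") as fh:
        return b"\0" in fh.read(probe)


def rate_file_view(build_dir, shown):
    """Rate a helper from the files it displayed before building.

    Returns (rating, text files not shown, binary files not shown).
    """
    files = list_build_files(build_dir)
    # Only count displayed paths that really exist in the build directory.
    shown = {os.path.normpath(p) for p in shown} & set(files)
    missing = [f for f in files if f not in shown]
    missing_bin = [f for f in missing if is_binary(os.path.join(build_dir, f))]
    missing_txt = [f for f in missing if f not in missing_bin]
    if "PKGBUILD" not in shown:
        rating = "No"        # No PKGBUILD -> No
    elif missing:
        rating = "Partial"   # PKGBUILD alone, or another subset including it
    else:
        rating = "Yes"       # all files in the git repo or tar archive
    return rating, missing_txt, missing_bin


def make_sample(build_dir):
    """Constructed sample package: two text build files, metadata and an image."""
    samples = {
        "PKGBUILD": b"pkgname=example\ninstall=example.install\n",
        "example.install": b"post_install() {\n  echo installed\n}\n",
        ".SRCINFO": b"pkgbase = example\n",
        "icon.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    }
    for name, data in samples.items():
        with open(os.path.join(build_dir, name), "wb") as fh:
            fh.write(data)


def demo():
    """Rate four hypothetical helper behaviours against the sample package."""
    with tempfile.TemporaryDirectory() as d:
        make_sample(d)
        return {
            "pkgbuild_only": rate_file_view(d, ["PKGBUILD"]),
            "install_only": rate_file_view(d, ["example.install"]),
            "text_only": rate_file_view(
                d, ["PKGBUILD", "example.install", ".SRCINFO"]),
            "everything": rate_file_view(d, list_build_files(d)),
        }


if __name__ == "__main__":
    for case, (rating, txt, binary) in demo().items():
        print(f"{case}: {rating}; unseen text={txt}; unseen binary={binary}")
```

The `text_only` case is the one raised in the thread: every readable file was shown, yet the image was not, so under a strict reading of "all files" the result is still Partial.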

Native pacman revisited

As a follow-up to #Expand_Secure_criteria_to_include_other_.28non-PKGBUILD.29_bundled_files, the way "Native pacman" is used is misleading, since it depicts wrapping pacman as a generally positive thing. This contradicts the warning bundled with the criteria, as well that using the same syntax for official and user-submitted packages blurs the lines between packages that are supported, and packages that might arbitrarily break things; latter requiring careful attention before installation.

I see some alternatives:

  • Remove the column and move any entries that go against it to "problematic". The description of AUR_helpers#Discontinued_or_problematic would be adapted accordingly.
  • Keep the column but remove Green/Grey colors, potentially renaming both the column and its entries.

There's benefits in both approaches but implementing the first is less effort. -- Alad (talk) 17:21, 14 July 2018 (UTC)