Difference between revisions of "Talk:AUR helpers"

From ArchWiki
m (Remove "optional" distinction from File review: rw)
 
(904 intermediate revisions by 32 users not shown)
Line 1: Line 1:
Authors of each front end should post a short (2-3 line) description of their creation, along with a homepage link and an AUR link (where applicable). A link to a screenshot page would also be nice (if applicable).
+
== "Reference" implementation ==
  
== Secure column in comparison table ==
+
This is an alternative to [[Special:Diff/525492#Reliable Updater|#Reliable Updater]]. Instead of an arbitrary set of test packages, we could write up a "specification" on what a reliable AUR helper should do. This should also be more helpful for potential AUR helper writers who otherwise have to wade through complex, fully-featured AUR helpers.
  
Description says "tries to protect the user", I don't know what "tries" means but if we take the default behavior of aur helpers marked as secure :
+
I propose a minimal reference implementation with the following points:
*owl remains on cower to download deps so, it doesn't source PKGBUILD but calls makepkg without further questions, so finally, PKGBUILD is sourced.
 
*aura does the same
 
*pbfetch sources PKGBUILD (even if it removes build ())
 
*pacaur sources PKGBUILD (it can be configured to remains on cower)
 
...
 
  
As far as I know, only cower is secure (it builds/installs nothing) and spinach (and pacaur with secure on) ask before calling makepkg.
+
* No client-side workarounds for upstream limitations. In particular, a reference implementation does not need to score full points on split packages, as {{ic|makepkg --pkg}} was removed with pacman 5.
 +
* Minimal language constructs in e.g. a scripting language like {{Pkg|dash}}.
 +
* Prefer simplicity of implementation over being fully featured. In particular, an implementation may only support git clone and not git diff.
  
The only thing secure in dealing with AUR package is knowing what AUR is about.
+
My initial plan was to keep such an implementation in a man page {{ic|aurhelper(7)}} (hosted as part of aurutils), but we can consider including on a sub-page of this article. It could be then linked from the comparison table. Thoughts? -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 13:28, 8 March 2018 (UTC)
  
[[User:Tuxce|Tuxce]] ([[User talk:Tuxce|talk]]) 12:50, 26 April 2013 (UTC)
+
: Generally agree with the idea, but I don't think there is a way around a set of PKGBUILDs that could be used to test helpers in a local AUR instance. F.e., I wouldn't define a "reliable" helper that doesn't handle split packages well. Since helpers are tolerated rather than supported, upstream limitations of the AUR might be temporary or permanent, meaning the limitation would actually be in the helper itself (f.e. like regex support). Also, I'd use pseudo code for such a reference as the actual implementation itself doesn't matter, unless you'd like to write a new minimalist helper. [[User:Spyhawk|Spyhawk]] ([[User talk:Spyhawk|talk]]) 15:26, 8 March 2018 (UTC)
: I think it only means asking the user to look and check PKGBUILD, especially for download URL. So it can be renamed to "Check PKGBUILD". -- [[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 00:13, 27 April 2013 (UTC)
 
::My guess is that the "Secure" column is an adaptation of the "Manually Parses PKGBUILD*" column in [https://wiki.archlinux.org/index.php?title=AUR_Helpers&oldid=245047#Comparison_Table this old revision], see also the note at the bottom. -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 06:50, 28 April 2013 (UTC)
 
:::Given that at the end, all AUR helpers (except cower) call makepkg, PKGBUILD are sourced, so I think it should be removed. The word "secure" is just confusing.
 
:::For example, aurget can be considered more "secure" than owl or aura as it asks to review PKGBUILD before it is sourced.
 
:::[[User:Tuxce|Tuxce]] ([[User talk:Tuxce|talk]]) 20:05, 28 April 2013 (UTC)
 
::::Agreed, "Secure" without any kind of explanation doesn't mean anything. -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 11:43, 29 April 2013 (UTC)
 
  
::::: "Secure" simply means the PKGBUILDs aren't sourced ***before*** the user has a chance to inspect the PKGBUILD himself. Makepkg does source the PKGBUILD obviously, it doesn't mean using it is insecure (but using it blindly is). For example, packer sources the PKGBUILD before showing it to the user, unless the --preview option is passed. And so does pacaur (when using the bash solver), although the PKGBUILDs are scanned for potential malicious pseudo code using sudo. Spyhawk 12:07, 15 May 2013 (UTC)
+
::Apart from {{Bug|56602}}, I can't think of a case where upstream ''opposed'' removing limitations, even if helpers directly benefited. cf. the regex support discussed in [https://lists.archlinux.org/pipermail/aur-dev/2016-May/004036.html] or the exit codes finally introduced in makepkg 5.1 which made automatic building significantly easier imo. To me it seems that the main reason we have these AUR limitations is due to the minimal interest of helper writers in contributing upstream, and upstream itself having different priorities. Not sure why former is the case, the PHP codebase may play part in it - at least it does for me.
 +
::You can keep ''dash'' close enough to pseudo-code, I guess less so if you want a complete example rather than exemplary code blocks. For the PKGBUILD set, I use this: [https://github.com/AladW/aurutils-test/blob/master/package.t#L11-L31] -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 18:34, 8 March 2018 (UTC)
  
::::::So, just to include also cower in the definition, I think a more correct formulation would be: ''"Secure means that the application, by default, doesn't source the PKGBUILD at all, or, before doing it, reminds the user and offers him the opportunity to inspect it manually"''.
+
::: My understanding is that changes that aren't invasive will be accepted upstream, but otherwise might be rejected (see [https://lists.archlinux.org/pipermail/aur-dev/2018-January/004421.html]). One prominent example that comes to mind is {{Bug|48796}}. It's not really relevant anymore since x86 has been officially dropped, but the solution would involve duplicating DB tables on the server, which isn't trivial to implement/migrate. Many of the feature requests involve non-trivial code change, which is the main reason nobody pushed patches; I dislike PHP but the language itself isn't too hard either. For regex, see the bottom of [https://lists.archlinux.org/pipermail/aur-dev/2016-May/004044.html], which is the follow-up of your link above.
::::::Note though that the inspection of a PKGBUILD is always a separate human operation that the user has to do deliberately, and it's independent of the helper being used; this means that every "secure" application can be used insecurely if the user doesn't inspect the PKGBUILD, and vice versa every "insecure" application can be used securely if e.g. the user inspects the PKGBUILD through the AUR website.
+
::: Your testsuite seems interesting (thanks for the link), but one advantage of having a fixed set of packages is that these packages might be updated and change, making these edge cases difficult to test. This happened quite a few times with my own list of test packages in the past and this was rather annoying. [[User:Spyhawk|Spyhawk]] ([[User talk:Spyhawk|talk]]) 20:20, 8 March 2018 (UTC)
::::::Also, the "by default" clause is IMHO very important, in fact you could for example use packer with an alias that runs it with the --preview flag, thus making it a "secure" application, with just such a minimal change.
 
::::::By the way, I haven't used yaourt for a while, but IIRC it used to let the user review the PKGBUILD after downloading it; it's not clear why it's not considered secure.
 
::::::In the end, my opinion is that every application offers different degrees of security, and trying to sum all up in a Yes/No column is too simplistic: I would leave more verbose security considerations in the descriptions of every application above the table, or at least I would add some words in the "Specificity" column.
 
:::::: -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 16:41, 18 May 2013 (UTC)
 
  
::::::: I like your definition, but a shorter one would be welcome (if that is possible?). Of course the security of helper heavily depends on the user, but it is expected to take his full responsibility and check the PKGBUILDs. An "insecure" helper simply has a security flaw, independently of the user.
+
== Expand Secure criteria to include other (non-PKGBUILD) bundled files ==
::::::: Yaourt does scan dependencies before letting the user having a look at the PKGBUILDs, so that is similar to what packer does by default. However, yaourt seems to do some other step in between but I haven't been able to understand why and for which purpose (yaourt's code is a bit cryptic to me, Tuxce might better explain what this is fully about here).
+
 
::::::: I do agree that it is hard to summarize the security aspect with a "Yes/No" box only, and so is the accuracy of the dependencies solver. Security is always done at the expense of the efficiency of the helper, and actually the "fully secure" helpers are also the worst in solving dependencies. On the other hand, bash solvers are fully accurate, but are the least secure. Hopefully, this issue will be solved soon and the JSON rpc interface will become much more reliable, so helpers could entirely rely on it instead of looking at the downloaded PKGBUILDs.
+
[https://github.com/Jguer/yay/issues/493], in particular [https://github.com/Jguer/yay/issues/493#issuecomment-402522467]
::::::: [[User:Spyhawk|Spyhawk]] ([[User talk:Spyhawk|talk]]) 12:18, 19 May 2013 (UTC)
+
 
 +
The new criteria would be as follows:
 +
* PKGBUILD, no other files -> Partial
 +
* Other subset of files that includes the PKGBUILD -> Partial
 +
* No PKGBUILD -> No
 +
* All files in the git repo or tar archive -> Yes
 +
 
 +
Similar to the ''Diff view'' column. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 16:32, 4 July 2018 (UTC)
 +
 
 +
: good idea, you also mentioned this for aurman a few months ago, see: https://github.com/polygamma/aurman/issues/25#issuecomment-371971155 really a good idea to implement it in a way, so that changes of all known files are being shown [[User:Polygamma|Polygamma]] ([[User talk:Polygamma|talk]]) 17:07, 4 July 2018 (UTC)
 +
 
 +
: "All files in the git repo or tar archive -> Yes" What exactly do you mean by all files? Build files often contain non text files such as images. Git diff is smart enough to hide these but then you could consider that partial because not all files are covered.
 +
: In my opinion all a helper has to do to be secure is pause and allow the user to read the build files. The helper does not even need to offer to open them for you, that's the user's responsibility. Anything more than that is nice to have but not strictly needed. [[User:Morganamilo|Morganamilo]] ([[User talk:Morganamilo|talk]]) 20:25, 4 July 2018 (UTC)
 +
 
 +
:: If this qualifies as "nice to have", there has to be an explicit warning that a green entry in the "Secure" column does not cover other files, files which may cause more harm than the PKGBUILD itself (such as {{ic|.install}} files or executables called from the PKGBUILD). In either case it's misleading, since you either give the impression that viewing PKGBUILDs alone is sufficient (with the current criteria), or include a warning that diminishes the value of the criteria in the first place.
 +
:: Latter is similar to "Native pacman", in that you have a warning at the article top warning against any sort of pacman wrapping, and criteria in the table that ignore this warning, or even reward behavior which goes against it. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 17:07, 8 July 2018 (UTC)
 +
 
 +
::: That's a fair point, what about changing the name to "show files before sourcing" or something? Seems more accurate. Then it would make sense that not showing .install files to be partial. The only problem I see that it's not as hard hitting as "secure". [[User:Morganamilo|Morganamilo]] ([[User talk:Morganamilo|talk]]) 20:11, 8 July 2018 (UTC)
 +
 
 +
:::: It cuts both ways: it's an effective deterrent against broken helpers, but it also gives the impression that using a "Secure" helper makes usage of the AUR safe, which it definitely doesn't. I'm not sure on what different name to use, though. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 17:25, 14 July 2018 (UTC)
 +
 
 +
::::: I guess "File view" could work. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 17:44, 14 July 2018 (UTC)
 +
 
 +
:::::: The column name was updated to "File review". Are there remaining helpers that only display the PKGBUILD? ({{AUR|trizen}} springs to mind) -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 15:30, 23 August 2018 (UTC)
 +
 
 +
== New test cases for dependency resolution ==
 +
 
 +
ros-foo-desktop-meta have always been difficult to build, even more so with KDE4 libs moved to AUR (see arch-dev-public). Besides the sheer number of dependencies, they otherwise have little interesting properties either.
 +
 
 +
I propose to instead use various cross-compilation packages as test cases, e.g. {{AUR|mingw-w64-zlib}} and {{AUR|powerpc-linux-gnu-gcc}}. These appear very efficient at exposing problems with complex dependency algorithms (see for example [https://github.com/Jguer/yay/issues/695] or ''aurman'''s issues with {{AUR|nsis}}) and don't take 2 years to build either. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 11:34, 14 September 2018 (UTC)
 +
 
 +
:We could also add some simpler cases, like {{AUR|fortune-mod-all-en}}, and add details similar to the ''Split packages'' description. That way, all existing entries with "Yes" in ''Reliable solver'' would at minimum have "Partial". -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 12:01, 14 September 2018 (UTC)
 +
 
 +
:I believe the mingw stuff has a bunch of circular dependencies and a bootstrapping process. Do you think AUR helpers should be expected to handle this? [[User:Morganamilo|Morganamilo]] ([[User talk:Morganamilo|talk]]) 15:25, 14 September 2018 (UTC)
 +
 
 +
:: No, I don't think so. There will always be cases that can only be dealt with reasonably manually, simply because the involved complexity in implementation isn't worth it. See also related discussion [[Talk:AUR_helpers#.22Reference.22_implementation]] above, where a set of fixed reference packages would be better than live packages. No idea how to deal with that without a local AUR instance though. -[[User:Spyhawk|Spyhawk]] ([[User talk:Spyhawk|talk]]) 10:42, 15 September 2018 (UTC)
 +
 
 +
::: The mingw packages haven't had cycles in (global) depends for a while. As such, {{ic|makepkg -r}} works fine for these packages without manual intervention or "bootstrapping". If helpers fail, it may be because of handling split depends contrary to PKGBUILD(5), or other flaws in their dependency algorithms. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 10:05, 18 September 2018 (UTC)
 +
 
 +
== <s>remove Batch interaction 2</s> ==
 +
 
 +
:Some previous discussion: [https://wiki.archlinux.org/index.php?title=Talk:AUR_helpers&oldid=545415#proper_batch_interaction_2_and_3]
 +
On IRC there was some confusion on what "Summary of package upgrades" is supposed to mean. Literally, it means that any (AUR) upgrades or installations a helper will perform are printed to screen, similar to pacman's VerbosePkgLists. This is simple to implement - by definition an AUR helper must know about package names and their versions - and does not warrant a separate mention.
 +
 
 +
Historically, it's about pacman wrappers running -Sy so they can 1. save a single keypress 2. color the output. Former is a questionable argument when all pacman wrappers have a single prompt per package (so potentially hundreds of keypresses), and latter is already available from pacman itself. (with the Color option) As such, I propose to remove batch interaction 2 from the criteria. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 12:52, 7 November 2018 (UTC)
 +
 
 +
:: If I might jump in, I don't think "one less key press" is a valid argument, nor does the color which is orthogonal to the feature. Batch interaction is not strictly about reducing the number of keys one has to enter, but it is about reducing the time required by... well, batching every step at the beginning. Batch 2 is about grouping repo *and* AUR packages summaries and initial validation together, rather than doing the repo packages update, then displaying the AUR summary before the AUR packages update. I'd suggest adjusting the current loose definition here. --[[User:Spyhawk|Spyhawk]] ([[User talk:Spyhawk|talk]]) 14:00, 7 November 2018 (UTC)
 +
 
 +
::You what? The "color" that pacman does, is bold text for some things, making "warning" in yellow and "error" in red, and, for the -Ss or -Qs operations, coloring the repository name in purple, the version in green, and the "[installed]" in light blue.
 +
::But the output of pacman -S(u) contains practically no color, and *significantly* less color than the average AUR helper. Yaourt could be considered the trendsetter in that regard, and it colors each repository differently, as well as making old versions show in green and new versions in red, on top of pacman's existing complete lack of color for that area of the UI.
 +
::Furthermore, the actual main thing which, say, yaourt provides, is 1) grouping AUR updates in the same VerbosePkgLists style, 2) differentiating between packages which are being upgraded, vs. being pkgrel-bumped, vs. being newly installed, 3) listing which package update now requires a new package to be installed. These are fairly significant deviations from pacman's UI, and IMHO more noticeable than the color. -- [[User:Eschwartz|Eschwartz]] ([[User talk:Eschwartz|talk]]) 15:50, 9 November 2018 (UTC)
 +
 
 +
:::So as I understand either argument, neither disagrees with "2" only being relevant to pacman wrappers that run {{ic|pacman -Sy}}. As such, I'm not sure why it should be a general criterium, rather than a specificity. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 13:09, 28 November 2018 (UTC)
 +
 
 +
:::: It's indeed only specific to pacman wrapper, but still an important part of batch interaction (1 action vs 2 actions separated by some amount of time). I'm not sure why it shouldn't be mentioned for the sole reason it only applies to wrappers. I'd suggest to either mention it (with a correct definition), or move all batch interactions as specificity - which I'd personally be fine with. -- [[User:Spyhawk|Spyhawk]] ([[User talk:Spyhawk|talk]]) 15:25, 28 November 2018 (UTC)
 +
 
 +
::::IMHO whether it uses {{ic|pacman -Sy}} is an implementation detail. More importantly, I think it qualifies as a ''dependency'' of batch interaction, but is not, itself, batch interaction.
 +
::::I'd also like to note that Batch interaction #1 is, unless I totally miss my guess, a direct copy of the "file review" column.
 +
::::Neither 2 nor 3 are something which can be universally defined as necessary for robustly doing anything, unlike most columns, and unlike the implementation language aren't fundamentally relevant to all programs by default, I think it is fair to demote them both to specificity as "you may prefer to do it this way instead of that way". -- [[User:Eschwartz|Eschwartz]] ([[User talk:Eschwartz|talk]]) 15:45, 28 November 2018 (UTC)
 +
 
 +
:::::The term "batch interaction" used to be included as a specificity, without explicit definition it was however not clear what this meant. I'm fine to go back to this approach, as long as we have some meaningful definition/term for the separate "batch interaction" aspects.
 +
:::::Regarding #1, it's not a direct copy since "file review" can be done on-demand, i.e. whenever a new PKGBUILD is about to be sourced (yaourt), and not ahead of time before ''any'' build process begins (pacaur & co). -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 14:00, 30 November 2018 (UTC)
 +
 
 +
::::::In a previous discussion we mentioned to have 4-5 entries per Specificity cell. In anticipation of the above additions, I've removed the (imo superficial) "sort by votes/popularity" criterion. Please review: [https://wiki.archlinux.org/index.php?title=AUR_helpers&diff=557839&oldid=557838] -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 16:09, 30 November 2018 (UTC)
 +
 
 +
::::::I guess it is sort of obvious that batch interaction means any features that it has, including file review, will be done via batch operations rather than on-demand. So it is still redundant IMO. -- [[User:Eschwartz|Eschwartz]] ([[User talk:Eschwartz|talk]]) 23:45, 1 December 2018 (UTC)
 +
 
 +
:::::: Unlike a few years ago, batch interaction 1 is now a standard feature in all maintained helpers. It doesn't make much sense to keep an extra column for the sole purpose of mentioning it. I'd move everything to specificity imho. If you need to keep definitions, I'd suggest something like: "Ability to prompt before the build process and package transactions", in particular: 1/ "Inspection of package files or their differences" (same as current), 2/ "Combined summary of repository and AUR package upgrades", 3/ "Resolution of package conflicts and choice of providers." (I'm not sure what the current "installation" refers to here) -- [[User:Spyhawk|Spyhawk]] ([[User talk:Spyhawk|talk]]) 00:30, 2 December 2018 (UTC)
 +
 
 +
::::::: What do you think of "resolve package conflicts" and "combined upgrade" (for 2/ resp. 3/) as specificity? (see my draft). Your descriptions sound good though, and can be referred to from the Specificity column if required. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 11:46, 2 December 2018 (UTC)
 +
 
 +
:::::::: I dislike how my previous suggestions are overly long, but I'm afraid "resolve package conflicts" and "combined upgrade" are too generic and not descriptive enough for someone that doesn't know what batch interaction is. Ideally, these should emphasize that the actions are done prior to build and transactions. Maybe "early conflicts resolution" and "combined upgrade summary"? Rest of the draft LGTM. -- [[User:Spyhawk|Spyhawk]] ([[User talk:Spyhawk|talk]]) 15:37, 2 December 2018 (UTC)
 +
 
 +
::::::::: I prefer the longer descriptions. We can refer to them in the Specificity column, e.g. through ''Batch interaction 2/3''. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 13:54, 8 December 2018 (UTC)
 +
 
 +
::::::::: I just added "batch interaction" for now if the helper at least supports batch 3/. Most of the other stuff in the Specificity column was not interesting (functionality such as AUR comments and ABS support is easily replicated with external tools like {{AUR|aur-talk-git}} or {{Pkg|asp}}) so I've removed it. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 14:10, 8 December 2018 (UTC)
 +
 
 +
== <s>Checkmarks instead of colors</s> ==
 +
 
 +
I propose to use ✅ (U+2705) and ❎ (U+274E) instead of [[Template:Yes]] and [[Template:No]]. While uncommon in the wiki, the checkmarks are more subtle than fully colored cells, and might lead to a more thoughtful response when choosing helpers (compare the common "pick the all green row" responses we have now).
 +
 
 +
Example: [http://i.imgur.com/UzMFr7u.png] -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 16:20, 30 November 2018 (UTC)
 +
 
 +
:That check mark has different appearance depending on [https://emojipedia.org/white-heavy-check-mark/ Emoji font]. There is [[Template:Ya]] and [[Template:Na]] that use colored text-presentation symbols, but one would probably figure out that "pick the all green row" is similar to "pick the row with all checkmarks", especially since both ✅ (U+2705) and [[Template:Ya]] have green color. -- [[User:Svito|Svito]] ([[User talk:Svito|talk]]) 18:28, 30 November 2018 (UTC)
 +
 
 +
:You could also use plain text "Yes" and "No" instead of the templates if you want to skip the colors. But due to the sorting criteria users probably tend to choose from the top... -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 20:29, 30 November 2018 (UTC)
 +
 
 +
::Draft [[User:Alad/AUR_helpers]]:
 +
::* Removes sorting criteria, sort alphabetically instead;
 +
::* Remove batch interaction 2 and 3 as column entries, add "resolve package conflicts" and "combined upgrade" to specificity instead;
 +
::* Replace [[Template:Yes]] with [[Template:Ya]] and [[Template:No]] with [[Template:Na]];
 +
::: As an alternative to the checkmarks (better suited for screenreaders), see: [http://i.imgur.com/hwK9tl9.png]
 +
::* Remove some redundant specificity entries to keep a maximum of 4 entries;
 +
::* Remove Batch interaction 1;
 +
::For the last point, while it's a separate aspect of "file review", 80% of the helpers support it by now. I'd rather have the additional space from having one column less. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 19:06, 1 December 2018 (UTC)
 +
 
 +
:::In line with the added neutrality from removing the sorting criteria, I'd also suggest to move "stalled" entries back (as non-grey entries) to the table. It should already be clear that any helper with crosses across the board is "stalled". -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 19:12, 1 December 2018 (UTC)
 +
 
 +
::::Implemented changes in the draft, apart from the checkmarks due to [[accessibility]] concerns. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 14:15, 8 December 2018 (UTC)
 +
 
 +
== Responsive tables ==
 +
:Moved from [[#Checkmarks instead of colors]]. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 14:14, 8 December 2018 (UTC)
 +
 
 +
The only thing that still bothers me is that even with the limit on the amount of specificities, there's so many columns in the table (especially for pacman wrappers), that on small screens every word is split by a newline. [[User:Morganamilo]] suggested to use README links instead of descriptions, but I'm not sure how that would pan out. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]])
 +
 
 +
:[[User:Larivact/drafts/Template:RespCell]]. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 07:50, 2 December 2018 (UTC)
 +
 
 +
::Thanks, it looks nice on my screen (1366x768): [http://i.imgur.com/chqzSvT.png] -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 13:42, 2 December 2018 (UTC)
 +
 
 +
:::That CSS only takes effect if your browser width is below 600px. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 14:51, 2 December 2018 (UTC)
 +
 
 +
::::So much for placebo effect... -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 15:09, 2 December 2018 (UTC)
 +
 
 +
:::::Yeah I was a bit confused by your response. Just to clarify tables need to be marked up differently for this to work, you can see an example in my draft. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 15:20, 2 December 2018 (UTC)
 +
 
 +
== <s>Restore sections</s> ==
 +
 
 +
I seriously dislike [[Special:Diff/557837]] because it makes the page less accessible and is semantically wrong. You should be able to link any section you like, it is the job of the users to look around when they were linked to a specific section. I think we neither can nor should attempt to make our articles idiot-proof by substituting sections with definition terms.--[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 08:01, 2 December 2018 (UTC)
 +
 
 +
:The only way to make it idiot proof is to either delete this article or make it an alphabetical list - both of which are still very tempting to me. In any case, I don't think the separated tables (with sections or with definition terms) are ideal either - it's only there because pacman wrappers are broken to such an extent they need to be specifically warned against. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 11:44, 2 December 2018 (UTC)
 +
 
 +
:One thing to keep in mind (and the reason for this "special treatment") is that the [[AUR helpers]] article is systematically abused to encourage help vampirism (resp. encouragement to ignore supported distribution tools) by users alike. I've restored the sections for now, but adding {{ic|<nowiki>__NOTOC__</nowiki>}} should be a consideration. It won't prevent copy pasting of links but might at least force the "AUR helpers are not supported" warning into view. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 11:54, 2 December 2018 (UTC)
 +
 
 +
::[https://wiki.archlinux.org/index.php?title=AUR_helpers&diff=558612&oldid=558121], closing -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 13:40, 8 December 2018 (UTC)
 +
 
 +
== <s>Remove "optional" distinction from File review</s> ==
 +
 
 +
The description already says "by default", and I have no idea why we should encourage the notion of do-not-review-unless-opt-in. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 14:30, 8 December 2018 (UTC)
 +
 
 +
:Yes, please change this. It's anyways describing a supported feature, the implication is that most tools likely offer you the ability to skip past. Also we can just remove the column entirely from the "search & download" helpers, surely... or mark them as not applicable rather than "yes". -- [[User:Eschwartz|Eschwartz]] ([[User talk:Eschwartz|talk]]) 05:52, 9 December 2018 (UTC)
 +
 
 +
::Done & done. - [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 12:00, 9 December 2018 (UTC)
 +
 
 +
:::Wait, are all these helpers don't-review-by-default? -- [[User:Eschwartz|Eschwartz]] ([[User talk:Eschwartz|talk]]) 15:23, 9 December 2018 (UTC)
 +
 
 +
::::Yes. (I tested the bunch of them back in the day, and I don't know of any changes since then.) -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 16:22, 9 December 2018 (UTC)

Latest revision as of 16:22, 9 December 2018

"Reference" implementation

This is an alternative to #Reliable Updater. Instead of an arbitrary set of test packages, we could write up a "specification" on what a reliable AUR helper should do. This should also be more helpful for potential AUR helper writers who otherwise have to wade through complex, fully-featured AUR helpers.

I propose a minimal reference implementation with the following points:

  • No client-side workarounds for upstream limitations. In particular, a reference implementation does not need to score full points on split packages, as makepkg --pkg was removed with pacman 5.
  • Minimal language constructs in e.g. a scripting language like dash.
  • Prefer simplicity of implementation over being fully featured. In particular, an implementation may only support git clone and not git diff.

My initial plan was to keep such an implementation in a man page aurhelper(7) (hosted as part of aurutils), but we can consider including on a sub-page of this article. It could be then linked from the comparison table. Thoughts? -- Alad (talk) 13:28, 8 March 2018 (UTC)

Generally agree with the idea, but I don't think there is a way around a set of PKGBUILDs that could be used to test helpers in a local AUR instance. F.e., I wouldn't define a "reliable" helper that doesn't handle split packages well. Since helpers are tolerated rather than supported, upstream limitations of the AUR might be temporary or permanent, meaning the limitation would actually be in the helper itself (f.e. like regex support). Also, I'd use pseudo code for such a reference as the actual implementation itself doesn't matter, unless you'd like to write a new minimalist helper. Spyhawk (talk) 15:26, 8 March 2018 (UTC)
Apart from FS#56602, I can't think of a case where upstream opposed removing limitations, even if helpers directly benefited. cf. the regex support discussed in [1] or the exit codes finally introduced in makepkg 5.1 which made automatic building significantly easier imo. To me it seems that the main reason we have these AUR limitations is due to the minimal interest of helper writers in contributing upstream, and upstream itself having different priorities. Not sure why former is the case, the PHP codebase may play part in it - at least it does for me.
You can keep dash close enough to pseudo-code, I guess less so if you want a complete example rather than exemplary code blocks. For the PKGBUILD set, I use this: [2] -- Alad (talk) 18:34, 8 March 2018 (UTC)
My understanding is that changes that aren't invasive will be accepted upstream, but otherwise might be rejected (see [3]). One prominent example that comes to mind is FS#48796. It's not really relevant anymore since x86 has been officially dropped, but the solution would involve duplicating DB tables on the server, which isn't trivial to implement/migrate. Many of the feature requests involve non-trivial code change, which is the main reason nobody pushed patches; I dislike PHP but the language itself isn't too hard either. For regex, see the bottom of [4], which is the follow-up of your link above.
Your testsuite seems interesting (thanks for the link), but one advantage of having a fixed set of packages is that these packages might be updated and change, making these edge cases difficult to test. This happened quite a few times with my own list of test packages in the past and this was rather annoying. Spyhawk (talk) 20:20, 8 March 2018 (UTC)

Expand Secure criteria to include other (non-PKGBUILD) bundled files

[5], in particular [6]

The new criteria would be as follows:

  • PKGBUILD, no other files -> Partial
  • Other subset of files that includes the PKGBUILD -> Partial
  • No PKGBUILD -> No
  • All files in the git repo or tar archive -> Yes

Similar to the Diff view column. -- Alad (talk) 16:32, 4 July 2018 (UTC)

good idea, you also mentioned this for aurman a few months ago, see: https://github.com/polygamma/aurman/issues/25#issuecomment-371971155 really a good idea to implement it in a way, so that changes of all known files are being shown Polygamma (talk) 17:07, 4 July 2018 (UTC)
"All files in the git repo or tar archive -> Yes" What exactly do you mean by all files? Build files often contain non text files such as images. Git diff is smart enough to hide these but then you could consider that partial because not all files are covered.
In my opinion all a helper has to do to be secure is pause and allow the user to read the build files. The helper does not even need to offer to open them for you, that's the user's responsibility. Anything more than that is nice to have but not strictly needed. Morganamilo (talk) 20:25, 4 July 2018 (UTC)
If this qualifies as "nice to have", there has to be an explicit warning that a green entry in the "Secure" column does not cover other files, files which may cause more harm than the PKGBUILD itself (such as .install files or executables called from the PKGBUILD). In either case it's misleading, since you either give the impression that viewing PKGBUILDs alone is sufficient (with the current criteria), or include a warning that diminishes the value of the criteria in the first place.
Latter is similar to "Native pacman", in that you have a warning at the article top warning against any sort of pacman wrapping, and criteria in the table that ignore this warning, or even reward behavior which goes against it. -- Alad (talk) 17:07, 8 July 2018 (UTC)
That's a fair point, what about changing the name to "show files before sourcing" or something? Seems more accurate. Then it would make sense that not showing .install files to be partial. The only problem I see that it's not as hard hitting as "secure". Morganamilo (talk) 20:11, 8 July 2018 (UTC)
It cuts both ways: it's an effective deterrent against broken helpers, but it also gives the impression that using a "Secure" helper makes usage of the AUR safe, which it definitely doesn't. I'm not sure on what different name to use, though. -- Alad (talk) 17:25, 14 July 2018 (UTC)
I guess "File view" could work. -- Alad (talk) 17:44, 14 July 2018 (UTC)
The column name was updated to "File review". Are there remaining helpers that only display the PKGBUILD? (trizenAUR springs to mind) -- Alad (talk) 15:30, 23 August 2018 (UTC)
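
The file-coverage criteria proposed at the top of this thread, applied to a single package directory, as an added example that is not part of the discussion or of any helper's code. The function name `classify_review`, the sample file names and the choice to count every regular file outside `.git` (binary files included) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki or any helper). Rates which build files
# were shown for ONE package directory, following the proposed criteria:
#   no PKGBUILD shown -> No, every shipped file shown -> Yes, else Partial.
# usage: classify_review DIR FILE...   (FILE paths are relative to DIR)
classify_review() {
    cr_dir=$1
    shift
    if [ ! -d "$cr_dir" ]; then
        echo "classify_review: no such directory: $cr_dir" >&2
        return 2
    fi

    cr_pkgbuild=0
    for cr_f in "$@"; do
        if [ "$cr_f" = PKGBUILD ]; then cr_pkgbuild=1; fi
    done
    if [ "$cr_pkgbuild" -eq 0 ]; then
        echo No
        return 0
    fi

    # Every regular file in the snapshot or work tree, minus git metadata.
    # Binary files are counted as well (an assumption; the thread leaves
    # this open).
    cr_missing=$(
        cd "$cr_dir" &&
        find . -path ./.git -prune -o -type f -print |
        while IFS= read -r cr_path; do
            cr_path=${cr_path#./}
            cr_found=0
            for cr_f in "$@"; do
                if [ "$cr_f" = "$cr_path" ]; then cr_found=1; fi
            done
            if [ "$cr_found" -eq 0 ]; then printf '%s\n' "$cr_path"; fi
        done
    )

    if [ -z "$cr_missing" ]; then
        echo Yes
    else
        # Name what was skipped (e.g. a .install file) on stderr.
        printf '%s\n' "$cr_missing" | sed 's/^/not shown: /' >&2
        echo Partial
    fi
}

# Constructed sample package: PKGBUILD plus an install script and a patch.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/.git"
    : > "$d/.git/HEAD"
    printf 'pkgname=foo\ninstall=foo.install\n' > "$d/PKGBUILD"
    printf 'post_install() { :; }\n' > "$d/foo.install"
    printf '%s\n' '--- a/x' '+++ b/x' > "$d/fix.patch"
    classify_review "$d" PKGBUILD                        # Partial
    classify_review "$d" foo.install fix.patch           # No
    classify_review "$d" PKGBUILD foo.install fix.patch  # Yes
    rm -rf "$d"
}
demo
```

The files left out of the review are listed on stderr, so the rating on stdout can be captured separately.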

New test cases for dependency resolution

ros-foo-desktop-meta have always been difficult to build, even more so with KDE4 libs moved to AUR (see arch-dev-public). Besides the sheer number of dependencies, they otherwise have little interesting properties either.

I propose to instead use various cross-compilation packages as test cases, e.g. mingw-w64-zlibAUR and powerpc-linux-gnu-gccAUR. These appear very efficient at exposing problems with complex dependency algorithms (see for example [7] or aurman's issues with nsisAUR) and don't take 2 years to build either. -- Alad (talk) 11:34, 14 September 2018 (UTC)

We could also add some simpler cases, like fortune-mod-all-enAUR, and add details similar to the Split packages description. That way, all existing entries with "Yes" in Reliable solver would at minimum have "Partial". -- Alad (talk) 12:01, 14 September 2018 (UTC)
I believe the mingw stuff has a bunch of circular dependencies and a bootstrapping process. Do you think AUR helpers should be expected to handle this? Morganamilo (talk) 15:25, 14 September 2018 (UTC)
No, I don't think so. There will always be cases that can only be dealt with reasonably manually, simply because the involved complexity in implementation isn't worth it. See also related discussion Talk:AUR_helpers#.22Reference.22_implementation above, where a set of fixed reference packages would be better than live packages. No idea how to deal with that without a local AUR instance though. -Spyhawk (talk) 10:42, 15 September 2018 (UTC)
The mingw packages haven't had cycles in (global) depends for a while. As such, makepkg -r works fine for these packages without manual intervention or "bootstrapping". If helpers fail, it may be because of handling split depends contrary to PKGBUILD(5), or other flaws in their dependency algorithms. -- Alad (talk) 10:05, 18 September 2018 (UTC)

remove Batch interaction 2

Some previous discussion: [8]

On IRC there was some confusion on what "Summary of package upgrades" is supposed to mean. Literally, it means that any (AUR) upgrades or installations a helper will perform are printed to screen, similar to pacman's VerbosePkgLists. This is simple to implement - by definition an AUR helper must know about package names and their versions - and does not warrant a separate mention.

Historically, it's about pacman wrappers running -Sy so they can 1. save a single keypress 2. color the output. Former is a questionable argument when all pacman wrappers have a single prompt per package (so potentially hundreds of keypresses), and latter is already available from pacman itself. (with the Color option) As such, I propose to remove batch interaction 2 from the criteria. -- Alad (talk) 12:52, 7 November 2018 (UTC)

If I might jump in, I don't think "one less key press" is a valid argument, nor does the color which is orthogonal to the feature. Batch interaction is not strictly about reducing the number of keys one has to enter, but it is about reducing the time required by... well, batching every step at the beginning. Batch 2 is about grouping repo *and* AUR packages summaries and initial validation together, rather than doing the repo packages update, then displaying the AUR summary before the AUR packages update. I'd suggest adjusting the current loose definition here. --Spyhawk (talk) 14:00, 7 November 2018 (UTC)
You what? The "color" that pacman does, is bold text for some things, making "warning" in yellow and "error" in red, and, for the -Ss or -Qs operations, coloring the repository name in purple, the version in green, and the "[installed]" in light blue.
But the output of pacman -S(u) contains practically no color, and *significantly* less color than the average AUR helper. Yaourt could be considered the trendsetter in that regard, and it colors each repository differently, as well as making old versions show in green and new versions in red, on top of pacman's existing complete lack of color for that area of the UI.
Furthermore, the actual main thing which, say, yaourt provides, is 1) grouping AUR updates in the same VerbosePkgLists style, 2) differentiating between packages which are being upgraded, vs. being pkgrel-bumped, vs. being newly installed, 3) listing which package update now requires a new package to be installed. These are fairly significant deviations from pacman's UI, and IMHO more noticeable than the color. -- Eschwartz (talk) 15:50, 9 November 2018 (UTC)
So as I understand either argument, neither disagrees with "2" only being relevant to pacman wrappers that run pacman -Sy. As such, I'm not sure why it should be a general criterion, rather than a specificity. -- Alad (talk) 13:09, 28 November 2018 (UTC)
It's indeed only specific to pacman wrapper, but still an important part of batch interaction (1 action vs 2 actions separated by some amount of time). I'm not sure why it shouldn't be mentioned for the sole reason it only applies to wrappers. I'd suggest to either mention it (with a correct definition), or move all batch interactions as specificity - which I'd personally be fine with. -- Spyhawk (talk) 15:25, 28 November 2018 (UTC)
IMHO whether it uses pacman -Sy is an implementation detail. More importantly, I think it qualifies as a dependency of batch interaction, but is not, itself, batch interaction.
I'd also like to note that Batch interaction #1 is, unless I totally miss my guess, a direct copy of the "file review" column.
Neither 2 nor 3 are something which can be universally defined as necessary for robustly doing anything, unlike most columns, and unlike the implementation language aren't fundamentally relevant to all programs by default, I think it is fair to demote them both to specificity as "you may prefer to do it this way instead of that way". -- Eschwartz (talk) 15:45, 28 November 2018 (UTC)
The term "batch interaction" used to be included as a specificity, without explicit definition it was however not clear what this meant. I'm fine to go back to this approach, as long as we have some meaningful definition/term for the separate "batch interaction" aspects.
Regarding #1, it's not a direct copy since "file review" can be done on-demand, i.e. whenever a new PKGBUILD is about to be sourced (yaourt), and not ahead of time before any build process begins (pacaur & co). -- Alad (talk) 14:00, 30 November 2018 (UTC)
In a previous discussion we mentioned to have 4-5 entries per Specificity cell. In anticipation of the above additions, I've removed the (imo superficial) "sort by votes/popularity" criterion. Please review: [9] -- Alad (talk) 16:09, 30 November 2018 (UTC)
I guess it is sort of obvious that batch interaction means any features that it has, including file review, will be done via batch operations rather than on-demand. So it is still redundant IMO. -- Eschwartz (talk) 23:45, 1 December 2018 (UTC)
Unlike a few years ago, batch interaction 1 is now a standard feature in all maintained helpers. It doesn't make much sense to keep an extra column for the sole purpose of mentioning it. I'd move everything to specificity imho. If you need to keep definitions, I'd suggest something like: "Ability to prompt before the build process and package transactions", in particular: 1/ "Inspection of package files or their differences" (same as current), 2/ "Combined summary of repository and AUR package upgrades", 3/ "Resolution of package conflicts and choice of providers." (I'm not sure what the current "installation" refers to here) -- Spyhawk (talk) 00:30, 2 December 2018 (UTC)
What do you think of "resolve package conflicts" and "combined upgrade" (for 2/ resp. 3/) as specificity? (see my draft). Your descriptions sound good though, and can be referred to from the Specificity column if required. -- Alad (talk) 11:46, 2 December 2018 (UTC)
I dislike how my previous suggestions are overly long, but I'm afraid "resolve package conflicts" and "combined upgrade" are too generic and not descriptive enough for someone that doesn't know what batch interaction is. Ideally, these should emphasize that the actions are done prior to build and transactions. Maybe "early conflicts resolution" and "combined upgrade summary"? Rest of the draft LGTM. -- Spyhawk (talk) 15:37, 2 December 2018 (UTC)
I prefer the longer descriptions. We can refer to them in the Specificity column, e.g. through Batch interaction 2/3. -- Alad (talk) 13:54, 8 December 2018 (UTC)
I just added "batch interaction" for now if the helper at least supports batch 3/. Most of the other stuff in the Specificity column was not interesting (functionality such as AUR comments and ABS support is easily replicated with external tools like aur-talk-gitAUR or asp) so I've removed it. -- Alad (talk) 14:10, 8 December 2018 (UTC)

Checkmarks instead of colors

I propose to use ✅ (U+2705) and ❎ (U+274E) instead of Template:Yes and Template:No. While uncommon in the wiki, the checkmarks are more subtle than fully colored cells, and might lead to a more thoughtful response when choosing helpers (compare the common "pick the all green row" responses we have now).

Example: [10] -- Alad (talk) 16:20, 30 November 2018 (UTC)

That check mark has different appearance depending on Emoji font. There is Template:Ya and Template:Na that use colored text-presentation symbols, but one would probably figure out that "pick the all green row" is similar to "pick the row with all checkmarks", especially since both ✅ (U+2705) and Template:Ya have green color. -- Svito (talk) 18:28, 30 November 2018 (UTC)
You could also use plain text "Yes" and "No" instead of the templates if you want to skip the colors. But due to the sorting criteria users probably tend to choose from the top... -- Lahwaacz (talk) 20:29, 30 November 2018 (UTC)
Draft User:Alad/AUR_helpers:
  • Removes sorting criteria, sort alphabetically instead;
  • Remove batch interaction 2 and 3 as column entries, add "resolve package conflicts" and "combined upgrade" to specificity instead;
  • Replace Template:Yes with Template:Ya and Template:No with Template:Na;
As an alternative to the checkmarks (better suited for screenreaders), see: [11]
  • Remove some redundant specificity entries to keep a maximum of 4 entries;
  • Remove Batch interaction 1;
For the last point, while it's a separate aspect of "file review", 80% of the helpers support it by now. I'd rather have the additional space from having one column less. -- Alad (talk) 19:06, 1 December 2018 (UTC)
In line with the added neutrality from removing the sorting criteria, I'd also suggest to move "stalled" entries back (as non-grey entries) to the table. It should already be clear that any helper with crosses across the board is "stalled". -- Alad (talk) 19:12, 1 December 2018 (UTC)
Implemented changes in the draft, apart from the checkmarks due to accessibility concerns. -- Alad (talk) 14:15, 8 December 2018 (UTC)

Responsive tables

Moved from #Checkmarks instead of colors. -- Alad (talk) 14:14, 8 December 2018 (UTC)

The only thing that still bothers me is that even with the limit on the amount of specificities, there's so many columns in the table (especially for pacman wrappers), that on small screens every word is split by a newline. User:Morganamilo suggested to use README links instead of descriptions, but I'm not sure how that would pan out. -- Alad (talk)

User:Larivact/drafts/Template:RespCell. --Larivact (talk) 07:50, 2 December 2018 (UTC)
Thanks, it looks nice on my screen (1366x768): [12] -- Alad (talk) 13:42, 2 December 2018 (UTC)
That CSS only takes effect if your browser width is below 600px. --Larivact (talk) 14:51, 2 December 2018 (UTC)
So much for placebo effect... -- Alad (talk) 15:09, 2 December 2018 (UTC)
Yeah I was a bit confused by your response. Just to clarify tables need to be marked up differently for this to work, you can see an example in my draft. --Larivact (talk) 15:20, 2 December 2018 (UTC)

Restore sections

I seriously dislike Special:Diff/557837 because it makes the page less accessible and is semantically wrong. You should be able to link any section you like, it is the job of the users to look around when they were linked to a specific section. I think we neither can nor should attempt to make our articles idiot-proof by substituting sections with definition terms.--Larivact (talk) 08:01, 2 December 2018 (UTC)

The only way to make it idiot proof is to either delete this article or make it an alphabetical list - both of which are still very tempting to me. In any case, I don't think the separated tables (with sections or with definition terms) are ideal either - it's only there because pacman wrappers are broken to such an extent they need to be specifically warned against. -- Alad (talk) 11:44, 2 December 2018 (UTC)
One thing to keep in mind (and the reason for this "special treatment") is that the AUR helpers article is systematically abused to encourage help vampirism (resp. encouragement to ignore supported distribution tools) by users alike. I've restored the sections for now, but adding __NOTOC__ should be a consideration. It won't prevent copy pasting of links but might at least force the "AUR helpers are not supported" warning into view. -- Alad (talk) 11:54, 2 December 2018 (UTC)
[13], closing -- Alad (talk) 13:40, 8 December 2018 (UTC)

Remove "optional" distinction from File review

The description already says "by default", and I have no idea why we should encourage the notion of do-not-review-unless-opt-in. -- Alad (talk) 14:30, 8 December 2018 (UTC)

Yes, please change this. It's anyways describing a supported feature, the implication is that most tools likely offer you the ability to skip past. Also we can just remove the column entirely from the "search & download" helpers, surely... or mark them as not applicable rather than "yes". -- Eschwartz (talk) 05:52, 9 December 2018 (UTC)
Done & done. - Alad (talk) 12:00, 9 December 2018 (UTC)
Wait, are all these helpers don't-review-by-default? -- Eschwartz (talk) 15:23, 9 December 2018 (UTC)
Yes. (I tested the bunch of them back in the day, and I don't know of any changes since then.) -- Alad (talk) 16:22, 9 December 2018 (UTC)