Unleashing the Power of AUR in Arch Linux: A Must-Try for Every User!
Discover the AUR, an invaluable resource in Arch Linux, offering countless software packages Ensure its safety with reputation checks, package details, user comments, and examining files Protect your system by staying vigilant and contributing to the community
The Arch Linux AUR repository offers a wide range of community-driven software that can be used with confidence, provided that certain precautions are taken. Even if you are not familiar with shell scripting, there are certain indicators you can rely on to assess the safety of a package. The AUR is a valuable asset of Arch Linux, offering countless additional software packages. However, it is important to determine whether this user-driven repository is secure for your usage or if it is advisable to avoid it.
What Is the AUR?
The AUR, also known as the Arch User Repository, is a unique software repository that offers over 85,000 software packages exclusively for Arch Linux users. Unlike other repositories like core, extra, and multilib, the AUR does not host pre-built packages or binary files.
Instead, the AUR hosts package build files called PKGBUILDs. These PKGBUILDs are shell scripts that are executed by the Arch makepkg tool. When makepkg is run, it searches for a file named "PKGBUILD" and if found, it follows the instructions provided within to generate a software package archive on your computer. If you have experience with compiling software using command line tools, you can think of a PKGBUILD file and makepkg working together in a similar manner to a MAKEFILE and the make utility.
The PKGBUILD instructions retrieve the necessary source code files and other required files for creating the package archive. The pacman tool is then automatically invoked to install the software from the package archive.
It should be noted that certain AUR packages may provide pre-compiled binaries, although these binaries are not hosted within the AUR itself. Instead, they are stored elsewhere on the internet. The AUR entry for such packages solely contains a PKGBUILD file responsible for downloading the pre-compiled binary to the user's computer.
The Arch User Repository (AUR) is a unique feature of Arch Linux that allows any user to create a PKGBUILD for a software package they wish to share with other Arch users. These packages can be either open source or closed source, and can even include commercial software. If a package in the AUR receives enough user votes, it may be promoted to the community repository, which is a regular repository for Arch Linux users.
The issue with the AUR becomes evident when you simplify it to its core. Essentially, it consists of scripts sourced from various users on the internet, who expect you to execute them on your computer.
To address the potential risks, uploaded scripts undergo scrutiny by qualified and reputable volunteers known as trusted users. These individuals thoroughly examine and test the PKGBUILDS, eliminating any that may include hazardous errors or malicious intentions.
The Dangers of Using the AUR
Occasionally, even with the utmost care from reliable users, certain things can slip through the cracks. In 2015, Valve Software's Steam script inadvertently deleted users' home directory if they had previously relocated the Steam directory to a different location.
In 2005, a disturbing incident occurred when an orphaned AUR package fell into the hands of a new maintainer who intentionally injected malicious code into the PKGBUILD file. Although such occurrences are rare and outdated, it is essential to remain vigilant as similar incidents could potentially arise again.
It is worth noting that if you possess the necessary expertise, you have the option to examine the contents of the PKGBUILD file on your own. The AUR's transparency offers this advantage, but it requires a solid understanding of scripting to fully utilize it. Additionally, it is important to consider that if the package incorporates a significant amount of application source code, it should ideally undergo thorough scrutiny as well.
When using the AUR, there are additional risks related to the distribution being used. Some Arch-based distributions may not be compatible enough with the AUR to ensure smooth functioning. The AUR expects to be installed on genuine Arch Linux, which is fully patched and updated. For instance, even though Manjaro is Arch-based, it does not provide official support for the AUR.
However, if your distribution does support the AUR, there are measures you can take to ensure its safe usage, regardless of your understanding of source code and shell scripts.
AUR Safety: Check the Package Details and Reputation
Even without code reviews, there are steps you can take to help you decide whether you can trust an AUR package.
Find Your Package on the AUR
Each package in the AUR has its own dedicated page where you can find detailed information about the package, including its description, dependencies, and other relevant details. To begin your research, access the AUR website and search for the specific package you are interested in.
What Is Its Reputation?
Packages are subject to user voting, and each package is assigned a popularity score. The greater the number of votes and the higher the popularity score, the more favorable the package is considered. This indicates that the package has gained recognition and is extensively utilized. In essence, it is regarded as a reputable package.
The reputation of the package is a good indication of its trustworthiness. The more people who use it, and vote for it, the more comfortable you can feel about using it.
Check The Activity Dates
In the “Package Details” section, you can find the votes, popularity score, and two dates associated with the package. One indicates the initial introduction of the package into the AUR, while the other denotes the most recent update of the package.
The “Last Updated” date will tell you whether the package is being actively maintained. Packages that have been dormant for a long time should be treated with caution.
Is the Upstream URL a Valid Location?
Also check the “Upstream URL” and verify that it goes to a valid web page or code repository for the package or project. If it doesn’t, something’s wrong.
Read the User Comments
Take a look at the user comments located at the bottom of each AUR page. These comments may span across multiple pages. Observe the opinions and inquiries of other users regarding the package. Additionally, explore the solutions provided for any issues that have been brought up. Are there any recent comments? Is there still an active user community for this particular package?
Register and Participate
By registering on the AUR and setting up a complimentary account, you gain the ability to leave comments and pose inquiries. Additionally, make the most of other platforms such as forums and subreddits to seek information regarding the package.
Even if you don’t understand shell scripts, there’s still a couple of things you can check.
Check the Contents of the PKGBUILD and Other Files
In addition to using a command line "AUR helper" like yay, another method to access the AUR is through a hands-on, manual approach.
Effective AUR helpers allow you to examine the PKGBUILD file and halt the installation if desired. Alternatively, in the manual process, you can search for the package on the AUR, download the PKGBUILD file, and inspect it before proceeding. After reviewing and being satisfied with its content, you can manually run makepkg to proceed with the installation.
Installing at least one package manually is highly recommended in order to understand the underlying mechanics of the AUR helper. To illustrate this, we can take the example of the yay AUR helper.
The package was initially submitted in 2016 and its most recent update was in May 2023, making it a very recent update as of now. Another noteworthy aspect is that the original submitter, the current maintainer, and the last person to package the software are all the same individual. This continuity in ownership and involvement is a positive indication.
To copy the Git Clone URL, simply click on the link provided in the "Package Details" section. Open a terminal window and type "git clone" followed by a space. Then, press Shift+Ctrl+V to paste the URL onto the command line. Finally, press "Enter" to initiate the download process.
git clone https://aur.archlinux.org/yay.git
When the download is complete, change into the new “yay” directory.
cd yay
Let’s see what files we have.
ls
There’s a single file, the PKGBUILD file. Often there are one or two additional helper files. Look through those too. We’ll use less to read our single file.
less PKGBUILD
What URLs Does the PKGBUILD File Use?
A properly structured PKGBUILD file, which adheres to conventions, will utilize variables to store the URLs it requires. This approach helps maintain a concise list of the URLs at the beginning of the file, which the PKGBUILD will utilize. In the present scenario, there is only a single URL.
This package appears to be secure as it directs us to the yay project's GitHub page, which is owned by the same user listed as the maintainer on the AUR page. These factors provide reassurance about its safety.
But we’ll carry on and look a little deeper.
Look For Download Commands
Check for occurrences of wget or curl in the file using the search feature. These tools are commonly utilized for fetching remote files. However, a properly designed PKGBUILD should not require such actions.
If you come across any instances, consider it a warning sign and refrain from installing the package until you can confirm its safety. Take a closer look at the URLs referenced in the wget or curl commands. Do they appear to be genuine and relevant to the package?
If you receive verification from a reliable source that the PKGBUILD is reliable, even if it deviates from the usual conventions, you may still opt to proceed with the installation.
Look For rm, mv, and Other Dangerous Commands
There is no requirement for a PKGBUILD file to include commands such as rm or mv, and it should not reference anything in the "/dev" directory. If the PKGBUILD directly invokes pacman or makes mention of systemctl, systemd, grub, or any other critical system component, it is advisable to consider the PKGBUILD file as potentially hazardous and avoid executing it.
Even if you are not familiar with shell scripting, you can still follow the steps we have outlined. However, if you do have some knowledge of shell scripting, you can examine the actual code within the PKGBUILD file.
People who write malicious code often attempt to conceal their intentions by using obfuscation techniques. They employ concise and cryptic syntax, making it difficult to understand their true purpose. If you come across any lines of code that involve redirection or utilize sed or awk commands, it is advisable to consider them as potentially suspicious.
Be Wary of Obfuscated Code
Copying and pasting these lines into an online parser like explainshell.com will unpack them, allowing you to understand what they actually do. If you encounter a complex arrangement of brackets, semicolons, and ampersands, it is advisable to use an online parser to verify if you have correctly interpreted the purpose of the code line. However, code that is difficult to comprehend is generally a warning sign.
PKGBUILD compiles and builds occur within a chroot environment, which serves as an isolated mini file system. This environment allows developers to sandbox processes by restricting their access to the overall file system of your computer and limiting their interaction with other system commands.
If the PKGBUILD is directly manipulating your home directory, treat that as a warning flag. Ensure you fully understand what it is doing before you decide to run it.
You Can Help Other AUR Users
If you come across a package that has a widespread reputation and is widely used, you can generally trust its reliability. The large user base ensures that any problems or glitches are identified and reported promptly. By actively reporting any issues you encounter and giving positive ratings to reliable packages, you can contribute to enhancing their credibility.
However, if you encounter an issue with a package that dissuades you from installing it, you may find yourself in a tricky situation if you still require its functionality. In such cases, seeking recommendations from online forums can be a helpful approach to find alternative packages that can fulfill your specific requirements.
Linux usually has many ways to skin any given cat.
