Skip to main content
Topic: Octopi and Pamac moved to [universe] (Read 14353 times) previous topic - next topic
0 Members and 2 Guests are viewing this topic.

Octopi and Pamac moved to [universe]

Due to major issues occurring for users as a result of using some AUR helpers, it has been decided to remove Pamac and Octopi from our repositories. We know some users liked using these tools, but unfortunately the havoc they keep creating outweighs their benefits.
artist

Update 25-Oct-2021 18:40 (CET) :
To accommodate for the wishes of the users who expressed their preference to have paman and octopi provide by Artix, these have now been added to the - not officially supported - universe repository. A clear warning and disclaimer are displayed when installing or upgrading these packages:
Code: [Select]
>>> THIS TOOL IS NOT SUPPORTED BY ARTIX (NOR BY ARCH)
    THE USE OF AUR HELPERS CAN RESULT IN A BROKEN SYSTEM
    MAKE SURE TO HAVE A VALID BACKUP FIRST AND USE AT YOUR OWN RISK

Re: Octopi and Pamac removed from repositories

Reply #1
pamac was the problem. Not sure about octopi. It has "auto suggestion" built in as well?

Re: Octopi and Pamac removed from repositories

Reply #2
Due to major issues occurring for users as a result of using some AUR helpers, it has been decided to remove Pamac and Octopi from our repositories. We know some users liked using these tools, but unfortunaly the havoc they keep creating outweighs their benefits.
artist
Oh noes, imagine the negative reviews: "It's 2021 and Artix doesn't provide a GUI package manager... die die die!"


Re: Octopi and Pamac removed from repositories

Reply #4
Looks like both octopi and pamac are available in pre-built binary form from the chaotic aur repo, which I've heard is a fairly reliable source of packages (although I haven't personally tried it nor do I use either of these package managers as a disclaimer to this statement)
https://aur.chaotic.cx/
So that could be a possible alternative for those affected by this, you'd need to enable that non-standard repo.

Re: Octopi and Pamac removed from repositories

Reply #5
Looks like both octopi and pamac are available in pre-built binary form from the chaotic aur repo, which I've heard is a fairly reliable source of packages (although I haven't personally tried it nor do I use either of these package managers as a disclaimer to this statement)
https://aur.chaotic.cx/
So that could be a possible alternative for those affected by this, you'd need to enable that non-standard repo.
See here: https://github.com/Jguer/yay/issues/880

That POC shows why having an AUR helper call a text editor on a PKGBUILD, and having a human carefully inspect said PKGBUILD, is essential for security. Also that's why one cannot trust packages from AUR, no matter what any youtuber claims.

Edit: Malware in AUR: https://thehackernews.com/2018/07/arch-linux-aur-malware.html

https://wiki.archlinux.org/title/Arch_User_Repository
Quote
Warning: AUR packages are user-produced content. These PKGBUILDs are completely unofficial and have not been thoroughly vetted. Any use of the provided files is at your own risk.

 

Re: Octopi and Pamac removed from repositories

Reply #6
The PKGBUILD inspection option is all very well, but can't a pamac user go to the aur website and look at the PKGBUILD and package source there? And even if they did, how is a noob - or even an experienced user - supposed to spot this malware anyway? Plus there is a case of what is a reasonable precaution, ie if malware appears in the AUR then someone is going to complain and take it down, but that is always going to take a time to happen - and you can equally be at risk from malware in all other kinds of situations. You link to github and there's malware hosted on there too, but you don't need to avoid the entire website.
 What I've been thinking for a while now, (but will probably spend a lot more time thinking about it) is using antivirus software to scan the PKGBUILD, source and finished build results, because expecting a human to do all that every time they update is a pretty pathetic security procedure in practice unless they are a cyborg or something.
pamac did break for a long while after the pacman update, because it's a Manjaro project and primarily maintained to keep pace with Manjaro versions, which are well behind Artix and Arch, so it's not always the most reliable option though, octopi was fixed faster.
So far as the decision to remove these from the Artix repos go, I totally respect whatever decision the maintainers make, I was merely suggesting a workaround, and I hope anyone who looked into that takes your points on board too.

Re: Octopi and Pamac removed from repositories

Reply #7
And even if they did, how is a noob - or even an experienced user - supposed to spot this malware anyway?
That is exactly the point. Experienced users will be able to spot if anything is wrong with the package, provided they carefully inspect it. Newbies won't. There is also the matter of someone making an unintentional mistake in the PKGBUILD, and damaging the user's system. Curating takes resources: manpower and time, and it is next to impossible to do on an ever-changing system such as AUR.

AUR helpers are programs to whom the user gives complete control over its system, and they are given instructions by a random person on the Internet. It should be easy to see how that can go very wrong very fast.

Artix additionally breaks away with systemd, which is assumed on Arch, so even seemingly well-behaved packages in AUR can create potentially unexpected problems.

You link to github and there's malware hosted on there too, but you don't need to avoid the entire website.
One also shouldn't ultimately trust it as a reliable source of software.

Everyone is, of course, free to install whatever one wishes, but they are then on their own; official support shouldn't be expected.

Re: Octopi and Pamac removed from repositories

Reply #8
Oh noes, imagine the negative reviews: "It's 2021 and Artix doesn't provide a GUI package manager... die die die!"

 ::)
Beginning with next weeks builds, only the community editions will offer GUI package managers.
:)
... We know some users liked using these tools, but unfortunaly the havoc they keep creating outweighs their benefits.
artist
???

No comments! :(
System:  Kernel: 6.4.10-artix1-1 , KDE Plasma 5.27.7, HP Spectre x360 Convertible 13-ae0xx
Dual Core  i7-8550U bits: 64
8 GB Ram - SSD:  (250 GiB), BTRFS

Re: Octopi and Pamac removed from repositories

Reply #9
The PKGBUILD inspection option is all very well, but can't a pamac user go to the aur website and look at the PKGBUILD and package source there? And even if they did, how is a noob - or even an experienced user - supposed to spot this malware anyway? Plus there is a case of what is a reasonable precaution, ie if malware appears in the AUR then someone is going to complain and take it down, but that is always going to take a time to happen - and you can equally be at risk from malware in all other kinds of situations. You link to github and there's malware hosted on there too, but you don't need to avoid the entire website.
 What I've been thinking for a while now, (but will probably spend a lot more time thinking about it) is using antivirus software to scan the PKGBUILD, source and finished build results, because expecting a human to do all that every time they update is a pretty pathetic security procedure in practice unless they are a cyborg or something.
pamac did break for a long while after the pacman update, because it's a Manjaro project and primarily maintained to keep pace with Manjaro versions, which are well behind Artix and Arch, so it's not always the most reliable option though, octopi was fixed faster.
So far as the decision to remove these from the Artix repos go, I totally respect whatever decision the maintainers make, I was merely suggesting a workaround, and I hope anyone who looked into that takes your points on board too.

I tend to agree with this and, while not wishing to water down the warnings given in other posts above, I feel as long as the user is armed with the necessary warnings, it is his or her ultimate decision to use or not use the AUR.

I have used it in the past and am fully aware of the risks, and certainly would not blame Artix if I broke my system!

Re: Octopi and Pamac removed from repositories

Reply #10
Pamac is a bad choice by any means it does not follow Arch it just a hotch potch program by Manjaro and fails on their own system let alone Artix or any Arch based system  ;)

Re: Octopi and Pamac removed from repositories

Reply #11
Many users use the AUR like they are used to from Windows. I need software X, so I download it from somewhere without questioning what it might contain. It's all nicely automated, requires no independent thinking, no work, click, click, click and done.

Re: Octopi and Pamac removed from repositories

Reply #12
I tend to agree with this and, while not wishing to water down the warnings given in other posts above, I feel as long as the user is armed with the necessary warnings, it is his or her ultimate decision to use or not use the AUR.

I have used it in the past and am fully aware of the risks, and certainly would not blame Artix if I broke my system!
I agree with you. PLUS some packages are available only on AUR. I'm not sure exactly what but I think for example Google Chrome.
And still, with or without pamac, users can install from AUR. So, the only difference is command line vs GUI.
Linux is all about freedom and choice.
So, why limit user?!
System:  Kernel: 6.4.10-artix1-1 , KDE Plasma 5.27.7, HP Spectre x360 Convertible 13-ae0xx
Dual Core  i7-8550U bits: 64
8 GB Ram - SSD:  (250 GiB), BTRFS

Re: Octopi and Pamac removed from repositories

Reply #13
Linux is all about freedom and choice.
So, why limit user?!
pamac will do things like replace Artix packages with Arch packages, remove packages you didn't tell it to, etc. When that happens, you are on your own, don't expect help.
Everyone is, of course, free to install whatever one wishes, but they are then on their own; official support shouldn't be expected.

Re: Octopi and Pamac removed from repositories

Reply #14
pamac will do things like replace Artix packages with Arch packages, remove packages you didn't tell it to, etc. When that happens, you are on your own, don't expect help.
OOOPS! I never thought of this. But does this mean that using AUR with command line is OK? Mainly for things like Dropbos, google chrome,... etc.... not just any not well known packgae?
System:  Kernel: 6.4.10-artix1-1 , KDE Plasma 5.27.7, HP Spectre x360 Convertible 13-ae0xx
Dual Core  i7-8550U bits: 64
8 GB Ram - SSD:  (250 GiB), BTRFS