Re: Adapt yaourt to honour Artix' repositories?
Reply #6 –
Frankly, yaourt is a convenience wrapper for people who have no real clue what they are doing.
The reason you should not use yaourt: you basically compile source code in blind trust that it won't do harm.
The AUR is not protected from people uploading packages that compile malware.
I know. I am aware of the risk.
makepkg does not protect from this either, unless you look at the source. (But who does, really?)
Looking at the PKGBUILD and install=-files is in turn easy with yaourt, too.
Given that, what should make me trust the official repositories more? That there is not some malicious code put somewhere, more or less hidden, maybe directly in upstream?
... well, and when I use yaourt just to get PKGBUILD and associated files from Arch Linux/Artix upstream, and not from the AUR, I will not interact with the AUR at all.
And that was my use case. Packages which are provided in some repositories, and not in the AUR, where I have a customizepkg-hook for them, to be taken care of somehow automatically during an update, and then not fetching the precompiled binary from that repository but the source build recipe (PKGBUILD etc.) from _the same_ repository, not the AUR.
The only thing I will mostly miss then are the signatures.
Given the last sentence: PKGBUILD also has support for source file signatures, and for example extra/ffmpeg supports it. From the PKGBUILD downloaded with yaourt -G extra/ffmpeg:
source=("https://ffmpeg.org/releases/ffmpeg-${pkgver}.tar.xz"{,.asc}
'fs56089.patch')
validpgpkeys=('FCF986EA15E6E293A5644F10B4322F04D67658D8')
So, where do I have more security problems when I let yaourt download and build extra/ffmpeg compared to when I just download and install the prebuilt package with pacman -S extra/ffmpeg?
Granted, not all packages provide validpgpkeys, for example extra/kate (which I also have a customizepkg-hook for).
But I am slightly wondering, you say you have limited data transfer, but you run a rolling release distro?
System update only every now and then. A few weeks to a few months. When I have quick connection somewhere and the time to deal with it (since every update does potentially break something).
I have unlimited data, but usually on something like 40 kbit/s.
Individual packages without system update I install sometimes (knowing that it is strongly discouraged and might not work out).
How come you can't clone a small git repo once, but you update your rolling release regularly?
No one said that I update it regularly.
OK, I got it. I don't need to update the git repo more often than I need to make a system upgrade. Right.
And I mis-thought something there, because I was not really thinking about it, just reacting emotionally: thinking of having to clone all the sources of all the packages, which is much more data than the subset of packages I have installed on my system. But it is just the git repo containing the packages' build recipes. Thanks for that last sentence from you, which corrected my thinking on that.
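The validpgpkeys point raised in the thread, as an added example that is neither from the thread nor from makepkg or yaourt: a small Python audit that reads a PKGBUILD without sourcing it (so no recipe code runs) and reports which remote sources ship with a detached signature and pinned keys, and which do not. Both PKGBUILD fragments are constructed (the ffmpeg one modelled on the lines quoted in the post, with a placeholder pkgver); the `audit` function, the signature extension list and the "signed only if keys are pinned" rule are this example's own assumptions.

```python
import re

# Constructed fragment modelled on the extra/ffmpeg lines quoted in the thread; pkgver is a placeholder.
FFMPEG_PKGBUILD = '''
pkgver=4.0
source=("https://ffmpeg.org/releases/ffmpeg-${pkgver}.tar.xz"{,.asc}
        'fs56089.patch')
validpgpkeys=('FCF986EA15E6E293A5644F10B4322F04D67658D8')
'''
# Constructed fragment of a hypothetical package: remote tarball, no signature, no validpgpkeys.
UNSIGNED_PKGBUILD = '''
pkgver=1.2
source=("https://example.invalid/foo-${pkgver}.tar.gz" 'foo.install')
'''

TOKEN = re.compile(r"(?:\"[^\"]*\"|'[^']*'|[^\s'\"])+")   # one shell word, quotes kept
QUOTED = re.compile(r"\"([^\"]*)\"|'([^']*)'")             # quoted pieces inside a word
BRACE = re.compile(r"\{([^{}]*,[^{}]*)\}")                 # {a,b} group (not ${var})
SIG_EXTS = (".asc", ".sig", ".sign")                       # assumed detached-signature suffixes

def expand(word):
    """Strip quotes and apply bash-style {a,b} brace expansion to a single array word."""
    unq = QUOTED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), word)
    m = BRACE.search(unq)
    if m is None:
        return [unq]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand(unq[:m.start()] + alt + unq[m.end():]))
    return out

def bash_array(text, name):
    """Return the items of a name=( ... ) assignment, parsed statically (the file is never sourced)."""
    m = re.search(r"^\s*" + re.escape(name) + r"=\((.*?)\)", text, re.S | re.M)
    return [item for tok in TOKEN.findall(m.group(1)) for item in expand(tok)] if m else []

def audit(pkgbuild):
    """Classify remote sources: signed (detached sig fetched AND keys pinned) vs unsigned."""
    scalars = {k: v.strip("'\"") for k, v in re.findall(r"^(\w+)=([^\s(]+)$", pkgbuild, re.M)}
    subst = lambda s: re.sub(r"\$\{?(\w+)\}?", lambda m: scalars.get(m.group(1), m.group(0)), s)
    sources = [subst(s) for s in bash_array(pkgbuild, "source")]
    keys = bash_array(pkgbuild, "validpgpkeys")
    remote = [s for s in sources if "://" in s]           # local patches/install files are in git
    sigs = {s for s in remote if s.endswith(SIG_EXTS)}
    payload = [s for s in remote if s not in sigs]
    signed = [s for s in payload if keys and any(s + e in sigs for e in SIG_EXTS)]
    return {"validpgpkeys": keys, "signed": signed,
            "unsigned": [s for s in payload if s not in signed]}

if __name__ == "__main__":
    for name, pb in (("ffmpeg (constructed)", FFMPEG_PKGBUILD), ("foo (constructed)", UNSIGNED_PKGBUILD)):
        print(name, audit(pb))
```

Sources that end up under "unsigned" are exactly the cases the post worries about for extra/kate: the build fetches a remote tarball that makepkg can only checksum, not authenticate against a pinned key.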