AUR is cool... but scary - eviltoast

Last night while updating my system, I noticed that a random aur package my system depends on was orphaned in the aur. It’s some random deep-down dependency of another AUR package, and it’s not received any upstream commits in a while. Nice and stable, just needed an owner. I decided to adopt the package before someone else did.

It was kinda scary how simple it is to adopt an orphaned package. Create AUR account… click an email link… Done. If someone wanted to squat the package for malicious purposes, it would be stupidly simple.

I get that this is a problem for all community repos, not just AUR (npm, anyone?), but it’s still an unsettling prospect. I feel like it goes unacknowledged some times.

  • PdeT@feddit.nl
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    This is something that I still need to learn about. What is a good starting point to learn how to read them?

    • forgotmylastusername@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      It’s a shell script. Somebody wrote down the shell commands to download, extract, compile from source code. If you can do shell stuff then you’re about 1/2 way there. If you’ve ever manually compiled from source code then you’re all the way there pretty much.

      It’s quite simple since there isn’t any other abstraction to learn than what many Linux users already know. Shell commands and compiling stuff.

      Probably the one thing that might be foreign is variable and functions of shell scripting.