[aur-general] AUR no more extracting source tarballs ( was: Upgraded AUR to 1.8.0)

Dieter Plaetinck dieter at plaetinck.be
Mon Feb 21 07:46:33 EST 2011


On Mon, 21 Feb 2011 12:19:08 +0100
Lukas Fleischer <archlinux at cryptocrack.de> wrote:

> > > Moreover, I've heard of some encoding issues with users just
> > > copy-pasting files from the AUR frontend.
> > 
> > this is kindof vague. "encoding issues"... issues at AUR side or
> > client side? if the former, that would be a bug that could get
> > fixed.
> 
> I'm not sure. Probably both. It's obvious that if you copy and paste
> something from your browser, it won't be exactly the same as in the
> original tarball.

it's not obvious to me. Am I missing something?  AFAIK, I should really
get the same contents of text files pasted on my system (maybe encoded
differently but that doesn't matter) provided all the characters shown
can be decoded and encoded on my system. (and if that's not possible,
then it's up to the user to configure his locales properly)
Either way, like I said, the use case for showing files is more about
previewing than aiding the building process.

> 
> > > Generally, everyone should download and use the tarballs to build
> > > packages.
> > 
> > Yes, but I'm not talking about building packages, I'm talking about
> > getting a quick idea of what the package contains and how it gets
> > built/installed. for that, the "files" preview was very useful.
> 
> How often do you do that? Why don't you just download the tarball and
> check its contents? I also can't imagine a lot of cases where the
> PKGBUILD preview doesn't give you an idea of what a package does.
> 
> If there really is need for such a thing, I'd also say this is
> something to do on the client side. AUR helpers might want to
> implement this. Or you can just check the cgit interface of the
> unofficial Git clone of the AUR [1].

Well, the problem is, if it would be all about the PKGBUILD alone,
there would be no problem.  But the mere fact that an AUR
contributor needs to upload source tarballs suggests there could be
more stuff in there (install files, licence files, or even "dirtier"
stuff). I could indeed look at the PKGBUILD, but then I would need to
inspect all the source code of the PKGBUILD, which is much more mental
work, which I try to avoid when I just want to get an idea of "what
does this package contain".

The reason I do this through the AUR web interface is... well, because
there is a web interface. It's a bit cumbersome that I can do the
package searching, looking at comments, looking at package info, ... in
the web interface, but not get an idea of the contents of the source
tarball.

Maybe another point which is interesting to think about: you mentioned
it would take several security precautions in AUR to prevent malicious
source tarballs.  By not doing this in AUR itself, doesn't that mean
that every single AUR frontend should support this?
If, as a user, I want to look at the source package, my AUR client
needs to fetch it and extract it, but it will need to take all those
precautions you mentioned before.  If AUR would take care of that,
clients could be simpler.

Dieter
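The "precautions" the thread refers to, shown as an added example (not code from the thread, from the AUR, or from any AUR helper): before a frontend or helper previews or unpacks an uploaded source tarball, it should walk the archive metadata and refuse members that could escape the extraction directory, symlinks and hard links, device or FIFO entries, and archives whose member count or decompressed size is unreasonable. The limits, the sample archives and the function names below are assumptions chosen for illustration, not AUR policy.

```python
import io
import posixpath
import tarfile

# Illustrative limits (assumed values, not AUR policy).
MAX_MEMBERS = 1000
MAX_TOTAL_BYTES = 50 * 1024 * 1024


def is_unsafe_path(name: str) -> bool:
    """True if a member path could land outside the extraction directory."""
    if not name or name.startswith(("/", "\\")):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../") or norm.startswith("/")


def inspect_tarball(data: bytes):
    """Inspect an in-memory tarball without extracting anything.

    Returns (ok, listing, problems): `listing` holds the member names that
    are safe to preview, `problems` the reasons the archive would be rejected.
    """
    problems, listing, total = [], [], 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for index, member in enumerate(tf):
            if index >= MAX_MEMBERS:
                problems.append("too many members")
                break
            if is_unsafe_path(member.name):
                problems.append(f"path traversal: {member.name}")
                continue
            if member.issym() or member.islnk():
                problems.append(f"link member: {member.name} -> {member.linkname}")
                continue
            if not (member.isfile() or member.isdir()):
                problems.append(f"special file: {member.name}")
                continue
            total += member.size
            if total > MAX_TOTAL_BYTES:
                problems.append("decompressed size exceeds limit")
                break
            listing.append(member.name)
    return (not problems, listing, problems)


def build_sample(files, symlinks=()):
    """Build a constructed .tar.gz in memory from (name, bytes) and (name, target) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
        for name, target in symlinks:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tf.addfile(info)
    return buf.getvalue()


# Constructed samples: a benign source tarball and one that should be refused.
GOOD_TARBALL = build_sample([
    ("foo/PKGBUILD", b"pkgname=foo\n"),
    ("foo/foo.install", b"post_install() { :; }\n"),
])
BAD_TARBALL = build_sample(
    [("../../outside.txt", b"escapes the build directory\n")],
    symlinks=[("foo/link", "/etc/passwd")],
)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_TARBALL), ("bad", BAD_TARBALL)):
        ok, listing, problems = inspect_tarball(blob)
        print(label, "accepted" if ok else "rejected", listing, problems)
```

The check only reads headers, so a frontend can show the file listing (the "files" preview discussed above) without ever writing members to disk; actual extraction, if any, should then be done only for archives that pass.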

