Deprecate yaourt?

I just read:

which links to:

https://wiki.archlinux.org/index.php/AUR_helpers#Comparison_table

This all appears to indicate yaourt has a vulnerability in that it sources the remote PKGBUILD before presenting it to the user for checking. This gives anyone who submits an AUR package the ability to run scripts on your machine before you check the file.

So - should yaourt be deprecated until it is "fixed"?

Also, are pamac and octopi vulnerable to the same thing (which can be much worse if they are run as root)?


If I remember correctly, octopi runs yaourt as user in a terminal when we install an AUR package.


I have recently seen this comparison table, too. It is kind of frightening. Since then, I am playing around with pacaur. I have the impression that yaourt's development is focused on the colors and its "GUI". pacaur gets actively developed under the hood, but it is a little less comfortable and has less colorful output.

I think the biggest hurdle for beginners would be:

yaourt <search term>
pacaur -Ss <search term>

Personally, I would be fine with a switch to pacaur.

But also still before you enter your sudo password, so, no privileges escalated, right?

Only as user, yes.

Else:

Please note that pacaur is targeted at advanced users only. You, user, are expected to be familiar with the manual build process as well as being knowledgeable about pacman, sudo and gpg configuration.
If you are not a makepkg wizard already, help yourself with the wiki and stay away from this helper!

(edit)
Source: pacaur (AUR)

Maybe it is better to make a Manjaro Community Repository :stuck_out_tongue: but that's a bit off topic, because it has nothing to do with this for now, I guess... An external source like the AUR is always vulnerable; you should and must know the risk a bit. No matter which thing you use, there is always a risk. As an example, you don't read the PKGBUILD and there it is :slight_smile:

Actually we have been told from time to time that installing packages from the AUR is unsafe. Yes, yaourt fetches the PKGBUILD remotely, but it always asks if you want to edit it or not. I personally never check any PKGBUILD from the AUR before I encounter a problem installing it; I'm just too lazy, and so are lots of us here. :slight_smile:
My opinion is to stay away from the AUR as far as you possibly can, and just install from it when you really need to. And also, check the votes and the age of the package you want. If the package has been in the AUR for 5 years and is still maintained and alive, it means it has passed through thousands of Arch gurus for 5 years, right? :wink:
But always install from the official repo if it's there, and ask yourself if you really need a git version of it, which is usually just some version bumping or minor changes. Just my 2 cents :slight_smile:


No need to deprecate yaourt. In fact, it's the most secure user-level package manager. Much, much, much safer than PPAs or any other freely hosted-anywhere user repository, because it has a central repository monitored by both users and administrators, even if the monitoring doesn't happen right away and there will be a first victim, who CAN and SHOULD apply for package deletion so the administrators can check right away.

Well, it leaves only 3 logical choices if deprecated:
aurutils, bauerbill, pacaur.
And out of those the best candidate I see is pacaur.

Just my 2 cents worth on the subject.

If it can hook into your shell it becomes your shell and can (AFAIK) intercept anything from that process from that point on. By the time you read the file it could have done any number of things.

PKGBUILD files are shell scripts so I can imagine a situation where the PKGBUILD does something nasty then presents a totally different one for you to read.

You know I'm talking about yaourt and not the AUR, right? If yaourt is sourcing any PKGBUILD from a site that does not require any checking prior to an upload then yaourt is not secure.

Why that three? This is the Development category - you need to provide facts to back up your "2 cents".
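The point raised in the original question (a helper that sources the remote PKGBUILD before showing it to the user) and the self-replacement scenario described a few posts up (the PKGBUILD "does something nasty then presents a totally different one for you to read"), as an added shell example. This is not code from the thread, from yaourt or from pacaur: the PKGBUILD it writes is constructed for the demo, its only "payload" drops a marker file and swaps in a clean-looking copy of itself, and the function names and scratch-directory layout are the example's own. It is kept POSIX sh, so the demo PKGBUILD omits the bash arrays (such as `arch=('any')`) that real PKGBUILDs use.

```shell
#!/bin/sh
# Added example: why a helper that sources a PKGBUILD before showing it cannot
# be made safe by "review afterwards". A PKGBUILD is a shell script, so
# sourcing it runs every top-level command. The PKGBUILD below is constructed
# for this demo (assumption: it stands in for an arbitrary AUR upload).

# Write the constructed demo PKGBUILD into directory $1.
write_demo_pkgbuild() {
    mkdir -p "$1"
    cat > "$1/PKGBUILD" <<'EOF'
pkgname=demo-pkg
pkgver=1.0
pkgrel=1
pkgdesc="constructed demo: top-level commands run as soon as this file is sourced"
# Everything at top level executes the moment a helper sources this file,
# before the user has been shown anything. Here the payload is benign: it
# leaves a marker, then replaces this file with a copy that lacks these lines.
touch PAYLOAD_RAN
sed '/^touch PAYLOAD_RAN$/d; /^sed /d' PKGBUILD > PKGBUILD.tmp && mv PKGBUILD.tmp PKGBUILD
build() { :; }
package() { :; }
EOF
}

# What a yaourt-style helper does: source the file to read its variables.
# The variables come back correct, but every top-level command has already run.
unsafe_inspect() {
    ( cd "$1" && . ./PKGBUILD && printf '%s\n' "$pkgname" )
}

# What a careful helper (or a human following "download, read, then makepkg")
# does: read metadata textually, never executing the file. This is only a
# display aid; the real safeguard is that the user reads the whole file before
# anything executes it (makepkg will run it later, deliberately).
safe_inspect() {
    sed -n 's/^pkgname=//p' "$1/PKGBUILD"
}

# Does the on-disk PKGBUILD still contain the marker-dropping line?
# Returns 0 (true) if it does, 1 if the file has already replaced itself.
payload_line_present() {
    grep -q '^touch PAYLOAD_RAN$' "$1/PKGBUILD"
}

# Stand-alone run: compare the two approaches on a scratch directory.
demo() {
    d=$(mktemp -d)
    write_demo_pkgbuild "$d"
    echo "static read:  pkgname=$(safe_inspect "$d")  marker=$([ -e "$d/PAYLOAD_RAN" ] && echo yes || echo no)"
    echo "sourced read: pkgname=$(unsafe_inspect "$d")  marker=$([ -e "$d/PAYLOAD_RAN" ] && echo yes || echo no)"
    payload_line_present "$d" || echo "after sourcing, the PKGBUILD on disk no longer shows the payload line"
    rm -rf "$d"
}

demo
```

The marker file only appears after the sourced read, and by then the file a helper would display has already been rewritten, which is why "it shows you the PKGBUILD afterwards" is no defence. Reading the file before anything sources it (the manual download-then-makepkg route, or a helper that does the same) is the ordering that matters.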

Octopi seems to work fine with pacaur.

The best and most secure way would be to download the PKGBUILD manually from AUR and then run makepkg.
But yaourt is definitely much easier to use. I also try to avoid installing packages from the AUR as much as possible, but sometimes you just need an app that is not available in the repos, and then yaourt comes in handy.
For instance, I need a color management wrapper for i3 and colormgr, and xiccd is only available in AUR iirc. "yaourt -S xiccd" and it's installed. It's just more appropriate for lazy users like me.

Yaourt might be insecure, but I've yet to see its shortcomings actively exploited. So no deprecation advice from my side yet.

Aura-bin with the abs dependency dropped might also be a good option. It also has a nice option to roll back updates and downgrade AUR packages (it exports built packages to the pacman cache).

However, pacli also supports pacaur as aur backend, so it would take less maintenance if we chose that.

This isn't quite the point. :wink:

This isn't a reason to ignore the possibility.

Of course it isn't. We shouldn't worry that much though.
Pacaur looks like a decent alternative, I'll definitely try this one out. A possible candidate to replace yaourt maybe?

Can pacaur be used as a direct replacement for yaourt with octopi, or does some additional configuration need to be done?

Best regards.

Once pacaur is installed (from the AUR), octopi will use it.
I did not check which one it will use if both are installed (pacaur and yaourt), but if yaourt isn't present it will use pacaur without any additional configuration.

Thank you @scachemaille, I am going to give it a try.:slight_smile:

Best regards.

I have yaourt and pacaur;
octopi(-git) uses pacaur :slight_smile:

Are there any feature/syntax differences between yaourt and pacaur?

If not, I'd be willing to switch if pacaur is more secure.
