One of its biggest strengths is packing proprietary stuff that can’t be redistributed and using custom download clients.
You can share the PKGBUILD, but not the resulting package. Back in the early Humble Bundle days there were packages to install games from there with dependencies and everything; with a special downloader that could download the installers with a custom downloader and supplied credentials.
The developers themselves are often not the package maintainers. Before a package is published or updated in one of the official Arch repos, it has to be built, tested, and sometimes patched (which is why you see a -1, -2, etc. appended to the package version), in order to work correctly not just on its own but in an Arch system with Arch packages that it is likely to encounter. The process is not as thorough as Debian for example, but it’s still the responsibility of the package maintainer. If the package is still in early development, deprecated (e.g. wine32), an out-of-tree kernel module (e.g. xpadneo-dkms), or is meant to be built from the latest available commit (any number of *-git packages), the AUR is a convenient way to share PKGBUILD files rather than have the user build the software manually based on a readme, if it even includes build instructions. The PKGBUILD is then ingested by makepkg, which both configures the environment and builds the software, and outputs a package that can then be installed and managed by Pacman.
The caveat is that packages built from the AUR are not vetted by any package maintainers. They can have bugs, they might depend on outdated or no-longer-existent packages, or might contain malware.
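As a concrete version of that caveat (an added example, not code from the thread or from any AUR package): a small sh script that reads a PKGBUILD before makepkg runs it and flags the things a maintainer would otherwise catch. The file it inspects is a constructed sample with two planted problems; the pattern list is a heuristic for a manual read, not makepkg's own validation.

```shell
#!/bin/sh
# Added example (not from the thread or any AUR project): a quick audit of a
# PKGBUILD before handing it to makepkg. It prints the source list and flags
# things that deserve a manual read: checksums set to SKIP, cleartext source
# URLs, remote content piped into a shell, and steps that touch the host
# outside $pkgdir. Returns 1 if anything was flagged, 0 otherwise.
audit_pkgbuild() {                      # usage: audit_pkgbuild path/to/PKGBUILD
    f="$1"; flagged=0
    echo "== sources declared in $f =="
    # Print the source=( ... ) array (and arch-specific source_*=( ... )).
    # Assumes the usual layout; makepkg --printsrcinfo is the authoritative parser.
    awk '/^source[a-z0-9_]*=\(/{p=1} p{print} p&&/\)/{p=0}' "$f"
    if grep -Eq "sums[a-z0-9_]*=\(.*'SKIP'|^[[:space:]]*'SKIP'" "$f"; then
        echo "FLAG: checksum set to SKIP, so makepkg cannot verify the download"
        flagged=1
    fi
    if grep -Eq "(^|[^a-z])(http|ftp|git)://" "$f"; then
        echo "FLAG: cleartext source URL (http/ftp/git without TLS)"
        flagged=1
    fi
    if grep -Eq "(curl|wget)[^|]*\|[[:space:]]*(ba)?sh" "$f"; then
        echo "FLAG: remote content piped straight into a shell"
        flagged=1
    fi
    if grep -Eq "(^|[^a-z])(sudo |pacman -U|systemctl )" "$f"; then
        echo "FLAG: build step acts on the host system instead of \$pkgdir"
        flagged=1
    fi
    return "$flagged"
}

# Constructed sample PKGBUILD (not a real AUR package) with two planted problems.
write_sample_pkgbuild() {
    cat > "$1" <<'EOF'
pkgname=example-tool
pkgver=1.0
pkgrel=1
source=("http://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('SKIP')
build() { cd "$srcdir/$pkgname-$pkgver" && make; }
package() { make DESTDIR="$pkgdir" install; }
EOF
}

# Demo: audit the constructed sample; both planted problems get flagged.
tmp=$(mktemp); write_sample_pkgbuild "$tmp"
audit_pkgbuild "$tmp" || echo "=> read $tmp by hand before running makepkg"
rm -f "$tmp"
```

Run it as `audit_pkgbuild ./PKGBUILD` on a freshly cloned AUR package; a non-zero exit only means "read this part yourself", since legitimate *-git packages use SKIP for their VCS source.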
it makes sense to me. remove as much friction from the publishing process as possible, so you get a huge amount of packages. this incident just shows they removed a little too much.
there are so many niche packages on the aur useful to so few people that nobody would go through the official process to properly package, test, and maintain them.
for example: vscodium is a fork of vscode, but microsoft disables the marketplace for it. the vscodium-marketplace package from the aur adds it anyway. i don’t think any regular repos have these kind of hacks and patches available.
I found it kinda funny that enabling the marketplace in VSCodium was your example here, given how much of a vector for malware that is itself. It’s malware all the way down.
You can download .vsix extensions from the marketplace and import them into VSCodium manually just FYI. And it won’t auto update so it will save you next time a supply chain attack inevitably hits and starts infecting new versions. Assuming the downloaded version isn’t infected in the first place of course.
It just seems odd to me: if there is no maintenance, why not just build a package yourself from the devs' provided source code? Maybe I’m just an old man, but it seems without the ongoing maintenance it would be about the same as, for example, using buildpackage and apt-build on Debian, but that is a local repo for just me. So if something goes wrong it only affects me, not the whole internet.
Not to discredit your point about the AUR as I use it plenty myself but for this specific case is there a reason to use vscodium on arch since they ship code as an official package which has a marketplace?
IIRC, isn't that just a build right out of the MS repo? So all the telemetry would still be there by default, which VSCodium removes. If I am remembering right, that would be the best reason IMO.
I don’t really use either (outside of work scenarios where it’s going to be regular VSCode on Windows anyway), just going off memory here, so I’d need to check too.
Doing a bit of looking, per vscodium folks:
They are very similar. Code-OSS is what you get when you build vscode from source. VSCodium is essentially just a build script that automatically builds from source when MS cuts a new release and then uploads the binaries here to GitHub. In that sense it is mainly to save time.
Additionally, VSCodium turns off telemetry in the build process, and rewrites some of the deeply nested telemetry URLs to go nowhere in case something in the codebase tries to send info back to MS. So that is a small difference that a standard build of Code-OSS would not have unless it was done manually.
I’m not sure how the packaging was done to get Code-OSS into Arch, so it’s possible there are other differences with the Arch version specifically.
AUR is a repository for source packages (in Arch it’s called PKGBUILD) from users. You can write PKGBUILD yourself or just download it from AUR if someone already made it.
I’m not going to lie the aur never made sense to me. If you are going to go to all that trouble why not just package it. Source packages are a thing.
https://gitlab.archlinux.org/archlinux/packaging/packages/code/-/blob/main/PKGBUILD
Seems like it, but isn’t that the same what vscodium does? https://github.com/VSCodium/vscodium#why-does-this-exist
Unless I am misunderstanding?