Remove yaourt from [archlinuxfr] repo

[rmarquis]

This is not about the code, but this is still an important issue nonetheless.

The AUR is unsupported, and as such AUR helpers aren't provided in the official or community repositories. The global consensus is that Arch users should learn to build manually with makepkg before using an AUR helper. Yaourt is currently provided as pre-compiled package in the [archlinuxfr] repository and should be removed.

• Although all other AUR helpers developers avoid to provide helpers as binary for the above reason, the [archlinuxfr] repository makes it possible to bypass these steps by providing yaourt too easily. As a result, it is extremely common to see people using yaourt while they don't have the necessary basic knowledge to solve unexpected issues. This is especially true when the libalpm is updated and the official #archlinux channel is literally flooded by beginners that have no clue about the way to easily fix the upgrade.
• Also, providing yaourt in a binary repository not only bypasses the manual AUR steps for yaourt, but also for all helpers. I've seen people installing yaourt from [archlinuxfr] only for the sake of installing another helper right away.
• Moreover, beginners using the [archlinuxfr] repository are usually not aware that adding a third party binary repository will always take priority over the AUR, which always includes the newest version of the packages found in [archlinuxfr] repository. This can lead to a not up-to-date system, and in the worst cases even a partial upgrade scenario. Many of the packages provided in the repo are currently not up-to-date, and the repo will always lag behing the AUR.
• Furthermore, if beginners should not use the [archlinuxfr] repository for installing yaourt for the above reasons, advanced users don't need it either. Unless users are actually interested in the other packages of that repository and are well aware of the consequences of using it, there is no reason to use it. In any cases, yaourt shouldn't be provided.
• The [archlinuxfr] repository is provided by the archlinuxfr sub-community, but it is the global Arch Linux community that has to face the consequences of including yaourt as binary. I'm sure many regular users of the official irc channel would agree that the [archlinuxfr] repository has become one of the most hated "feature" of yaourt for the above reasons.
• Removing all [archlinuxfr] references from the official wiki is not enough. The [archlinuxfr] is so well known that instructions extends to bad advice on IRC, blog posts and additional piece of work. I've seen this advice from a beginner to another in the official channel just a few days ago, and many times more in the past:

< xxxx> add the archlinuxfr repo (see in wiki) and yaourt should work

Also, see this infographic targeted at beginners and recently published in the archlinux subreddit.

Granted, users should know what they are doing. In practice, this is not always the case, especially when users are beginners. Providing yaourt as a binary in the [archlinuxfr] is simply stupid, or even plain irresponsibility from the archlinuxfr sub-community and a disservice done to the archlinux community as a whole.

Note that it seems the archlinuxfr developers are aware of that issue, but they've never done anything to remedy the situation. Hopefully this ticket could bring this long time issue forward, and will motivate the involved parties to actually do something.

TL;DR: including yaourt in [archlinuxfr] is a disservice to the community, please remove it.

[Skunnyk]

Hi,

Yup, I am agree about most of your arguments. Yaourt is in the [archlinuxfr] since the beginning, but I know that it's a more or less hated feature, even if lots of capable users use this repo for facilities. As you pointed it, removing it from the binary repo is one of my hesitation now that I take care of it.

In a first step, I removed note about the installation from the repository from https://archlinux.fr/yaourt-en and the french wiki. The https://wiki.archlinux.org/index.php/Yaourt wiki already removed the [archlinuxfr] repo.

[rmarquis]

Thank you! I'm looking forward to seeing it removed!

[variablenix]

So what does this mean - that yaourt will no longer be available because one person has issue with it in [archlinuxfr] ? I don't understand the rationale here. From what I can tell yaourt is 425 lines of bash, not a pre-compiled binary.

[sector-f]

Basically the (alleged) issue is that having yaourt in the [archlinuxfr] repository makes it too easily-installed; a user can just add [archlinuxfr] to pacman.conf and the install yaourt with pacman -S rather than installing it through the "standard" method of installing AUR packages.

Except [archlinuxfr] is completely unofficial. It's a third-party repository.

You know what I would call a "disservice to the community?" Trying to police what other people put in their own repositories.

[GabMus]

I don't agree with you. [archlinuxfr] is a community repo and it's not officially supported as you said. Therefore anything that this repo adds shouldn't be a concern of the Arch community, but solely of the end user that decides to add it. Blaming this repo for what inexperienced users do is pointless.

[Mikaela]

Archlinuxfr sounds confusingly official having the name Arch Linux in it. I agree with removing yaourt from there in any case, but renaming the repo could also avoid confusion.

[GabMus]

I don't like the word pancake because since it contains the world cake it sounds like one, but it isn't and I get confused. And asking to change the name of a repo so consolidated sounds like a bad idea to me.

[lordmythus]

archlinuxfr is not an official repo. you cannot tell people to remove things from their repo. they have the power and freedom to put what they want in their repo just like a user of arch Linux has the power and freedom to add whatever repo they want to their system. if their system is hosed because they added a questionable repo, it is their fault and was their choice to do so.

what's next, demanding antergos to remove yaourt from their special repo?

[Freso]

Nobody is telling (or demanding of) anyone to remove anything from their repository.

Someone is asking to have a package removed as having that package in the repository causes disruption in official channels, which leads to irritation for both people trying to help as well as people seeking help (as they're unknowingly seeking help in the wrong place).

The repository maintainer(s) is/are free to heed or ignore this request.

[mrunion]

I agree with removing it. If you want to run Arch, learn it before you automate away some really-needed knowledge. If you can't be bothered to learn to build packages the "Arch" way -- which can save you in a bad upgrade, etc. -- then you should probably reconsider using Arch proper. That's my opinion.

[GabMus]

While it's ok to have a recommended way of using Arch, it's pretty lame to be forced into a mindset. If I want to install apt-get on Arch and use it instead of pacman (however stupid and pointless this can be, it's just an example) I want to be able to do it without the community getting in my way. GNU/Linux is about freedom. And freedom means I can do whatever I want as long as I don't violate others' freedom, and I'm not. The way out of this argument is simply to reply to everyone asking for support on AUR or any other unofficial repo that "Arch or the official Arch community doesn't offer any support for those repos". Damn I love Arch so much but its community is so elitist and "purist". There is no "Arch way" people, there are recommended procedures at the very best. And that's how it should be. Stop fighting against windmills and focusing on real problems.

On Tue, Feb 2, 2016, 7:28 PM Matt Runion notifications@github.com wrote:

I agree with removing it. If you want to run Arch, learn it before you automate away some really-needed knowledge. If you can't be bothered to learn to build packages the "Arch" way -- which can save you in a bad upgrade, etc. -- then you should probably reconsider using Arch proper. That's my opinion.

— Reply to this email directly or view it on GitHub https://github.com/archlinuxfr/yaourt/issues/209#issuecomment-178740681.

[mrunion]

The issue is not about telling people how to use their computers. It's about adjusting their attitudes when they do.

It's usually the same people with the "I don't want to learn this, I just want it easy" attitude that are the first to open the "Yaourt/package-query doesn't work since pacman upgraded" tickets/forum posts. So in essence, the "elitist" community has to deal with many tickets from people who don't really KNOW their system.

I enjoy my freedom as well. But people shouldn't ask how to fix a system they never wanted to learn in the first place. That's my point and opinion. If that's being elitist to you, then I feel your definition is flawed. Any society has it's barriers to entry for a purpose. Not learning Arch and just asking for help when you really don't know what your doing is just leeching off people that has already spent the time. And it's my opinion this repo should contribute to that "easy entry" approach. But this is very OT for this thread.

And there IS an "Arch Way". There is a wiki article on it. It is THE mindset you are expected to share. That's the way Arch wanted it. You either agree with it or don't, but it's still there.

[f2404]

I'm feeling networkmanager is making network configuration too easy, it's hiding many details a true Linux user should know, and it's not even necessary to make it work. I'm not using it on my system. Why don't end up requesting networkmanager to be removed from the repository?

[mrunion]

That's it, I'm done! f2404, you're a Derp.

But networkmanager never caused you to bork your system like yaourt. But the Arch Way DOES require you to know how to get your system on the internet manually. So your analogy is both absurd AND wrong. Congrats on winning the Internet.

I'm out. You kids can play with your system however you see fit.

[Earnestly]

LOL

[alphaniner]

What if [archlinuxfr] contained a special build of yaourt which on first invocation displayed a reasonably detailed warning about yaourt, the nature of the AUR, etc. and a shorter warning on subsequent invocations?

[GabMus]

This sounds like a decent solution.

On Wed, Feb 3, 2016, 12:09 AM alphaniner notifications@github.com wrote:

What if [archlinuxfr] contained a special build of yaourt which on first invocation displayed a reasonably detailed warning about yaourt, the nature of the AUR, etc. and a shorter warning on subsequent invocations?

— Reply to this email directly or view it on GitHub https://github.com/archlinuxfr/yaourt/issues/209#issuecomment-178878377.

[rmarquis]

@Skunnyk I am not sure that adding packer to the [archlinuxfr] repo is the right move in light of this ticket..

[lots0logs]

What if [archlinuxfr] contained a special build of yaourt which on first invocation displayed a reasonably detailed warning about yaourt, the nature of the AUR, etc. and a shorter warning on subsequent invocations?

:+1: That solution is a hundred times more appropriate for addressing the root issue than the solution proposed by the OP of this gh issue. IJS!

Also, no need for a special build of yaourt. This should be included in yaourt no matter where you install it from.

[henryptung]

@mrunion I've generally found it useful when adjusting attitudes to try explaining how one option leads to more positive outcomes than another. How would you "sell" the Arch way to a Linux newcomer as superior to others, and why? (Or, as a more concrete thing, why is learning ABS important over just using archlinuxfr? Is it about avoiding certain classes of bugs or incompatibilities, or is it about "learning Linux the proper/hard way?" Why should that important to a newcomer?) If you just write that up into a wiki page or post somewhere, and link others to it when they ask, I think that'll be a lot easier on both you and everyone else.

As a case-in-point, I'll be honest here - my first reaction reading your posts wasn't "This sounds like something I should learn about" - it was "Wow, I'm glad I'm not that angry." In my experience, help given without respect tends to have the opposite effect, and is often more effective if omitted altogether.

@ everyone else: sorry for the noise

[Mikaela]

I think Arch isn't exactly the distribution to sell to Linux newcomer.

Whereas many GNU/Linux distributions attempt to be more user-friendly, Arch Linux has always been, and shall always remain user-centric. The distribution is intended to fill the needs of those contributing to it, rather than trying to appeal to as many users as possible. It is suited to anyone with a do-it-yourself attitude that's willing to spend some time reading the documentation and solving their own problems.

• https://wiki.archlinux.org/index.php/Arch_Linux#User_centrality

[alphaniner]

Not only that, but the Arch devs and community (by and large) have zero interest in Arch being 'sold' to anyone, becoming more mainstream/popular, etc. To a certain extent there's negative interest in such things, if only because they lead to the circumstances that prompted this issue.

[henryptung]

I understand, but you're not arguing here that Arch devs shouldn't do something they don't want to do, you're arguing that someone else shouldn't do what they want to do because it doesn't align with Arch devs' priorities.

I'm not talking about selling Arch Linux, I'm talking about selling the idea of not using Yaourt - negative interest is well and fine, but it's probably of little concern to most Yaourt users. Do you have an argument that is relevant to Yaourt users?

Why should we choose not to use something that works fine, and saves our time (excepting exceptional API breaks like a major pacman version bump, which happen at most once a year)?

[alphaniner]

The idea being pushed here is not don't use yaourt its don't provide a yaourt binary. And though I tend to agree that should happen, since it didn't seem forthcoming I offered a possible compromise solution. The problem is that the fallout of a binary yaourt results in lots of noise on the official channels. This is something the maintainers and active supporters of archlinuxfr should care about, considering archlinuxfr is nothing without archlinux.

[henryptung]

Ah, my apologies - I didn't realize you were the one who suggested the compromise above. In terms of noise on official channels (which I agree is a problem), I would guess that that has less to do with the ability to install yaourt in 2-3 commands (there are plenty of quick and dirty guides about how to install yaourt, with little-to-no AUR education involved in the process) and more to do with the fact that many useful packages live in the AUR, and will either (1) be used or (2) frustrate users enough to choose a different distribution from Arch. I think driving away newbie users from Arch reduces support burden (I shy away slightly from calling it noise, those users certainly don't see it that way) in the short term, but can be harmful to Arch's growth and the growth of the support community in the long term.

However, I think a "you-are-voiding-your-warranty, step-forward-at-your-own-risk" message during install (and perhaps usage) of yaourt is a much more effective vehicle for delivering the message, and for potentially linking users to Wiki pages where they can actually learn more, if they want. With such a warning on each use, "official channels" can screen and turn away users who use yaourt regularly, or point them at the AUR wiki page and ask them to try uninstalling unsupported packages before returning. Thanks again, by the way, for the suggestion, even if it's not a solution you totally agree with; for me, a solution aimed at educating users is infinitely more constructive than one aimed at removing capability.

[soupault]

One more opinion from the Archlinux user with >8yrs experience here This discussion is fun! I really doubt the complexity of downloading two PKGBUILD's, running makepkg and pacman -U twice. This way users are forced to go throught the educational pipeline: get known with AUR, building system, contribution to AUR (whoa! so easy! prepare one file and you are the community member :wink:). I think, nothing really will suffer due to the removal of yaourt from repositories. On the other hand, the conflicts between pacman and package-query are really annoying (although they happen not often than twice a year). I see the only correct way to handle the situiation - to align with pacman maintainer and roll-out new versions of pacman+yaourt from testing simultaneously. In other words, the commitment from core devs is required. P.S. Not using [archlinuxfr] quite for a while.

[henryptung]

@soupault It's odd, but I think the simplicity here also negates the educational benefit; in this case, the user learns about building, but I'm not sure they'd really "learn" about the AUR through those few commands. Learning about contribution there is a bit of a stretch :stuck_out_tongue:; I acknowledge the irony in that as well, but I just feel like the messaging during install/use is a much more effective way to actually solve the problem the Arch community is complaining about right now.

[Earnestly]

This is a non-issue, any user found to be using [archlinuxfr] is automatically ignored. Good job archlinuxfr!

[DoTheEvo]

I made the infographic posted by the OP.

I think OPs argument is very naive if the main idea is that this:

sudo pacman -S git
git clone https://aur.archlinux.org/packer.git
cd packer
makepkg -si

Would infuse the ancient knowledge of arch in to beginners brainball.

The argument about priority over AUR and the lag, well that has some benefits you know. There were some headlines few weeks back about package query 1.7 being broken, I think repo users were unafected, huh..

[rmarquis]

The problem is that the fallout of a binary yaourt results in lots of noise on the official channels. This is something the maintainers and active supporters of archlinuxfr should care about, considering archlinuxfr is nothing without archlinux.

It seems this is one of the rare comment that understands the issue here. This has never been about yaourt. This is about the yaourt binary provided in the [archlinuxfr] repo.

@Skunnyk I wish you could actually take a decision here, instead of continuing to bury your head in the sand. Either fix it and remove that binary, or refuse to limit the fallout in the official channels and take full responsibility for it.

[ioquatix]

Just for another perspective, I'm experimenting with yaourt to install custom packages to server deployments, and it's convenient to just pull down a package which auto-updates, etc. I often wondered why this wasn't just a flag on pacman (to access the AUR, or adding it to pacman.conf) - sure, it's risky, you could be installing anything, but that's the responsibility of the user and that's pretty clear.

I always thought that if the problem is documentation, perhaps that needs to be addressed differently. For example, if lots of people having the same issue, perhaps a tool which hyperlinks errors to an arch-specific stack overflow might not be a bad idea, e.g.

"It looks like you are trying to compile "nvidia-beta" but the build command failed, would you like to check for information online?"

There are a number of approaches you could use - in the Atom text editor, for example, they unique backtraces and then provide a way to automatically submit a new issue if one doesn't exist yet, or join in the discussion for an existing issue.

This means that if someone is installing a package, and it fails, and other people are having the same issue, they are quickly directed to a solution or at the very least, a discussion surrounding that problem.

This approach could certainly be improved. But it's a start.

If the problem here is building and installing software, I don't feel the solution is to make that harder, but to address the core of the issue - connecting people with issues to solutions. This probably applies equally to packages installed with pacman, or any build tool in general even.

[Earnestly]

@ioquatix If you're looking for saner or more robust solutions to your problems, consider https://github.com/AladW/aurutils instead.

You won't find anything good here, yaourt fails in every category beyond trivial workloads from parsing to dependency ordering to split-package support to even merely searching the AUR without potential for arbitrary code execution.

[sector-f]

@ioquatix You seem to be missing the point of...well, multiple things.

First is the fact that making AUR helpers official--or adding AUR support to pacman--would imply that the AUR is officially supported. This is not the case. You say

sure, it's risky, you could be installing anything, but that's the responsibility of the user and that's pretty clear.

That's a horrible viewpoint. Packages in the official repositories are known to be safe, and this is verified by either the developers ([core], [extra]) or trusted users ([community]). Yet apparently being able to install potentially-malicious packages with ease is a feature, not a bug, in your world.

Another point you may be missing is that pacman is a package manager. The AUR does not contain packages, it contains scripts that makepkg(8) uses to create packages. Compiling programs is not pacman's job. If you think it should be, then consider switching to Gentoo.

[soupault]

@sector-f It seems like noone really cares about malicious software in AUR. Just give yourself a UI look: one can easily create an entry there, but has no chance to remove it (happened to me recently: I've made a repo for some package, faced some troubles with build configuration, intentionally corrupted PKGBUILD and asked for removal in a mailing list - the removal had been rejected); voting is :+1: only, what makes no sense really; no stimula for maintainers on 'out-of-date' flagging - you mark it as one and noone really gives a sh*t about that. So, if AUR is an user-driven platform, why not make it really social and community-moderated? That's the question and it has nothing to do with yaourt.

[ioquatix]

It looks like yaourt is no longer the recommended (was it ever?) way to install packages from AUR. This is news to me. I was recommended to use yaourt several years ago and have been using it ever since. I'm more than willing to change to another tool if it is recommended though.

I'd kindly suggest that users who desire an easy way to install (including dependencies) packages from the AUR, need to know the best tools for the job and that this should be a standardised feature of Arch Linux, if at all possible.

Having this standardised somehow, including relevant documentation and appropriate warnings, might make the process a lot easier for new users to navigate and manage, ensure that the tooling is up to date, minimise the problems people are causing in IRC, etc.

I think this approach is similar to how one develops policies in government to deal with illicit substances: Do we accept the fact that people will desire to do them, and make a safe environment with appropriate documentation and quality where possible, and then warnings where not, or do we try to outlaw it and pretend like it doesn't exist?

[sector-f]

I'd kindly suggest that users who desire an easy way to install (including dependencies) packages from the AUR, need to know the best tools for the job and that this should be a standardised feature of Arch Linux, if at all possible.

There is. It's called makepkg.

[ioquatix]

@sector-f makepkg is great but by the existence of yaourt and other similar tools, we could conclude that it isn't sufficient. i.e. what is the secret sauce that yaourt & co bring to the table?

[f2404]

yaourt not only allows to install AUR packages (without any manual downloading, in opposite to makepkg), but also searching through AUR. What's maybe even more important, when using yaourt, you're using a single tool for handling both AUR and official repositories packages. And yes, I agree with @ioquatix that existence of yaourt itself proves its value for users.

[sector-f]

@ioquatix The secret sauce is "laziness." Users are trading security for ease and allowing the line between official and unofficial packages to blur in their mind. But just because they do it doesn't make it a good idea.

[ioquatix]

@sector-f In this case (i.e. yaourt and co), the repetitive task is automated. This reduces errors, saves time and the end result is more practical/reusable. Not all useful packages are available in official repositories (wireless drivers, atom, ruby gems, nvidia beta drivers, etc).

And let's face it, on the point of security, just because it's an official package doesn't guarantee anything, e.g. OpenSSL. It's a weak guarantee at best. I've never personally verified the keys nor do I know the people making the packages.

I agree, the package signing is a good way to detect malicious behaviour. Perhaps this approach can be extended to the AUR too.

[Earnestly]

@ioquatix There might be some confusion about the purpose of PGP keys here. The point of signing packages is to guarantee that they came from the person who signed it, this says nothing of its security or intent just that the point of origin is consistent.

Right now Arch Linux doesn't sign the databases which does somewhat undermine the situation with malicious mirrors (MITM), but it'll get there eventually.

I recommend that you still read into the links I provide because they answer a few of the questions you've repeated here, for example, look into integrating https://github.com/vodik/repose as a much nicer alternative to using pacman -U.

[ioquatix]

@Earnestly I understand the situation w.r.t. signing. It's just that further back it was mentioned:

Yet apparently being able to install potentially-malicious packages with ease is a feature, not a bug, in your world.

I just wanted to clarify that signed packages don't really avoid this situation, so we are in agreement.

W.R.T. the other methods of deployment, I'm more than happy to improve the method. It's just not clear to me why I should use one or the other. In the case of something, say, like Ubuntu's PPA system, there is a clarity w.r.t. what tools are recommended and how they should be used, the related documentation, risks, etc are well exposed and systematic. Of course, it didn't always used to be that simple.

[Paradox-AT]

The package is no longer available in the repo so you can mark the issue as solved

[f2404]

True, thanks.

[Enerccio]

Why did you remove it? There was no need to do this shit!