this post was submitted on 24 Jun 2023
6 points (87.5% liked)


When using sudo yay it recommends not using sudo. It seems I had two different outcomes from using sudo and then from not using it. Having used it, what effect does this have?

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (2 children)

What different effect did you see?

The main difference is in where the package gets built: as you are the root user, not your own user, the cache will be in a strange place and some config files may be misplaced.

Also, running as root is dangerous as the AUR uses random scripts made by strangers on the internet. (edit: as stated by OP, makepkg refuses to run anyway) This can be very dangerous, even when not run as root. I've seen an IP logger next to a list of "people who can fuck themselves", fork bombs, and have heard of crypto miners being installed. All in large, well-used repos.

Cemu, NordVPN, certain browsers, and many more are not distributed by their owners.

Giving these scripts that are often made by some random person root access is asking for damage. People could just put dd if=/dev/random of=/dev/sda inside it and boom, your drive is not only gone but you can't even recover your data

Edit: they are correct, yay will simply refuse to install an AUR package using sudo. Apologies for suggesting otherwise.

[–] UnfortunateShort 5 points 1 year ago

Look at the pkgbuilds and the sources used! That's the minimum of due diligence one should do when using the AUR.
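
A first pass at that review as a script, added here as an example and not posted by anyone in the thread: it searches a PKGBUILD for a few patterns that deserve a closer read before building. The rule names, the pattern list and the sample PKGBUILD are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: static triage of a PKGBUILD before building it.
# makepkg sources the PKGBUILD as bash, so read it first; this script only greps it.
# The rule list is illustrative, not exhaustive: no findings is not proof of safety.

# flag TAG REGEX FILE: print "TAG:LINE:TEXT" for every line matching REGEX.
flag() {
  grep -nE -- "$2" "$3" | sed "s/^/$1:/" || true
}

review_pkgbuild() {
  # Build scripts have no reason to escalate privileges themselves.
  flag PRIVILEGE    '(^|[^[:alnum:]_-])(sudo|su|doas)[[:space:]]' "$1"
  # Writes straight to a block device, like the dd line quoted in the thread.
  flag RAW-DEVICE   '(>|of=)[[:space:]]*/dev/(sd|nvme|vd|mmcblk)' "$1"
  # A download piped into a shell bypasses source=() and its checksums.
  flag PIPE-SHELL   '(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh' "$1"
  # SKIP disables integrity checks (expected for VCS sources, worth a look otherwise).
  flag NO-CHECKSUM  '(^|[^[:alnum:]_])SKIP([^[:alnum:]_]|$)' "$1"
  # Sources fetched over an unencrypted transport.
  flag PLAIN-HTTP   '(^|[^[:alnum:]])(http|ftp)://' "$1"
  # .install scriptlets are run by pacman as root at install time: read that file too.
  flag INSTALL-HOOK '^[[:space:]]*install=' "$1"
}

# Constructed sample PKGBUILD (not a real AUR package); it is only searched, never run.
sample_pkgbuild() {
  cat <<'EOF'
pkgname=example-bin
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("http://downloads.example.invalid/example-$pkgver.tar.gz")
sha256sums=('SKIP')
install=example.install
package() {
  install -Dm755 example "$pkgdir/usr/bin/example"
  sudo dd if=/dev/random of=/dev/sda
}
EOF
}

# With a path argument, review that file; with none, review the constructed sample.
if [ "$#" -gt 0 ]; then
  review_pkgbuild "$1"
else
  tmp=$(mktemp); sample_pkgbuild > "$tmp"; review_pkgbuild "$tmp"; rm -f "$tmp"
fi
```

Every flagged line still needs a human read, and so do the upstream sources the PKGBUILD downloads.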

[–] [email protected] 2 points 1 year ago

With sudo it appears the dependencies for pkgbuild are downloaded then deleted, but qv2ray, the main target, remains uninstalled (manual intervention required) and it states qv2ray - exit status 10.

However on the second time without sudo the package is finished and a second install prompt appears, and the installation is successful.

So it appears to be that running makepkg with sudo was not permitted anyway, and there was no result. Also the packages (the cache you refer to?) were deleted following this.

I'll remember from now on the AUR is riskier than pacman and I'm glad the package was installed in /home. 🤔

[–] ogarcia 3 points 1 year ago

Running any AUR helper (I recommend paru instead of yay but either is a good option) should always be done with a normal user and never with sudo.

This is because both the download of the PKGBUILD as well as the download of the sources and the compilation must be done with a normal user. Doing that as root poses a HUGE risk to the integrity of the system: a bad PKGBUILD, a source code with errors, a script with a space where it shouldn't be, and you can even break your system completely. You could even execute malicious code!

It is the AUR helpers themselves that will (eventually) ask you for a sudo authentication for when they need to do the final step of installing the package once it has been built.

[–] [email protected] 1 points 1 year ago

Yay asks for your password if it needs it. So you can just type in 'yay' and read what it says.

Also: I can recommend using paru instead ;)
