Why is adoption a thing in this way though? People compare AUR to github which seems very apt, but on Github no-one can come and take over the URL of an abandoned repo for rhemselves, if someone wants to start maintaining and the old owner is MIA, they have to make a fork. Why doesn’t AUR work the same way but instead allows anyone to take over any abandoned project with no checks?
The forking option wouldn’t work as well as it does on github because AUR packages are not namespaced like GitHub repos, e.g. communism/mypackage; instead it’s just mypackage. So if adoption required a new name you’d have mypackage-cont, mypackage-cont-cont, or whatever. And it wouldn’t really be possible to introduce username namespacing because AUR packages are just Pacman packages that are community-contributed rather than official, and Pacman, like most package managers, doesn’t namespace their package names; firefox is just firefox rather than, say, mozilla/firefox. Some AUR packages get added to the official repos so when you do, e.g. yay -Syu, you’ll then install the official package if you previously had the AUR package installed as it has the same name.
There isn’t a perfect solution. Even if package adoptions were moderated, someone could take over a package and initially push a genuine commit, and then their next commit is malicious. Reviewing every single AUR commit would be incredibly labour-intensive. Possibly you could add automated checks for commits that suddenly add an npm install or other suspicious command with regex, but attackers could just get cleverer about avoiding those regex checks. Imo the best solution is just more widespread warnings about the fact that AUR packages are community-contributed with no guarantees of safety (e.g. on the Arch wiki where it sometimes suggests users install AUR packages), and AUR helpers forcing users to read PKGBUILDs before installation.
Why is adoption a thing in this way though? People compare AUR to github which seems very apt, but on Github no-one can come and take over the URL of an abandoned repo for rhemselves, if someone wants to start maintaining and the old owner is MIA, they have to make a fork. Why doesn’t AUR work the same way but instead allows anyone to take over any abandoned project with no checks?
It is about updates and duplicate packages are not allowed.
I usually don’t do it, but the user is supposed to check. It’s itself a git repo, so you can see who changed what.
It’s just a build script. There are long and complex ones, but many are short. Easiest ones are just a few lines of shell script + metadata
The forking option wouldn’t work as well as it does on github because AUR packages are not namespaced like GitHub repos, e.g. communism/mypackage; instead it’s just mypackage. So if adoption required a new name you’d have mypackage-cont, mypackage-cont-cont, or whatever. And it wouldn’t really be possible to introduce username namespacing because AUR packages are just Pacman packages that are community-contributed rather than official, and Pacman, like most package managers, doesn’t namespace their package names;
firefoxis justfirefoxrather than, say,mozilla/firefox. Some AUR packages get added to the official repos so when you do, e.g. yay -Syu, you’ll then install the official package if you previously had the AUR package installed as it has the same name.There isn’t a perfect solution. Even if package adoptions were moderated, someone could take over a package and initially push a genuine commit, and then their next commit is malicious. Reviewing every single AUR commit would be incredibly labour-intensive. Possibly you could add automated checks for commits that suddenly add an npm install or other suspicious command with regex, but attackers could just get cleverer about avoiding those regex checks. Imo the best solution is just more widespread warnings about the fact that AUR packages are community-contributed with no guarantees of safety (e.g. on the Arch wiki where it sometimes suggests users install AUR packages), and AUR helpers forcing users to read PKGBUILDs before installation.