How reliable are AUR packages in terms of stability?

LeFantome, 10 months ago (edited 10 months ago)

Obviously the correct answer is the useless one that it varies package to package. AUR is a community effort.

In practice, I use a great many AUR packages and they work just fine. I avoid the AUR if there is an alternative in Core or Extra but much of the value of Arch is the AUR.

The number of AUR packages is not really a factor. You can have dozens of AUR packages installed without incident. A single poorly ( or maliciously ) crafted AUR package can cause problems.

Dependencies can be a problem. I used an AUR version of GIMP for a while ( 2.99 ) but it depended on GEGL and, at some point, the version of GEGL was not new enough and it broke. Overall though, issuers have been rare in my experience.

If you do have an issue, fixing it is typically easy. Arch package management is great in my experience.

I would stay away from Pamac ( from Manjaro but in the AUR ) and just use yay. Pamac breaks things. If you want more than that, try Pacseek.

apt_install_coffee, 10 months ago

Interdependency is a large part of issues; If you have an aur package that breaks but has no other packages that depend on it, you have a minor problem. If you have an aur package that breaks which many packages depend on, you have a major problem. Keep your libraries as unchanging as you can; out of AUR if possible, definitely not -git packages.

An AUR pkgbuild can also perform arbitrary actions to install the package, the security implication is obvious but many also miss that, yes as you install more AUR packages your system will diverge from the expected Arch state. Normally this is minor and fine, but it could trip you up here and there.

s_s, 10 months ago (edited 10 months ago)

Depends on what packages you install.

There are lots of AUR packages marked -git which would be the very definition of unstable.

On the other hand, the kernel modules for my wifi dongle’s drivers are only in the AUR and have been rock solid for 5 years.

It’s really a “if you need to ask, don’t use AUR” type thing. In debian-based systems, it’s the same thing with PPAs. The software is there if you need it, just understand that nobody is validating it.

What’s great about the AUR is that the Arch build system is a fantastic bit of tooling and is incredibly easy to use.

Sentau, 10 months ago

The point is that the official arch repositories have most of the software one might need. Using AUR only for software which I can’t find in the official repos has meant that I have very few packages installed from the AUR and none of them have caused stability issues with my system as these packages are actively maintained

Chewy7324, 10 months ago

Adding to other comments with a little example: A friend of mine wondered why xfce always crashed on login. Turns out it was an out of date AUR package that somehow messed the unrelated xfce up. Removing it solved the crashing problem.

This was relatively benign since it was easily fixed, but I definitely recommend keeping only as many AUR packages installed as necessary. And if something is wrong, it might just be one of those pacakges.

zitronen, 10 months ago

Stable, in this context, only means, that there are no major version jumps. So, you won’t update from, say, version 3.4.9 to 4.0 if that comes out, but instead to 3.4.10, which provides stability, but no new features. It depends a lot on your usage profile, if this is important to you. In that sense, the AUR usually isn’t very stable – but that can be seen as a good thing. If it is significant, typically, you can find pinned versions, too, just as you are still able to download python 2 (not supported for years, but it’s there, stable).

tokyo, 10 months ago

Thank you for your input and insight.

Based on this Arch may not be compatible with my usage profile, but sounds like it’s warrant more personal research just in case.

Aatube, 10 months ago

It's quite stable, though I wouldn't trust it for core/system packages.

tokyo, 10 months ago

That is something that I have been taking notes on. Thank you for your input.

EddyBot, 10 months ago

there are AUR listings which are more prone to break by “design”
in particular any custom kernel or out of tree kernel modules (like Nvidia driver)

the arch linux maintainer keep these in sync so a normal user wouldn’t notice any issue (i.e. linux kernel and nvidia driver are rebuilt in tandem) but by using AUR packages you are now in charge of package maintenance

tokyo, 10 months ago

Thank you for your input and insight.

Based on some other comments as well, it seems smart to stay clear of system critical packages

ogmemuk, 10 months ago

Unless its a rare and obscure package (and thus more prone to be outdated and unmaintained), AUR packages are quite stable.

tokyo, 10 months ago

That is great to know, thank you for your input!

YellowmanfromMoon, 10 months ago

The AUR is a great tool. however I personally try to not install to many packages from it since many packages are outdated and you have to trust the maintainer(s) of the package which can be quite dangerous (especially for small projects).

tokyo, 10 months ago

That seems in line with what I am reading for the most part and is definitely a point for risk assessment.

Thank you for your input.

YellowmanfromMoon, 10 months ago

no problem

OsrsNeedsF2P, 10 months ago

The most common issue is you find out the package is out of date, so you might need to update it yourself if you want the latest release. But the alternative is not having the package at all

tokyo, 10 months ago

That does not sound like the worst thing to encounter. Seems like a relatively benign issue for the benefit.

Thank you for your input.

drwho, 10 months ago

Probably about a fifth of the packages I have installed on my daily driver are from the AUR, and most of the time I forget they came from the AUR.

tokyo, 10 months ago

I feel like this is something that I’d encounter. When I prepared my system I found that a lot of software I wanted was primarily available through the AUR since I tend to use open source software.

It is good to know that it hasn’t seemingly presented any major issues

BaalInvoker, 10 months ago

AUR is a user repo, which means that If you install any aur package, you’re trusting the user who is maintaining this package.

But if you install aur enough, you may install packages and libraries in your system that may break stuff.

AUR is not containerized, which means that these packages shares libs and files with your system. If a package installs a lib unsupported by official repo, it will certainly break your system.

I like aur, but I always try to install the least amount of packages from this source as possible.

tokyo, 10 months ago

Thank you for your input and insight.

Knowing that it is not containerized does help me understand the risks.

hitagi, 10 months ago

I use Arch almost because of the AUR. Depending on the package maintainer, you could run into some issues and you’ll have to check the AUR threads to see how to fix it. For example, a package can fail to compile and update, and the fix suggests to clear the cache. For the most part, I never really had a “broken” system because of an AUR update. YMMV

tokyo, 10 months ago

Thank you for your input and insight.

I stepped away from arch at the risk of having my system break, but this restores my confident in the stability of it