yay does not offer .install files for editing #493

Closed
jinks opened this Issue Jun 15, 2018 · 13 comments

Comments

jinks commented Jun 15, 2018

Affected Version

yay v6.786

Issue

When installing an AUR package that contains a .install file (or any equivalent install= PKGBUILD option), yay does not offer these files up for editing.

Since .install files are run as root they have the potential to be way more malicious than the PKGBUILDs themselves.

Steps to reproduce

  1. yay -S nerd-fonts-complete
  2. select the PKGBUILD for editing

Expected outcome

Both the PKGBUILD and nerd-fonts-complete.install are opened up for editing.
(Bonus: The presence of an install file is prominently listed in the package list so that these packages can be subjected to extra scrutiny)

Actual outcome

Only the PKGBUILD is opened for editing.

Collaborator

Morganamilo commented Jun 28, 2018

Annoyingly, the current srcinfo parser doesn't fully support install files. If a package contains two, it will discard the first one, and I'd rather not have a half-working solution.

It's planned to move to another srcinfo parser at some point, in fact the .install thing is partly why I want to switch.

Sadly the one I wish to use has some very subtle edge cases with split packages and I'd rather get it perfect first.

Expect this feature soon-ish.
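The parser edge case described above (a split package whose pkgname sections carry their own install= entries) is easy to get wrong if a parser keeps one install value per file instead of one per package. The following is an added example, not yay's code or the srcinfo library it uses: a minimal .SRCINFO reader in Go that tracks the pkgbase default and the per-package overrides, so a package with two install scripts reports both. The section semantics it applies (pkgbase keys are defaults, a pkgname section inherits and may override them, an empty `install =` clears the default) are assumptions about the format, stated in the code; the sample .SRCINFO is constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Package is one buildable package from a .SRCINFO (one per pkgname section).
type Package struct {
	Name    string
	Install string // effective install script for this package, "" if none
}

// SrcInfo is the parsed form of a .SRCINFO file.
type SrcInfo struct {
	PkgBase  string
	Packages []Package
}

// parseSrcInfo reads the "key = value" text written by makepkg --printsrcinfo.
// Section rules applied here (assumed for this example, not taken from yay):
// "pkgbase = NAME" comes first and its keys are defaults; each "pkgname = NAME"
// starts a package that inherits them; "install = X" inside a pkgname section
// overrides the default for that package only, and an empty "install =" clears it.
func parseSrcInfo(text string) (SrcInfo, error) {
	var si SrcInfo
	var baseInstall string
	cur := -1 // index into si.Packages; -1 while still in the pkgbase section
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			return si, fmt.Errorf("line %d: not a key = value pair: %q", n, line)
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		switch key { // keys other than these (depends, source, ...) are not needed here
		case "pkgbase":
			if si.PkgBase != "" || cur != -1 {
				return si, fmt.Errorf("line %d: pkgbase must come first and only once", n)
			}
			si.PkgBase = val
		case "pkgname":
			if si.PkgBase == "" {
				return si, fmt.Errorf("line %d: pkgname before pkgbase", n)
			}
			si.Packages = append(si.Packages, Package{Name: val, Install: baseInstall})
			cur = len(si.Packages) - 1
		case "install":
			if cur == -1 {
				baseInstall = val
			} else {
				si.Packages[cur].Install = val
			}
		}
	}
	if si.PkgBase == "" {
		return si, fmt.Errorf("no pkgbase section")
	}
	return si, sc.Err()
}

// installFiles lists the distinct install scripts a reviewer has to read, in
// first-seen order, so a split package with two scripts reports both.
func installFiles(si SrcInfo) []string {
	seen := map[string]bool{}
	var out []string
	for _, p := range si.Packages {
		if p.Install != "" && !seen[p.Install] {
			seen[p.Install] = true
			out = append(out, p.Install)
		}
	}
	return out
}

// sampleSrcInfo is constructed for this example (not a real AUR package): the
// base sets one script, example-a inherits it, example-b overrides it, and
// example-c explicitly has none.
const sampleSrcInfo = `pkgbase = example-split
	install = example.install

pkgname = example-a
pkgname = example-b
	install = example-b.install
pkgname = example-c
	install =
`

func main() {
	si, err := parseSrcInfo(sampleSrcInfo)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, p := range si.Packages {
		fmt.Printf("%-10s install=%q\n", p.Name, p.Install)
	}
	fmt.Println("files to review:", installFiles(si))
}
```

A helper that only stored the last `install =` it saw would show the user example-b.install alone; the per-package model above is what makes the "two install files" case come out right, and it is also the shape a reviewer wants, since each script is root-executed for a specific package.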

Contributor

AladW commented Jul 4, 2018

Since .install files are run as root they have the potential to be way more malicious than the PKGBUILDs themselves.

I've always wondered why the Secure column in the wiki only specifically handled PKGBUILDs, while the (newer) Diff view column does not... Note that .install files alone don't cut it, e.g. the PKGBUILD could run some custom bundled script. I guess this hits the limits of the pseudo-file-manager-via-editor interface most helpers go with.

Collaborator

Morganamilo commented Jul 4, 2018

My view is, if you read the pkgbuild, it clearly states the install files and you can easily then open them yourself in vim. Would you consider an AUR helper secure if it just stopped and went "Please read the pkgbuilds. Press Y when you have read them"?

Anyway this should be doable as soon as #528 is merged.

Plus our diff system does handle the entire tree courtesy of git. So we should be fine on security no matter what, seeing as it's the default option.

Contributor

AladW commented Jul 4, 2018

My view is if you read the pkgbuild, it clearly states the install files and you can easily then open them yourselves in vim.

I guess you mean if you see install=foo.install, you manually do :e foo.install in vim, similarly for patch files et al. If you do, that doesn't sound very pleasant to deal with.

Would you consider an AUR helper secure if it just stopped and went Please read the pkgbuilds. Press Y when you have read them?

That's what pretty much all the helpers with "Optional" in the Secure column do, except that there's no explicit prompt - they just leave you with the retrieved files.

Collaborator

Morganamilo commented Jul 4, 2018

that doesn't sound very pleasant to deal with.

Oh it's not but being pleasant is not a requirement.

NB

Maybe I'm dumb, what does NB mean?

Contributor

AladW commented Jul 4, 2018

Oh it's not but being pleasant is not a requirement.

Ehh... okay? The other thing is that you have to come up with the idea in the first place, which advanced/creative users might, but the rest - which end up being the main audience of these helpers - less so.

On NB: https://en.wikipedia.org/wiki/Nota_bene

Collaborator

Morganamilo commented Jul 4, 2018

Don't get me wrong. I'm still going to add the .install editing as soon as #528 is merged. I agree its better to have this. I was just talking about the minimum required criteria basically.

You're right about the types of people that are often attracted to these helpers. I do try to make sure people aren't doing insane things like -Sy pkgname and --noconfirm everything. But ultimately it is the user's responsibility to know what they are doing.

Contributor

AladW commented Jul 4, 2018

Hm - also regarding your comment on the wiki page - maybe you could 1. edit/view PKGBUILDs and .install files, 2. present what other files are in the repo to the user (git ls-files? could be optional).

Not too relevant to the wider discussion on criteria, but it seems worth considering in the yay context.
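The two-step suggestion above (show the PKGBUILD and .install files, then list whatever else is in the checkout) can be expressed as a small review-set builder. This is an added example in Go, not yay's code: it reads the install= names from .SRCINFO, accepts only plain file names that exist inside the package directory (a name with a path component, or one that is absent, is reported rather than opened), and lists every other top-level file the way git ls-files would, so a bundled helper script that the PKGBUILD sources is not silently skipped. The sample tree is constructed in a temporary directory for the example; names such as gone.install and helper.sh are illustrative, and reading only the top level assumes the flat layout AUR package repositories normally have.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ReviewSet is what a helper should put in front of the user before building.
type ReviewSet struct {
	PKGBUILD string
	Installs []string // referenced install scripts found in the tree (full paths)
	Missing  []string // referenced scripts that are absent, not regular files, or carry a path
	Others   []string // every other file in the tree: patches, bundled scripts, ...
}

// referencedInstalls returns every "install = NAME" value in a .SRCINFO, deduplicated.
// The pkgname section does not matter for review: each script runs as root for some package.
func referencedInstalls(srcinfo string) []string {
	seen := map[string]bool{}
	var out []string
	sc := bufio.NewScanner(strings.NewReader(srcinfo))
	for sc.Scan() {
		key, val, ok := strings.Cut(strings.TrimSpace(sc.Text()), "=")
		if name := strings.TrimSpace(val); ok && strings.TrimSpace(key) == "install" && name != "" && !seen[name] {
			seen[name] = true
			out = append(out, name)
		}
	}
	return out
}

// buildReviewSet inspects a checked-out AUR package directory.
func buildReviewSet(dir string) (ReviewSet, error) {
	rs := ReviewSet{PKGBUILD: filepath.Join(dir, "PKGBUILD")}
	srcinfo, err := os.ReadFile(filepath.Join(dir, ".SRCINFO"))
	if err != nil {
		return rs, fmt.Errorf("read .SRCINFO: %w", err)
	}
	reviewed := map[string]bool{"PKGBUILD": true, ".SRCINFO": true}
	for _, name := range referencedInstalls(string(srcinfo)) {
		// An install script is a plain file name inside the package directory; anything else is reported, never opened.
		p := filepath.Join(dir, name)
		if st, err := os.Stat(p); strings.ContainsAny(name, `/\`) || err != nil || !st.Mode().IsRegular() {
			rs.Missing = append(rs.Missing, name)
			continue
		}
		reviewed[name] = true
		rs.Installs = append(rs.Installs, p)
	}
	// Surface everything else (what `git ls-files` would show) so bundled scripts and patches
	// the PKGBUILD can run are not skipped. AUR trees are flat, so one ReadDir (sorted by name)
	// is enough, and subdirectories such as .git are left out.
	entries, err := os.ReadDir(dir)
	if err != nil {
		return rs, err
	}
	for _, e := range entries {
		if !e.IsDir() && !reviewed[e.Name()] {
			rs.Others = append(rs.Others, e.Name())
		}
	}
	return rs, nil
}

// makeSampleRepo writes a constructed package tree (not a real AUR package) into a temp dir:
// one real install script, one referenced but missing, a bundled helper, and a .git directory.
func makeSampleRepo() (string, error) {
	dir, err := os.MkdirTemp("", "aur-review-")
	if err != nil {
		return "", err
	}
	for name, body := range map[string]string{
		"PKGBUILD":        "pkgname=example\ninstall=example.install\nsource=(helper.sh)\n",
		".SRCINFO":        "pkgbase = example\n\tinstall = example.install\n\npkgname = example\n\tinstall = gone.install\n",
		"example.install": "post_install() {\n\t:\n}\n",
		"helper.sh":       "#!/bin/sh\necho bundled\n",
		".git/HEAD":       "ref: refs/heads/master\n",
	} {
		p := filepath.Join(dir, name)
		if err = os.MkdirAll(filepath.Dir(p), 0o755); err == nil {
			err = os.WriteFile(p, []byte(body), 0o644)
		}
		if err != nil {
			return "", err
		}
	}
	return dir, nil
}

func main() {
	dir, err := makeSampleRepo()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	rs, err := buildReviewSet(dir)
	fmt.Printf("open: %s %v\nmissing: %v\nalso in tree: %v\nerror: %v\n", rs.PKGBUILD, rs.Installs, rs.Missing, rs.Others, err)
}
```

A helper would hand rs.PKGBUILD and rs.Installs to the editor and print rs.Missing and rs.Others before asking for confirmation. A referenced script that is absent or points outside the package directory is a reason to stop rather than build, and anything in rs.Others deserves a look because the PKGBUILD can source or execute it during the build.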

jinks commented Jul 5, 2018

Note that .install files alone doesn't cut it, e.g. the PKGBUILD could run some custom bundled script.

True, but .install files run as root, while the PKGBUILD is built/run by an unprivileged user. Although on the typical personal system that's still a case of https://xkcd.com/1200/.

Bryophyllum commented Sep 22, 2018

As I don't think it requires opening a new issue, here's one I have: I'm not shown .install files either when using Vim. To my surprise, it works as expected with nano and probably the others too.

Collaborator

Morganamilo commented Sep 22, 2018

Have you tried :n?

Bryophyllum commented Sep 22, 2018

@Morganamilo Not really... sighs. I should've taken more Vim lessons, or any at all. Anyhow, thank you for your patience with my folly here. c:
