Last night while updating my system, I noticed that a random aur package my system depends on was orphaned in the aur. It’s some random deep-down dependency of another AUR package, and it’s not received any upstream commits in a while. Nice and stable, just needed an owner. I decided to adopt the package before someone else did.
It was kinda scary how simple it is to adopt an orphaned package. Create AUR account… click an email link… Done. If someone wanted to squat the package for malicious purposes, it would be stupidly simple.
I get that this is a problem for all community repos, not just AUR (npm, anyone?), but it’s still an unsettling prospect. I feel like it goes unacknowledged sometimes.
First, you should be familiar with the basic process of compiling and installing software from source. For C or C++ projects, this can be as simple as

```sh
./configure
make
make install
```

for projects that use GNU Autotools, or something like

```sh
cmake -B build
cd build
make
make install
```

for CMake projects.

I generally split PKGBUILDs into three important parts. There’s the metadata at the top, then there are the `build` and `package` functions. `build` is where everything up to the `make` (or equivalent build-the-thing) command goes, and `package` is where the `make install` bits go. There are also the `prepare` and `check` functions, but those aren’t used as often.

As for the actual documentation, the Arch Wiki page for PKGBUILD covers most of the metadata stuff, and the page for Creating Packages covers most of the `build` and `package` stuff.
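Putting those pieces together, here is an added example PKGBUILD that is not from the original post or from any real AUR package. It describes a hypothetical Autotools project called `examplelib`; the package name, URL, version, dependencies and checksum are all placeholders. It shows where the `./configure`, `make` and `make install` lines from above land, and where `prepare` and `check` fit in between.

```bash
#!/bin/bash
# Added example PKGBUILD for a hypothetical Autotools project "examplelib".
# Name, URL, version, dependencies and checksum are placeholders, not a real AUR package.
# Maintainer: Your Name <you@example.com>

# --- 1. metadata: what the package is and where its sources come from ---
pkgname=examplelib
pkgver=1.2.3
pkgrel=1
pkgdesc="Hypothetical C library used to illustrate PKGBUILD layout"
arch=('x86_64')
url="https://example.com/examplelib"
license=('MIT')
depends=('glibc')
makedepends=('autoconf' 'automake')
source=("$url/releases/$pkgname-$pkgver.tar.gz")
# Placeholder checksum: regenerate with `makepkg -g` (or `updpkgsums`) against the real tarball.
# Do not leave this as 'SKIP' for a release tarball; makepkg would then skip integrity
# checking and accept whatever the server hands back.
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

# --- 2. prepare(): patching and anything else that must happen before configure ---
prepare() {
  cd "$srcdir/$pkgname-$pkgver"
  # e.g. patch -p1 < "$srcdir/fix-build.patch"   (the patch would also be listed in source=)
  :
}

# --- 3. build(): everything up to and including make ---
build() {
  cd "$srcdir/$pkgname-$pkgver"
  ./configure --prefix=/usr
  make
}

# --- 4. check(): the project's own test suite, if it has one ---
check() {
  cd "$srcdir/$pkgname-$pkgver"
  make check
}

# --- 5. package(): the make install bits, installed into $pkgdir, never into the live system ---
package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
}
```

Run `makepkg -g` against the real tarball to fill in `sha256sums`, then `makepkg -si` to build and install. `makepkg --verifysource` downloads and checks the sources without building, which is a cheap sanity step when you inherit someone else's PKGBUILD. For a CMake project the `build` body becomes `cmake -B build -S . -DCMAKE_INSTALL_PREFIX=/usr` followed by `cmake --build build`, and `package` becomes `DESTDIR="$pkgdir" cmake --install build`.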