Please for the Love of Whatever Deity You May Believe in, Don’t Use yaourt

yaourt is an AUR helper, which is a short way of saying that it is a tool to help with installation and dependency management when installing packages from the Arch User Repository. It is also commonly recommended in guides about starting out on Arch or Manjaro, since it used to be the default on Manjaro before 17.0 and is in Manjaro’s repos. Sounds fine, yeah? No.

The problem is that it makes a very important assumption when installing packages: that they’re not out to cause harm.

The way that Arch installs packages is through the use of a PKGBUILD script (read more here). This file outlines the basic details of the package, such as dependencies and steps that need to be taken. As an example, here’s one that I made for converting the DEB for a project I am developing into an Arch package and installing it:

[Image: basic PKGBUILD script]

What tools such as yaourt do is take this script, execute it to build the package, and then install that package. Where yaourt screws up is that it executes part of the script before letting you read it.

Taking the Gogios example from above, I can add a line to it like so:

[Image: the same PKGBUILD, now with 'echo "pwned"' added to prove a point]

And running with yaourt will produce this:

[Image: yaourt output with the echo added; yaourt ran the echo before asking if I wanted to review the file]

I hope it is obvious why this is a problem. yaourt executed the echo statement as soon as I started the install, and then asked if I wanted to see how much I just screwed myself.
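A PKGBUILD is a shell script, so any tool that runs it to read the package metadata also runs whatever else sits at the top level. As an added example (not the author's or yaourt's code), the script below lists those statements by reading the file as text only; the function names are hypothetical and the sample PKGBUILD and its values are constructed.

```shell
#!/bin/sh
# Added example: list statements that would run as soon as a PKGBUILD is
# sourced, by reading the file as text only. Heuristic triage aid: assumes
# each function body ends with "}" in column 0.
toplevel_commands() {
    awk '
    function risky(s) { return s ~ /[$][(]|`|;|[|]|&&/ }  # substitution, chaining
    function report() { print NR ": " $0 }
    /^[ \t]*$/ || /^[ \t]*#/ { next }                 # blank lines, comments
    in_func  { if ($0 ~ /^[}]/) in_func = 0; next }   # body runs at build time
    in_array { if (risky($0)) report()                # inside a multi-line array
               if ($0 ~ /[)][ \t]*$/) in_array = 0; next }
    /^[A-Za-z_][A-Za-z0-9_-]*[ \t]*[(][)]/ {          # function header
        if ($0 !~ /[}][ \t]*$/) in_func = 1; next }
    /^[A-Za-z_][A-Za-z0-9_]*[+]?=/ {                  # assignment
        if ($0 ~ /^[A-Za-z_0-9]+[+]?=[(]/ && $0 !~ /[)][ \t]*$/) in_array = 1
        if (risky($0)) report(); next }
    { report() }                                      # anything else executes
    ' "$1"
}

# Constructed sample PKGBUILD (placeholder values) with the echo at top level.
write_sample() {
    cat > "$1" <<'EOF'
pkgname=gogios
pkgver=1.0
pkgrel=1
arch=('x86_64')
depends=(
  'glibc'
)
source=("https://example.invalid/gogios.deb")
echo "pwned"
stamp=$(date +%s)
package() {
  echo "runs only at build time, after review"
  tar -xf data.tar.xz -C "$pkgdir"
}
EOF
}

sample=$(mktemp)
write_sample "$sample"
toplevel_commands "$sample"   # prints lines 9 and 10 of the sample
rm -f "$sample"
```

An empty result only means nothing runs at source time; the function bodies still need to be read before building.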

In summary: please, for the love of whatever deity you may believe in, do not use yaourt. Use something like yay (the recommended AUR helper of ASA) or some other trusted program from the table here.

About: Bailey Kasin

I build virtual environments and challenges for Cybersecurity students to complete as a way to gain experience before graduating and entering the workforce.

