I know there are many other backup programs available like borg + vorta, but getting it set up is proving a huge faff with my NAS whereas Duplicati has always worked straightforwardly because it does not require anything special to be set up on the remote server. I still want to figure out borg because it seems a bit more efficient/fast but it would be nice to have some sort of automatic backup going until then.
It costs basically nothing to have them in the repos because they are already compiled.
And indeed many of the AUR packages Cachy has adopted are bin packages.
On the other hand if they are in the AUR as a bin and do not require any building then it does not really confer much benefit, if any at all, for them to be additionally in the repos. Sometimes it even means that users have to wait on a Cachy repo push when the AUR variant has already been upgraded.
I’ve never looked much into it over the years, but I always assumed these packages weren’t in official repos due to licensing for one reason or another. I know AUR pkgs can be be submitted for approval to be added into the community repos, but previous point stands.
Off the top of my head, I can’t see why this can’t be submitted for that by the pkg maintainer.
I was mainly speaking in reference to Cachy above - which seems to routinely add bin packages or even prefer them for the reasons already mentioned.
As to the normal AUR->Arch scenario .. those have a lot of different considerations. But one is definitely licensing. Something like google-chrome or ms11fonts or spotify simply cannot be redistributed. At least not by any group that fears litigation. While user scripts in the AUR are not Arch doing distribution.
But other things matter too like the state of the software, how useful or popular it is, etc etc.
And another thing thats lesser known .. the votes. Those vote numbers are meant to be exactly one thing and thats “I vote this be added to the repos”.
Ah, I forgot to check AUR, thanks. I know a lot of “missing” programs end up on AUR, and it’s probably better than having random loose packages floating around your system, but it’s just more convenient to have everything in the cachy repos. That’s the first place anybody is going to check and adds a bit of trustworthiness I think personally.
Being in the AUR does not really change whether they are floating around on your system.
Pacman does not care how you got an orphan or why something is or is not a dependency.
As to their trajectory..
Sometimes old software gets demoted to the AUR.
And sometimes its a first stop before something eventually gets promoted to the repos.
But usually its just somewhere something small or niche or proprietary is made available by some random user who thought it might be useful.
In the case of a binary package.
Especially if it is not somehow analyzed or vetted.
Then this would actually be a false sense of trustworthiness.
It would arguably be more secure for them to be somewhere less trusted.
“Heres a compiled binary for that app you want that someone posted to gdrive. We have no idea whats in it.”
Should that package be served to users as if it is an official package?
Or is it better that it is left to the more obvious “this is third party, use at your own risk” category?
I can understand your argument. It is better not to have a false sense of security. But maybe what this argument leads to is that the official repo should have a minimum vetting process. I know that goes against the Arch ethos of “do whatever you want it’s up to you” but the reality is that even subconsciously when you put the brand name next to something it’s going to be assumed to have some responsibility. If it is my friend who is sending me the program from a gdrive folder maybe I would ask questions (Esp if it looked like malware)but it is not as sketchy as from a random stranger.
My current habit is to try Octopi for a package, then if it isn’t there go search the software’s official site/Github, AUR is very much third choice (which is why I forgot about it).
I only mean that pacman keeps track of what packages and dependencies are installed and updates them (or can prune the unnecessary ones) vs something like an AppImage or shell script downloaded from Github that it would be easy to forget I even have saved somewhere. I have cachy-updater which checks flatpaks as well which is much better than relying on my memory.
Yes. This is also one of the reasons why even when we do have to get something manually, and even if we dont plan on sharing it with someone else, it is usually preferable to create a PKGBUILD.