@Anatol Pomazau Thanks for all your work on the Arch Linux package. Do you mind clarifying why

rpmtools

and

dpkg

are necessary for these? When building locally, it seems like

git python3 bison flex make

are the only requirements. (I haven't tried to run it though)

There is not much reason actually. And it done mostly because of historical reason - when I was brining it up at Arch I just enabled all the feature to make sure it compiles fine with Arch' toolchain. I think these deps can be disabled. And we also need pacman/libalpm integration.

@Anatol Pomazau Awesome, thanks for the response. Is there something I can do to help to accomplish this? When I try to do an install from AUR the installed size is over 500MB. I'd love to get that down to something a little more reasonable and have a minimal set of dependencies.

You don't need to install

osquery

from AUR. The package is available in the standard repo https://www.archlinux.org/packages/community/x86_64/osquery/

@Anatol Pomazau Sorry, I just woke up and didn't communicate that very well. Both the AUR and the standard community repo end up having an install size of over 500MB which seems very large for an agent. I wouldn't mind helping out trying to help minimize some of the dependencies if you'd like. Not really sure where to start here though.

To remove these large dependencies you can try to rebuild this package manually https://git.archlinux.org/svntogit/community.git/tree/trunk?h=packages/osquery without

rpm-tools

dpkg

dependencies.

@Anatol Pomazau Found the culprit.

447.53MiB community/aws-sdk-cpp

Oh yeah, it is a huge beast

Maybe we can move that to a makedepends instead of a depends? 🤔

This library is a runtime dependency. So it is impossible to move to makedeps.

The full SDK is a runtime dependency?

From the bright side this dependency is downloaded only once. You won't download it often.

Interesting. I am trying a rebuild with aws-sdk-cpp as a makedepend to see if it's actually runtime or just a compile time dependency.

If it helps, osquery only uses the

ec2

,

kinesis

,

firehose

and

sts

libraries within

aws-sdk-cpp

.

That's fair, its just hard to imagine people will install a 500MB dependency for a single application, as nothing else in arch repos requires it. Even electron has a smaller footprint... which says a lot.

I think it would be possible to break this Arch package into multiple smaller ones, like

aws-sdk-cpp-ec2

,

aws-sdk-cpp-firehose

, ... Though it makes sense to release only subset of the project components - for beginning only those 4 used by

osquery

and then add more if needed.

Will do. I assume you want the bug filed against aws-sdk-cpp?

yes. and share the ticket with me so I assign it to myself.

Thanks a lot @rokusei

Thank you for all the work you do!

As an intermediate fix I restricted set of components installed by

aws-sdk-cpp

package to only those 4 needed by osquery. The download size of the package is reduced to 3.5 MiB.