I do, but not as closely or as often as I should. Recent malware is a reminder to be careful, I think I was starting to take the AUR for granted as a repo when really it’s still the Wild West.
I determine within the PKGBUILD (which I view from octopi) the URLs where code or binaries are downloaded from and then if those URLs seem trustworthy, e.g. how many stars or maintainers the github repo has. When the repo is small and doesn’t qualify for the latter criterias, I do a git clone and skim over the sources on the lookout for malicious URLs or strange code (never found anything in that regard). Also search for the package on https://aur.archlinux.org/ and look if other users have anything to say and how many votes it has.
Is the PKGBUILD file the main source of truth? Like does every other file and URL it accesses get mentioned somewhere explicitly in there? (perhaps transitively)
I don’t know if it’s being done, but since AI is here to stay, and these sort of tasks seem to fit with their capabilities, maybe a group could carry out testing.
Does anyone else manually review PKGBUILDs before installing or upgrading anything from the AUR?
I do, but not as closely or as often as I should. Recent malware is a reminder to be careful, I think I was starting to take the AUR for granted as a repo when really it’s still the Wild West.
Yeah, paru makes it pretty easy to do, and can also build packages in a chroot, adding some extra security.
Sort of, but I don’t know what I’m looking for. It would be nice if folks explained what a bad one looks like.
Look for comments that say “# THIS IS MALWARE”
I determine within the PKGBUILD (which I view from octopi) the URLs where code or binaries are downloaded from and then if those URLs seem trustworthy, e.g. how many stars or maintainers the github repo has. When the repo is small and doesn’t qualify for the latter criterias, I do a git clone and skim over the sources on the lookout for malicious URLs or strange code (never found anything in that regard). Also search for the package on https://aur.archlinux.org/ and look if other users have anything to say and how many votes it has.
Is the PKGBUILD file the main source of truth? Like does every other file and URL it accesses get mentioned somewhere explicitly in there? (perhaps transitively)
I do, also most aur-helpers skip or make reviewing a chore.
at the risk of getting down voted I wonder if an LLM would spot it
I don’t know if it’s being done, but since AI is here to stay, and these sort of tasks seem to fit with their capabilities, maybe a group could carry out testing.
Also with paru. I mainly check that the download shows the correct URL and does standard stuff with it.
Yes, always!
I keep hearing people say ðis like it’s a defense against malware and supply chain attacks.
Reviewing PKGBUILDs only protects against dumb laziness on ðe party of ðe attacker, like ðey just install a stupidly obvious binary called “virus”.
What are you checking for in ðe PKGBUILD?