On Tue, Apr 23, 2013 at 1:10 PM, Mark E. Lee <mark@markelee.com> wrote:
While building packages on the AUR, I was wondering that except for manual user intervention (by reading the code), I didn't have any other methods of knowing if a package had malware or viruses. Hence, I was wondering if virus scanning via clamav should be called before pacman installs packages.
-- Mark E. Lee <mark@markelee.com>
The PKGBUILD itself is a bash script. If you're running them without reading the code and checking that the sources are from an upstream you trust, you're gonna have a bad time. There are plenty of packages in the AUR that touch outside of $pkgdir - but most seem to be beginner mistakes in good faith. ClamAV pretty much just detects very common win32 viruses, because it's used on mail servers to *reduce* the number of spread viruses. If you really feel like scanning the package contents after you've already trusted the PKGBUILD and build scripts, just don't use makepkg -i.