On Tue, Apr 23, 2013 at 2:10 PM, Mark E. Lee <mark@markelee.com> wrote:
While building packages from the AUR, I was thinking that, except for manual user intervention (reading the code), I didn't have any other method of knowing whether a package contained malware or viruses. Hence, I was wondering if virus scanning via clamav should be called before pacman installs packages.
I would say that the best way to ensure you're using the correct file, as intended by the original developers, is to use digital signatures to check the sources. Not all projects sign their releases, but for those that do, you can use makepkg's support for GPG signature checking. According to PKGBUILD's man page, you can have a source line ending with .sig, .sign or .asc, and makepkg will download it and check the signature. The user building the package must have the project's key in his GPG keyring, and it must be trusted.

Hope that helps.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

For more information, please read: http://idallen.com/topposting.html

-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------
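The mechanism Denis describes, as an added example that is neither part of the thread nor makepkg's own code: a POSIX sh script that takes entries in PKGBUILD source=() syntax, spots the ones ending in .sig, .sign or .asc, pairs each with the file it signs (the same name without the suffix, or the local name before "::" when that form is used), and runs `gpg --verify` on the pair. The function names, the sample entries and the trust policy are assumptions made for the example. One caveat worth noting: a plain `gpg --verify` exits 0 for a good signature from a key that is in the keyring but not trusted, so the script reads GnuPG's `--status-fd` lines and insists on TRUST_FULLY or TRUST_ULTIMATE, which is a strict reading of "it must be trusted" and not necessarily makepkg's exact policy.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not makepkg's own code):
# reproduce makepkg-style detached-signature checking for PKGBUILD sources.

# Constructed sample entries, one per line, in PKGBUILD source=() syntax.
# The third uses makepkg's "localname::url" form; the fourth is not a
# signature because .sig is not its final suffix.
SAMPLE_SOURCES='https://example.org/foo-1.0.tar.gz
https://example.org/foo-1.0.tar.gz.sig
foo-patch.diff::https://example.org/patches/123.diff
https://example.org/foo-1.0.tar.gz.sig.bak'

# Local filename an entry is saved under: the part before "::" if present,
# otherwise the last path component of the URL.
source_filename() {
    case "$1" in
        *::*) printf '%s\n' "${1%%::*}" ;;
        *)    printf '%s\n' "${1##*/}" ;;
    esac
}

# If the local filename is a detached signature (.sig/.sign/.asc), print the
# name of the file it covers; print nothing for any other entry.
signed_file() {
    f=$(source_filename "$1")
    case "$f" in
        *.sig)  printf '%s\n' "${f%.sig}" ;;
        *.sign) printf '%s\n' "${f%.sign}" ;;
        *.asc)  printf '%s\n' "${f%.asc}" ;;
        *)      ;;
    esac
}

# Classify GnuPG --status-fd output. Exit 0 only for a GOODSIG whose key
# is fully or ultimately trusted; a good signature from an untrusted key
# is reported as "untrusted" (assumed policy for this example).
signature_status() {
    case "$1" in
        *"[GNUPG:] NO_PUBKEY"*) echo nopubkey;  return 1 ;;
        *"[GNUPG:] BADSIG"*)    echo badsig;    return 1 ;;
    esac
    case "$1" in
        *"[GNUPG:] GOODSIG"*) ;;
        *)                    echo unknown; return 1 ;;
    esac
    case "$1" in
        *"[GNUPG:] TRUST_FULLY"*|*"[GNUPG:] TRUST_ULTIMATE"*)
            echo trusted; return 0 ;;
        *)  echo untrusted; return 1 ;;
    esac
}

# Print "signature -> signed file" for every signature entry in a
# newline-separated source list.
list_pairs() {
    oldifs=$IFS; IFS='
'
    for entry in $1; do
        target=$(signed_file "$entry")
        if [ -n "$target" ]; then
            printf '%s -> %s\n' "$(source_filename "$entry")" "$target"
        fi
    done
    IFS=$oldifs
}

# Verify every signature entry against its file in DIR. Status lines come
# from gpg's --status-fd on stdout; human-readable output goes to stderr.
# Import and trust the upstream key first, e.g.
#   gpg --recv-keys KEYID && gpg --edit-key KEYID   (then "trust" or "lsign")
verify_sources() {
    dir=$1; rc=0
    oldifs=$IFS; IFS='
'
    for entry in $2; do
        target=$(signed_file "$entry")
        [ -n "$target" ] || continue
        sig=$(source_filename "$entry")
        status=$(gpg --batch --status-fd 1 --verify "$dir/$sig" "$dir/$target" 2>/dev/null || true)
        verdict=$(signature_status "$status") || true
        if [ "$verdict" = trusted ]; then
            printf 'verified %s with %s\n' "$target" "$sig"
        else
            printf 'FAILED (%s): %s does not validate %s\n' "$verdict" "$sig" "$target" >&2
            rc=1
        fi
    done
    IFS=$oldifs
    return $rc
}

# Stand-alone run: show which entries would be checked, without calling gpg.
list_pairs "$SAMPLE_SOURCES"
```

To check real files, call `verify_sources /path/to/srcdir "$SAMPLE_SOURCES"` after downloading the entries and importing the project's key; the script stops short of makepkg in one respect, which is that makepkg also refuses to proceed when the key is missing (NO_PUBKEY) rather than merely reporting it.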