17 May
2014
17 May
'14
10:17 p.m.
On Sat, May 17, 2014 at 5:40 AM, Roland Tapken <ml@lalamuhkuh.de> wrote:
My first guess was that the PKGBUILD usually comes from an untrusted source and may contain code to attack my system (copy personal data or install a rootkit or something like that).
I think that the point isn't that you're not supposed to run makepkg as root to protect against *malicious* packages, but rather to protect aganst *badly written* ones. There are of course many ways that a malicious package could get around that to hose your system, but a simple badly written package that spews files directly into /usr instead of into $pkgdir is easily thwarted by not having the permissions necessary to do so. Regards, ~Celti