On Wed, Feb 27, 2019 at 2:10 AM alad via aur-general <aur-general@archlinux.org> wrote:
> I haven't read all the documentation for this project, but noticed some oddities. Your build service appears to build AUR packages in full automation using "yay -Syu --noconfirm". [4] While I'm sure you took the necessary precautions to protect your _servers_ from arbitrary code execution, users are still at risk.
> For example, even when the build happens on your server, the .install file contains arbitrary code, which is run by pacman as root, on installation of the built package on the user's host. And it's unlikely a user will extract a .pkg.tar.xz, just to verify that the .install file does nothing strange.

Sorry for jumping in here, but that feels like a discussion about the merits of idempotent and declarative package management more than a discussion about TU practices. The security and technical concerns for CI/build services are different to end-user desktops…

> Not to mention how your service hit the AUR rate limit, due to the choice of the one (from 18!) AUR helpers inefficient enough to cause this. [5] I guess this is "fixed" now, but it leaves a bad taste nonetheless.

I'm curious why a user/developer reaching out about an issue leaves a bad taste.

J. Leclanche
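The check alad describes, extracting a built package to look at its install scriptlet before pacman runs it as root, as an added shell example that is not part of this thread or of any build service's code. It assumes the pacman convention that the PKGBUILD's `install=` file is stored inside the package archive as `.INSTALL`; the package it inspects is a throwaway one constructed by the script itself (an uncompressed `.pkg.tar` rather than a real `.pkg.tar.xz`, so it runs anywhere `tar` exists), not a real AUR package.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: review the scriptlet a
# package would run as root *before* installing it with pacman -U.
set -eu

# Construct a throwaway package archive (constructed sample, not a real AUR
# package) containing metadata, one binary, and an install scriptlet.
make_sample_pkg() {
  dir=$(mktemp -d)
  printf 'pkgname = example\npkgver = 1.0-1\n' > "$dir/.PKGINFO"
  printf 'post_install() {\n  echo "hello from post_install"\n}\n' > "$dir/.INSTALL"
  mkdir -p "$dir/usr/bin"
  : > "$dir/usr/bin/example"
  pkg="$dir/example-1.0-1-any.pkg.tar"
  (cd "$dir" && tar -cf "$pkg" .PKGINFO .INSTALL usr)
  echo "$pkg"
}

# Print the install scriptlet stored in the package (pacman keeps the
# PKGBUILD's install= file as .INSTALL inside the archive). Returns 1 when
# the package ships no scriptlet at all.
show_install_script() {
  pkg=$1
  if tar -tf "$pkg" | grep -qxF '.INSTALL'; then
    tar -xOf "$pkg" .INSTALL
  else
    echo "no .INSTALL scriptlet in $pkg"
    return 1
  fi
}

# Count the hook functions the scriptlet defines; each of these runs as root
# at the corresponding point of install/upgrade/remove.
count_hooks() {
  show_install_script "$1" | grep -cE '^(pre|post)_(install|upgrade|remove)\(\)' || true
}

# Stand-alone usage: build the sample and show what pacman would execute.
if [ "${1:-}" = "--demo" ]; then
  PKG=$(make_sample_pkg)
  echo "hooks defined: $(count_hooks "$PKG")"
  show_install_script "$PKG"
fi
```

Running the script with `--demo` builds the sample and prints its `post_install` body; pointing `show_install_script` at a real `.pkg.tar.xz` or `.pkg.tar.zst` works the same way wherever `tar` can autodetect the compression.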