Re: Idea for preventing malicious packages
Hi all,

Yesterday I wrote a similar thread on the forum: https://bbs.archlinux.org/viewtopic.php?pid=2301093#p2301093

Cheers,
Hexxal (aka silensys)

Sent with Proton Mail secure email.

On Saturday, June 13th, 2026 at 20:13, Claudia Pellegrino <auerhuhn_at_archlinux.org_sketch-hamlet-nape@duck.com> wrote:
Hi David,
In the AUR case, any source scanning would have to be added as part of the makepkg process, and compute required would just be part of the build process if something like that is even doable. FYI, there's some experimental work in progress (private, not endorsed by Arch developers) to add pluggable, user-controlled upstream source auditing to makepkg. [1] [2]
Regards,
Claudia
[1]: https://gitlab.archlinux.org/auerhuhn/libmakepkg-srcaudit/-/blob/main/README...
[2]: https://gitlab.archlinux.org/auerhuhn/libmakepkg-hexora/-/blob/main/README.m...