This continues a thread on arch-general: Thomas Bächler wrote:
I agree. The question is not about makepkg security, but about sudo security. And frankly, sudo is a security disaster in its default configuration.
Any suggestions for changing / shipping a better default config file? I know little about the security implications of this, but I think we should ship a decent default if possible.
Our policy is usually to ship whatever upstream ships. IMO, a good default would be to set sudo to require the root password (not the user password) and not cache any passwords at all.
Also, I think instead of using sudo in makepkg, we should use su by default (with an option to enable sudo). su always has a good default configuration requiring the root password (it's also possible to set it to allow password-less su in the pam configuration, but everyone who does that is crazy anyway).
The original complaint was that when using makepkg -sic, the sudo password is cached after dependency installation, and malicious sudo commands might be executed during build() because the password is cached. My opinion on this is that we should not encourage people to use sudo. Aaron suggested moving it here for further discussion. What do you think?
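As an added example (not code from the thread or from Arch), the following POSIX shell snippet audits sudoers text for the two settings Thomas proposes: `Defaults rootpw` (prompt for root's password instead of the caller's) and `Defaults timestamp_timeout=0` (never cache a successful authentication, so a later sudo call inside build() would prompt again). The two sudoers texts are constructed samples; a real audit should use `visudo -c` and `sudo -l`, which also see /etc/sudoers.d/ and host-specific Defaults.

```shell
#!/bin/sh
# Constructed sample: a sudoers with the defaults discussed in the thread.
HARDENED='Defaults env_reset
Defaults timestamp_timeout=0
Defaults rootpw
%wheel ALL=(ALL) ALL'

# Constructed sample: upstream-style sudoers, caching on, caller's password.
UPSTREAM='Defaults env_reset
%wheel ALL=(ALL) ALL'

# Keep only "Defaults" lines of the given sudoers text, with comments stripped.
# (Simplification: does not follow @include/@includedir directives.)
defaults_lines() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -E '^[[:space:]]*Defaults'
}

# Audit one sudoers text. Prints "ok" when both settings are present,
# otherwise a space-separated list of findings.
audit_sudoers() {
    findings=""
    # Caching counts as disabled only when timestamp_timeout is exactly 0.
    # A negative value means "never expire"; absence means sudo's compiled-in
    # default, which keeps the credential for several minutes.
    if ! defaults_lines "$1" | grep -Eq 'timestamp_timeout[[:space:]]*=[[:space:]]*0([[:space:]]|,|$)'; then
        findings="$findings${findings:+ }credential-caching-enabled"
    fi
    # rootpw must appear as its own flag; "!rootpw" (negated) does not match.
    if ! defaults_lines "$1" | grep -Eq '(^|[[:space:],])rootpw([[:space:],]|$)'; then
        findings="$findings${findings:+ }user-password-used"
    fi
    if [ -z "$findings" ]; then
        echo ok
    else
        echo "$findings"
    fi
}

audit_sudoers "$HARDENED"   # ok
audit_sudoers "$UPSTREAM"   # credential-caching-enabled user-password-used
```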