On Tuesday, April 23, 2013 06:56:56 PM Daniel Micay wrote:
On Tue, Apr 23, 2013 at 1:10 PM, Mark E. Lee firstname.lastname@example.org wrote:
While building packages on the AUR, I was wondering that except for manual user intervention (by reading the code), I didn't have any other methods of knowing if a package had malware or viruses. Hence, I was wondering if virus scanning via clamav should be called before pacman installs packages.
-- Mark E. Lee email@example.com
The PKGBUILD itself is a bash script. If you're running them without reading the code and checking that the sources are from an upstream you trust, you're gonna have a bad time.
There are plenty of packages in the AUR that touch outside of $pkgdir
- but most seem to be beginner mistakes in good faith. ClamAV pretty
much just detects very common win32 viruses, because it's used on mail servers to *reduce* the number of spread viruses.
If you really feel like scanning the package contents after you've already trusted the PKGBUILD and build scripts, just don't use makepkg -i.
I'd have to agree here, I don't feel much as if it is the duty of the package manager to check for viruses. Furthermore, reinforcing what Daniel said, ClamAV's primary function is to mitigate the spreading of Windows malware. While it would be nice to have some system to screen PKGBUILDs for malicious activity, it is just out of scope. [core], [extra], [multilib], and [community] are for the most part screened upon submission (You can't just throw a package right upstream and into [community] without having someone view it first, thus having an opportunity to spot bad scripts) and the AUR is fairly trustworthy in and of itself. It really is just a matter of trust.