[arch-general] Integrating Virus Scanning for Packages Handled by Pacman
While building packages on the AUR, I was wondering that except for manual user intervention (by reading the code), I didn't have any other methods of knowing if a package had malware or viruses. Hence, I was wondering if virus scanning via clamav should be called before pacman installs packages.

-- 
Mark E. Lee <mark@markelee.com>
On Tue, Apr 23, 2013 at 1:10 PM, Mark E. Lee <mark@markelee.com> wrote:

> While building packages on the AUR, I was wondering that except for manual user intervention (by reading the code), I didn't have any other methods of knowing if a package had malware or viruses. Hence, I was wondering if virus scanning via clamav should be called before pacman installs packages.
>
> -- 
> Mark E. Lee <mark@markelee.com>
The PKGBUILD itself is a bash script. If you're running them without reading the code and checking that the sources are from an upstream you trust, you're gonna have a bad time. There are plenty of packages in the AUR that touch outside of $pkgdir - but most seem to be beginner mistakes in good faith. ClamAV pretty much just detects very common win32 viruses, because it's used on mail servers to *reduce* the number of spread viruses. If you really feel like scanning the package contents after you've already trusted the PKGBUILD and build scripts, just don't use makepkg -i.
On Tuesday, April 23, 2013 06:56:56 PM Daniel Micay wrote:

> On Tue, Apr 23, 2013 at 1:10 PM, Mark E. Lee <mark@markelee.com> wrote:
>
>> While building packages on the AUR, I was wondering that except for manual user intervention (by reading the code), I didn't have any other methods of knowing if a package had malware or viruses. Hence, I was wondering if virus scanning via clamav should be called before pacman installs packages.
>>
>> -- 
>> Mark E. Lee <mark@markelee.com>
>
> The PKGBUILD itself is a bash script. If you're running them without reading the code and checking that the sources are from an upstream you trust, you're gonna have a bad time.
>
> There are plenty of packages in the AUR that touch outside of $pkgdir - but most seem to be beginner mistakes in good faith. ClamAV pretty much just detects very common win32 viruses, because it's used on mail servers to *reduce* the number of spread viruses.
>
> If you really feel like scanning the package contents after you've already trusted the PKGBUILD and build scripts, just don't use makepkg -i.
I'd have to agree here; I don't feel much as if it is the duty of the package manager to check for viruses. Furthermore, reinforcing what Daniel said, ClamAV's primary function is to mitigate the spreading of Windows malware. While it would be nice to have some system to screen PKGBUILDs for malicious activity, it is just out of scope. [core], [extra], [multilib], and [community] are for the most part screened upon submission (you can't just throw a package right upstream and into [community] without having someone view it first, thus having an opportunity to spot bad scripts) and the AUR is fairly trustworthy in and of itself. It really is just a matter of trust.

-- 
Regards,
Tanner
On Tue, Apr 23, 2013 at 2:10 PM, Mark E. Lee <mark@markelee.com> wrote:

> While building packages on the AUR, I was wondering that except for manual user intervention (by reading the code), I didn't have any other methods of knowing if a package had malware or viruses. Hence, I was wondering if virus scanning via clamav should be called before pacman installs packages.

I would say that the best way to assure you're using the correct file, as intended by the original developers, is to use digital signatures to check the sources. Not all projects sign their releases, but for those who do, you can use makepkg's support for GPG signature checking. According to PKGBUILD's man page, you can have a source line ending with .sig, .sign or .asc and makepkg will download it and check the signature. The user building the package must have the project's key in his GPG keyring and it must be trusted. Hope that helps.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?
For more information, please read: http://idallen.com/topposting.html
-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------
Denis A. Altoé Falqueto <denisfalqueto@gmail.com> on Wed, 2013/04/24 17:18:

> I would say that the best way to assure you're using the correct file, as intended by the original developers, is to use digital signatures to check the sources. Not all projects sign their releases, but for those who do, you can use makepkg's support for GPG signature checking.

I do know some projects which sign their packages but Arch PKGBUILDs do not use them. Package 'postfix' is an example. Do the developers want bug reports about that?

-- 
main(a){char*c=/* Kind regards */"B?IJj;MEH" "CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];) putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
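The signature checking Denis describes, and the gap Christian points out (a project that signs its releases while the PKGBUILD never fetches the signatures), as an added example that is not from anyone in this thread: a bash snippet with a constructed PKGBUILD fragment (placeholder URLs, checksums and key fingerprint) and a small lint that reports which source entries are paired with a companion file by makepkg's naming rule, that is, an entry ending in .sig, .sign or .asc covers the entry with that suffix removed. The validpgpkeys array is a later makepkg addition the 2013 thread does not mention; source_filename, is_signature, signature_report and unsigned_count are names invented for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the arch-general thread or from makepkg.
# It embeds a constructed PKGBUILD fragment and lints its source=() array
# for detached signatures using makepkg's naming rule (.sig/.sign/.asc).

# --- constructed PKGBUILD fragment (placeholder values) ---------------------
pkgname=example
pkgver=1.0
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz"
        "https://example.invalid/${pkgname}-${pkgver}.tar.gz.sig"
        "https://example.invalid/unsigned-helper-2.3.tar.xz")
sha256sums=('PLACEHOLDER_SHA256_OF_TARBALL'
            'SKIP'                           # signature files are not checksummed
            'PLACEHOLDER_SHA256_OF_HELPER')
validpgpkeys=('0000000000000000000000000000000000000000')  # placeholder fingerprint
# ---------------------------------------------------------------------------

# Local file name makepkg would use for a source entry:
# "name::url" entries use the explicit name, otherwise the URL's basename.
source_filename() {
    case $1 in
        *::*) printf '%s\n' "${1%%::*}" ;;
        *)    printf '%s\n' "${1##*/}" ;;
    esac
}

# True when the entry is a detached-signature file by makepkg's naming rule.
is_signature() {
    case $(source_filename "$1") in
        *.sig|*.sign|*.asc) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Print "<file> signed" or "<file> unsigned" for every non-signature source.
signature_report() {
    local entry f sigs=" "
    # First pass: collect the names the signature entries cover.
    for entry in "${source[@]}"; do
        if is_signature "$entry"; then
            f=$(source_filename "$entry")
            sigs="$sigs${f%.*} "          # drop the .sig/.sign/.asc suffix
        fi
    done
    # Second pass: classify every real source against that set.
    for entry in "${source[@]}"; do
        is_signature "$entry" && continue
        f=$(source_filename "$entry")
        case $sigs in
            *" $f "*) printf '%s signed\n' "$f" ;;
            *)        printf '%s unsigned\n' "$f" ;;
        esac
    done
}

# Number of sources with no companion signature; 0 means every source is covered.
unsigned_count() {
    signature_report | {
        n=0
        while read -r line; do
            case $line in *" unsigned") n=$((n + 1)) ;; esac
        done
        printf '%s\n' "$n"
    }
}

signature_report
printf 'unsigned sources: %s\n' "$(unsigned_count)"
```

Because a PKGBUILD is a bash script, pointing this at a real one means sourcing it, which executes its top-level code; so it belongs after the read-through Daniel recommends, not in place of it. A non-zero unsigned count for a project that does publish signatures is exactly the postfix situation Christian raises, and the fix is to add the signature URL to source=() with a matching 'SKIP' checksum.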
participants (5)

- Christian Hesse
- Daniel Micay
- Denis A. Altoé Falqueto
- Mark E. Lee
- Tanner Danzey