[arch-general] makepkg security

Square toolman33 at gmail.com
Thu Jul 9 14:55:30 EDT 2009

I noticed this in my typical routine when installing AUR packages. 'makepkg -sic' is the typical command I use, and most of the time if dependencies are installed before building sudo doesn't time out before the install - meaning I do not have to re-enter a password for installing the package itself. This leaves a window where any time during the build process a command could have been executed with sudo and it would have went through without my knowledge.

I do realize that it should be up to the user to validate all of the
content, i.e. make sure everything is 'clean', but I thought I might
bring it up for discussion. 

More information about the arch-general mailing list