[arch-general] makepkg security
iphitus at iphitus.org
Thu Jul 9 22:11:19 EDT 2009
On Fri, Jul 10, 2009 at 11:39 AM, Alessandro Doro<ordo.ad at gmail.com> wrote:
> ¹ Really theoretical, assuming that the user:
> · read the PKGBUILD,
> · trust the package source.
Yeah... I think I'd be somewhat suspicious if I saw a PKGBUILD calling sudo.
sudo -k wouldn't be very effective either. What if I run sudo
elsewhere on my system during the build process, the hole is open
As long as you're running an untrusted script on your system, there's
infinitely many other possibilities. An rm -rf ~/* is pretty damaging
and doesn't need sudo.
Allesandro is spot on.
More information about the arch-general