[arch-general] Integrating Virus Scanning for Packages Handled by Pacman (Mark Lee)

Mark E. Lee mark at markelee.com
Wed Apr 24 13:47:31 EDT 2013

On Wed, 2013-04-24 at 12:57 -0400, arch-general-request at archlinux.org
> On Tuesday, April 23, 2013 06:56:56 PM Daniel Micay wrote:
> > On Tue, Apr 23, 2013 at 1:10 PM, Mark E. Lee <mark at markelee.com>
> wrote:
> > > While building packages on the AUR, I was wondering that except
> for
> > > manual user intervention (by reading the code), I didn't have any
> other
> > > methods of knowing if a package had malware or viruses. Hence, I
> was
> > > wondering if virus scanning via clamav should be called before
> pacman
> > > installs packages.
> > > 
> > > --
> > > Mark E. Lee <mark at markelee.com>
> > 
> > The PKGBUILD itself is a bash script. If you're running them without
> > reading the code and checking that the sources are from an upstream
> > you trust, you're gonna have a bad time.
> > 
> > There are plenty of packages in the AUR that touch outside of
> $pkgdir
> > - but most seem to be beginner mistakes in good faith. ClamAV pretty
> > much just detects very common win32 viruses, because it's used on
> mail
> > servers to *reduce* the number of spread viruses.
> > 
> > If you really feel like scanning the package contents after you've
> > already trusted the PKGBUILD and build scripts, just don't use
> makepkg
> > -i.
> I'd have to agree here, I don't feel much as if it is the duty of the
> package 
> manager to check for viruses. Furthermore, reinforcing what Daniel
> said, 
> ClamAV's primary function is to mitigate the spreading of Windows
> malware. 
> While it would be nice to have some system to screen PKGBUILDs for
> malicious 
> activity, it is just out of scope. [core], [extra], [multilib], and 
> [community] are for the most part screened upon submission (You can't
> just 
> throw a package right upstream and into [community] without having
> someone 
> view it first, thus having an opportunity to spot bad scripts) and the
> AUR is 
> fairly trustworthy in and of itself. It really is just a matter of
> trust.

As seen by some malignant Android apps, trust in the
developer/maintainer does not always work towards the goals of the end
users. Packages downloaded from the main repos or built from the AUR
should be scanned for both windows and linux malware to ensure Arch
Linux pc's don't become carriers for malware. Pacman would benefit from
an additional line of package scanning (not just verifying); it's sort
of like a second opinion from another doctor.

Mark E. Lee <mark at markelee.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: This is a digitally signed message part
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20130424/01f674da/attachment.asc>

More information about the arch-general mailing list