[arch-general] Integrating Virus Scanning for Packages Handled by Pacman

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Wed Apr 24 16:18:02 EDT 2013


On Tue, Apr 23, 2013 at 2:10 PM, Mark E. Lee <mark at markelee.com> wrote:
> While building packages on the AUR, I was wondering that except for
> manual user intervention (by reading the code), I didn't have any other
> methods of knowing if a package had malware or viruses. Hence, I was
> wondering if virus scanning via clamav should be called before pacman
> installs packages.

I would say that the best way to assure you're using the correct file,
as intended by the original developers, is to use digital signatures
to check the sources. Not all projects sign their releases, but for
those who do, you can use makepkg's support for GPG signature
checking.

According to PKGBUILD's man page, you can have a source line ending
with .sig, .sign or .asc and makepkg will download it and check the
signature. The user building the package must have the project's key
in his GPG keyring and it must be trusted.

Hope that helps.

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?
For more information, please read: http://idallen.com/topposting.html

-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------
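As an added illustration (not code from the thread, and not makepkg's own implementation), the POSIX shell function below applies the naming rule Denis describes: it walks a PKGBUILD-style `source=()` list, treats entries ending in `.sig`, `.sign` or `.asc` as detached signatures for the entry with the same base name, and prints any source that makepkg would install unverified. The `example.invalid` URLs and the `foo-1.0` project are constructed placeholders.

```shell
#!/bin/sh
# unsigned_sources ENTRY... : given the entries of a PKGBUILD source=()
# array, print every source file that has no matching .sig/.sign/.asc
# entry. Returns 0 when every source is covered by a signature, 1 otherwise.
# This mirrors makepkg's pairing rule (signature = source name + suffix);
# it does not verify anything itself, it only shows what makepkg will check.
unsigned_sources() {
    sigs=""
    srcs=""
    for entry in "$@"; do
        # PKGBUILD allows "localname::url"; makepkg keys on the local name,
        # otherwise on the last path component of the URL.
        case $entry in
            *::*) name=${entry%%::*} ;;
            *)    name=${entry##*/} ;;
        esac
        # Signature entries are recorded by the base name they cover.
        case $name in
            *.sig)  sigs="$sigs ${name%.sig}" ;;
            *.sign) sigs="$sigs ${name%.sign}" ;;
            *.asc)  sigs="$sigs ${name%.asc}" ;;
            *)      srcs="$srcs $name" ;;
        esac
    done

    rc=0
    for s in $srcs; do
        covered=0
        for b in $sigs; do
            [ "$b" = "$s" ] && covered=1
        done
        if [ "$covered" -eq 0 ]; then
            echo "$s"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample source=() list, equivalent to a PKGBUILD containing:
#   source=('https://example.invalid/foo-1.0.tar.gz'
#           'https://example.invalid/foo-1.0.tar.gz.sig'
#           'fix-build.patch')
# The tarball is signed; the local patch is not, so it is reported.
unsigned_sources \
    'https://example.invalid/foo-1.0.tar.gz' \
    'https://example.invalid/foo-1.0.tar.gz.sig' \
    'fix-build.patch' \
    || echo "the file(s) above will not be signature-checked by makepkg"
```

The check only answers "which sources does makepkg pair with a signature"; the verification itself happens inside makepkg, which in 2013 relied on the project's key being present and trusted in the builder's keyring, as the reply says. Later makepkg releases (pacman 4.2 and newer) also let the PKGBUILD list accepted key fingerprints in a `validpgpkeys=()` array, so a packager can pin which key must have produced the `.sig` rather than depending on keyring trust alone.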

