[arch-projects] mBira project

Dusty Phillips buchuki at gmail.com
Wed Jun 1 16:12:22 EDT 2005


> This was discussed a while back - and the answer is the same old "security".
> 
> The AUR has no validation for PKGBUILDs... I could submit a PKGBUILD
> that has an install file that runs "rm -rf /" and the AUR will handle
> it just fine... an automated command to download a PKGBUILD from the
> AUR, and makepkg it without any checking, I can wipe your harddrive
> when you try to install madwifi from AUR
> 
True that AUR doesn't verify PKGBUILDs, but at least I can look at the
PKGBUILD online and decide on what it contains. A user repository
sends binary packages; it could contain a package that rm -rf / in the
post-install and I wouldn't even have had a chance to look before the
damage was done!

cactus: I didn't mean to attack personal repositories; in the case of
you and phrakture, I've used both in the past and may continue to. But
I don't trust anybody else to build a package properly, even if they
don't mean to harm it.

For me, I'd like to see all PKGBUILDs in AUR. Then I'd like to be able
to view the PKGBUILD to verify the integrity (already easily done
online), and then be able to run a simple program that will
automatically install from AUR without me having to manually download
the pkg and makepkg it... If the pkg is in somebody's repo, I have to
edit pacman.conf, and personally, I like to keep that as simple as
possible... I hate adding repositories so I can download just one or
two programs from them. But that might just be me. I'm remembering
days when I had a loooooooooooong list of apt-get sources that took
literally an hour to update on dialup...

Lovely thing about arch is I don't even remember the file that apt-get
sources are stored in! :-)

Anyway, I hijacked your topic here... I recall phrakture had a script
to grab PKGBUILDs from AUR, so it shouldn't be hard for me to extend
this to automatically build too.

Dusty
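The workflow the post asks for (fetch the PKGBUILD, look at it and its install scriptlet, then build) can be gated so that makepkg never runs on something the user has not seen. The script below is an added example, not code from the original mail or from Arch; it assumes the PKGBUILD directory has already been fetched into `$1` by whatever AUR script is used, and the review-list regex (bare `rm -rf` against `/`, `$HOME` or `~`) is only an illustrative check, not a complete audit.

```shell
#!/bin/sh
# Added example: gate makepkg on a manual review of the PKGBUILD and the
# install scriptlet(s) it references, so the "look before it runs" step the
# post describes is enforced rather than optional.
# Assumptions: $1 is a directory already containing PKGBUILD and its files;
# file names contain no spaces; makepkg is on PATH when building.

# Print the install scriptlets named by install= lines in the PKGBUILD,
# one per line, with $pkgname / ${pkgname} resolved from the pkgname= line.
pkgbuild_install_files() {
    dir=$1
    pkgname=$(sed -n 's/^pkgname=//p' "$dir/PKGBUILD" | tr -d "\"'")
    sed -n 's/^install=//p' "$dir/PKGBUILD" | tr -d "\"'" |
        sed -e "s/\\\$pkgname/$pkgname/g" -e "s/\\\${pkgname}/$pkgname/g"
}

# Return 0 (and print file:line) if any given file contains a line from the
# illustrative review list: an rm -r aimed at /, $HOME or ~ as a whole path.
# Returns 1 when nothing matched. Missing files are skipped.
flag_suspicious() {
    status=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -nE 'rm +-[a-zA-Z]*r[a-zA-Z]* +(/|\$HOME|~)( |$)' "$f"; then
            status=0
        fi
    done
    return $status
}

# Full workflow: show every file that will run at build or install time,
# refuse outright on a review-list hit, otherwise ask before calling makepkg.
review_and_build() {
    dir=$1
    files="$dir/PKGBUILD"
    for i in $(pkgbuild_install_files "$dir"); do
        files="$files $dir/$i"
    done
    for f in $files; do
        echo "==> $f"
        cat "$f"
        echo
    done
    if flag_suspicious $files; then
        echo "!! review-list pattern found above; not building" >&2
        return 2
    fi
    printf 'Build %s with makepkg? [yes/NO] ' "$dir"
    read -r answer
    [ "$answer" = yes ] || return 1
    (cd "$dir" && makepkg)
}
```

Run it as `review_and_build ./madwifi` after fetching; the point of the pattern check is only to make the obvious case impossible to miss, the real control is that the scriptlet is printed and the build waits for an explicit `yes`.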
