[arch-projects] mBira project
jason at archlinux.org
Wed Jun 1 21:59:14 EDT 2005
On Wed, Jun 01, 2005 at 02:29:37PM -0500, Aaron Griffin wrote:
> On 6/1/05, Dusty Phillips <buchuki at gmail.com> wrote:
> > Since AUR can contain unofficial PKGBUILDs, I question the utility of
> > this? Why don't users with binary package dbs submit the packages to
> > AUR instead.
> > The answer, of course, will be "because they have to build the
> > packages themselves". To this end, I think a script based on sourcepac
> > that automatically downloads PKGBUILDs and builds them would be more
> > useful.
> This was discussed a while back - and the answer is the same old "security".
> The AUR has no validation for PKGBUILDs... I could submit a PKGBUILD
> that has an install file that runs "rm -rf /" and the AUR will handle
> it just fine... an automated command to download a PKGBUILD from the
> AUR, and makepkg it without any checking, I can wipe your hard drive
> when you try to install madwifi from AUR
There's a subtlety here that I think you've missed. The AUR can have
contributions from anyone, with very weak-grained (opposite of
fine-grained) control over whose packages you see. Essentially it'd be one
huge personal repo that anyone could submit to. You have to trust everyone
in existence if you trusted a random package from AUR.

A personal repo is usually run by a single person. It's fairly easy to
say if you trust that one person's packages or not.

By using a personal repo, I'm implicitly trusting the maintainer of that
repo. By using an automatic-package-installing AUR, I'm implicitly trusting
anyone with enough brains to create an AUR account.
If you understand, things are just as they are. If you do not understand,
things are just as they are.
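The gate this message argues for (trust a named maintainer, not anyone with an AUR account), written out as an added shell example that is not part of the thread or of any Arch tool; it assumes PKGBUILDs carry a "# Maintainer:" comment and name their scriptlet with an install= line, and it never runs makepkg itself, only decides whether building is acceptable.

```shell
#!/bin/sh
# Added example: refuse to build a fetched PKGBUILD unless its maintainer is
# on an explicit allowlist, and surface any install scriptlet for review,
# since that scriptlet runs as root at install time.
# Assumptions (not from the thread): a "# Maintainer: Name <email>" comment
# and an install=... line naming the scriptlet file.

# trusted_maintainer NAME ALLOWLIST_FILE -> 0 if NAME is an exact line in the file
trusted_maintainer() {
    grep -Fxq -- "$1" "$2"
}

# pkgbuild_maintainer PKGBUILD -> prints the maintainer name without the email part
pkgbuild_maintainer() {
    sed -n 's/^# Maintainer:[[:space:]]*\([^<]*[^< ]\).*/\1/p' "$1" | head -n 1
}

# pkgbuild_install_file PKGBUILD -> prints the value of install=, quotes stripped
pkgbuild_install_file() {
    sed -n 's/^install=\(.*\)/\1/p' "$1" | tr -d "\"'" | head -n 1
}

# gate_pkgbuild DIR ALLOWLIST -> 0 when building is acceptable, 1 otherwise
gate_pkgbuild() {
    dir=$1; allow=$2
    maint=$(pkgbuild_maintainer "$dir/PKGBUILD")
    if [ -z "$maint" ] || ! trusted_maintainer "$maint" "$allow"; then
        echo "refusing: maintainer '${maint:-unknown}' not in allowlist" >&2
        return 1
    fi
    inst=$(pkgbuild_install_file "$dir/PKGBUILD")
    if [ -n "$inst" ]; then
        if [ ! -f "$dir/$inst" ]; then
            echo "refusing: install scriptlet '$inst' is missing" >&2
            return 1
        fi
        # The scriptlet is where a hostile package would hide commands; show it.
        echo "install scriptlet '$inst' runs as root at install time; review it:" >&2
        cat "$dir/$inst" >&2
    fi
    return 0
}
```

Only a maintainer name that appears as a whole line in the allowlist passes, so a package from an unknown AUR account is rejected before any build step runs.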