[arch-projects] mBira project

Jason Chu jason at archlinux.org
Wed Jun 1 21:59:14 EDT 2005


On Wed, Jun 01, 2005 at 02:29:37PM -0500, Aaron Griffin wrote:
> On 6/1/05, Dusty Phillips <buchuki at gmail.com> wrote:
> > Since AUR can contain unofficial PKGBUILDs, I question the utility of
> > this? Why don't users with binary package dbs submit the packages to
> > AUR instead.
> > 
> > The answer, of course, will be "because they have to build the
> > packages themselves". To this end, I think a script based on sourcepac
> > that automatically downloads PKGBUILDs and builds them would be more
> > useful.
> 
> This was discussed a while back - and the answer is the same old "security".
> 
> The AUR has no validation for PKGBUILDs... I could submit a PKGBUILD
> that has an install file that runs "rm -rf /" and the AUR will handle
> it just fine... an automated command to download a PKGBUILD from the
> AUR, and makepkg it without any checking, I can wipe your hard drive
> when you try to install madwifi from AUR

There's a subtlety here that I think you've missed.  The AUR can have
contributions from anyone, with very weak-grained (opposite of
fine-grained) control over whose packages you see.  Essentially it'd be one
huge personal repo that anyone could submit to.  You have to trust everyone
in existence if you trusted a random package from AUR.

A personal repo is usually run by a single person.  It's fairly easy to
say if you trust that one person's packages or not.

By using a personal repo, I'm implicitly trusting the maintainer of that
repo.  By using an automatic-package-installing AUR, I'm implicitly trusting
anyone with enough brains to create an AUR account.

Jason

-- 
If you understand, things are just as they are.  If you do not understand,
things are just as they are.
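The trust distinction Jason draws (one known maintainer versus anyone with an account) is what an unattended "fetch PKGBUILD and makepkg it" script would have to encode before it builds anything. The following is an added illustration, not code from this thread or from any Arch tool: a small gate that an automated builder could apply to a fetched PKGBUILD. It keys trust on the `# Maintainer:` header, which is a convention in PKGBUILD comments; the three sample PKGBUILDs, the maintainer addresses and the `decide` function are constructed for this example. Parsing a PKGBUILD (a bash script) with regular expressions is a heuristic, so the gate never auto-builds on an untrusted maintainer and sends anything with an install scriptlet to a human, which is the point Aaron's "rm -rf /" example makes.

```python
import re
from dataclasses import dataclass, field

# Hypothetical trust list: the one maintainer whose repo we would have used anyway.
TRUSTED_MAINTAINERS = {"maintainer at example.invalid"}

# PKGBUILD conventions this gate looks at. These are heuristics over a bash
# script, not a real parser, so the decisions below err toward "review".
MAINTAINER_RE = re.compile(r"^#\s*Maintainer:\s*.*?<([^>]+)>", re.I | re.M)
INSTALL_RE = re.compile(r"^\s*install=(\S+)", re.M)
CHECKSUM_RE = re.compile(r"^\s*(md5sums|sha1sums)=\(", re.M)


@dataclass
class Verdict:
    action: str                       # "build", "review" or "reject"
    reasons: list = field(default_factory=list)


def decide(pkgbuild: str, trusted=frozenset(TRUSTED_MAINTAINERS)) -> Verdict:
    """Decide whether an unattended makepkg of this PKGBUILD is acceptable.

    reject : no identifiable maintainer, or maintainer not on the trust list
             (the AUR case: we would be trusting an arbitrary account holder)
    review : trusted maintainer, but the package carries an install scriptlet
             (runs as root at install time) or ships no source checksums
    build  : trusted maintainer, no scriptlet, checksums present
    """
    m = MAINTAINER_RE.search(pkgbuild)
    if not m:
        return Verdict("reject", ["no Maintainer header"])
    email = m.group(1).strip().lower()
    if email not in trusted:
        return Verdict("reject", [f"maintainer {email} is not on the trust list"])

    reasons = []
    inst = INSTALL_RE.search(pkgbuild)
    if inst:
        reasons.append(f"install scriptlet {inst.group(1)} runs as root at install time")
    if not CHECKSUM_RE.search(pkgbuild):
        reasons.append("no source checksums, so the fetched tarball cannot be verified")
    return Verdict("review", reasons) if reasons else Verdict("build", [])


# Constructed sample inputs (not real AUR packages).
PKGBUILD_TRUSTED = """\
# Maintainer: Someone <maintainer at example.invalid>
pkgname=example-tool
pkgver=1.0
source=(http://example.invalid/example-tool-1.0.tar.gz)
md5sums=('d41d8cd98f00b204e9800998ecf8427e')
"""

PKGBUILD_TRUSTED_WITH_SCRIPTLET = PKGBUILD_TRUSTED + "install=example-tool.install\n"

PKGBUILD_UNKNOWN = """\
# Maintainer: Anyone <random at example.invalid>
pkgname=example-tool
pkgver=1.0
source=(http://example.invalid/example-tool-1.0.tar.gz)
"""


if __name__ == "__main__":
    for name, text in [("trusted", PKGBUILD_TRUSTED),
                       ("trusted+scriptlet", PKGBUILD_TRUSTED_WITH_SCRIPTLET),
                       ("unknown", PKGBUILD_UNKNOWN)]:
        v = decide(text)
        print(f"{name:18} -> {v.action:6} {'; '.join(v.reasons)}")
```

The gate treats an untrusted maintainer as a hard reject rather than a warning: once a script auto-builds on a warning, the decision has effectively been delegated to whoever uploaded the PKGBUILD, which is exactly the "trusting anyone with an account" outcome the message describes.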