[aur-general] Tarball Guidelines
Lukáš Jirkovský
l.jirkovsky at gmail.com
Mon Dec 6 07:46:04 CET 2010
>
> The problem is that namcap's implementation is not meant for untrusted
> PKGBUILDs. Sourcing those build files is a big security flaw, so we
> can't do that for the AUR.
>
We can create a minimal chroot with bash and namcap only. It would
require changes to the infrastructure but it could improve the
PKGBUILDs in the AUR a lot.
Here's how it could work:
* The user uploads a tarball with a package to the AUR; the tarball is
moved to the "staging area".
* The uploader can see his/her (I wonder how many girls are here :-))
package in the AUR interface immediately – this is mostly to prevent
consecutive uploads of the same package. Other users can't see it
until it's checked by namcap.
* Create the chroot and check the package using namcap. Then of course
clean the chroot.
* If there are errors in the package, send an email/other notification
to the uploader. Otherwise the package is made available to the public.
-> It could be interesting to make namcap results available too. The
package "Package Details" could include the namcap log somewhere.
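
Added example (not part of the original message, and not namcap or AUR code): a small shell demonstration of the concern quoted above, that reading a PKGBUILD by sourcing it runs whatever the file contains, which is why the proposal confines the check to a throwaway chroot. The PKGBUILD contents, the function names and the `side-effect` marker file are all constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: sourcing a PKGBUILD evaluates it; reading it as text does not.

# Write a constructed PKGBUILD whose pkgver assignment has a harmless side effect.
make_sample_pkgbuild() {
    cat > "$1/PKGBUILD" <<EOF
pkgname=demo
pkgver=\$(touch "$1/side-effect"; echo 1.0)
pkgrel=1
EOF
}

# Sourcing approach: evaluate the file in a subshell, then print pkgver.
pkgver_by_sourcing() {
    ( . "$1" >/dev/null 2>&1; printf '%s\n' "$pkgver" )
}

# Static approach: read the assignment as text and never evaluate it.
pkgver_static() {
    sed -n 's/^pkgver=//p' "$1" | head -n 1
}

# Succeeds if evaluating the file left the marker behind.
side_effect_happened() {
    [ -e "$1/side-effect" ]
}

report() {
    if side_effect_happened "$1"; then
        echo "  marker present: code from the PKGBUILD ran"
    else
        echo "  marker absent: nothing was executed"
    fi
}

demo() {
    demo_dir=$(mktemp -d)
    make_sample_pkgbuild "$demo_dir"
    echo "static read:  $(pkgver_static "$demo_dir/PKGBUILD")"
    report "$demo_dir"
    echo "sourced read: $(pkgver_by_sourcing "$demo_dir/PKGBUILD")"
    report "$demo_dir"
    rm -rf "$demo_dir"
}

demo
```

The static read returns the unevaluated text rather than `1.0`, so a checker that needs the real values still has to evaluate the file somewhere disposable.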