[aur-general] Tarball Guidelines

Lukáš Jirkovský l.jirkovsky at gmail.com
Mon Dec 6 07:46:04 CET 2010

> The problem is that namcap's implementation is not meant for untrusted
> PKGBUILDs. Sourcing those build files is a big security flaw, so we
> can't do that for the AUR.

We can create minimal chroot with bash and namcap only. It would
require changes to the infrastructure but it could improve the
PKGBUILDs in AUR a lot.

Here's how it could work:
* user uploads tarball with a package to AUR, the tarball is moved to
the "staging area".
* uploader can see his/her (I wonder how many girls are here :-))
package in AUR interface immediately – this is mostly to prevent
consecutive uploads of the same package. Other users can't see it
until it's checked by namcap.
* create the chroot and check the package using namcap. then of course
clean the chroot
* if there are errors in the package send email/other notification to
the uploader. Otherwise the package is made available to public.
  -> it could be interesting to made namcap results available too. The
package "Package Details" could include namcap log somewhere.

More information about the aur-general mailing list