[aur-general] Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

Ralf Mardorf ralf.mardorf at alice-dsl.net
Sun Jul 2 08:56:58 UTC 2017

On Sun, 2 Jul 2017 03:49:10 -0400, Eli Schwartz via aur-general wrote:
>... That is entirely up to the maintainer of said package.


yes and this shouldn't change. I just want to suggest to be responsible
and add a note.

>Even if it weren't entirely up to the maintainer to pin comments, who
>are you proposing should be responsible for determining what packages
>should come with warnings, and then providing such warnings? And what
>makes you think people will *see* those warnings for packages that are
>typically not installed on their own, but as dependencies for something

Apart from the risks mentioned, if you e.g. google for webkit+CVE+linux
and similar search terms, we could assume that if a package gets
dropped from official Arch repositories and from other distros as well
for security reasons, those reasons are high security risks that never
or much to seldom get fixed.

If upstream is aware of such issues, they usually try to get rid of
such a dependency or at least allow to build without webkit or any
other high risk vulnerable software, so Arch repositories provide
claw-mail without the fancy plugin, provide guitaerix2 compiled without
webkit and browsers based upon webkit are removed from the Arch Wiki
lists of applications,
https://wiki.archlinux.org/index.php/List_of_applications/Internet#WebKit-based ,
even while they still might be available by the AUR, at least xombrero
still is. So AUR PKGBUILDs like qtwebkit, webkitgtk and webkitgtk2 are
easy to identify as objectively highly risky. If other high risk
vulnerable software is provided, it would be easy for the maintainer to
identify this software as well.

If software, as the mentioned webkit is discussed for more than a year
and they e.g. were on an Arch phasing out todo list, before they were
completely removed from official repositories, it's not that much a
subjective opinion.

Ok, using an AUR helper like yaourt would displays the latest
comments only, but not pinned comments. With or without an AUR helper,
it doesn't harm to care a little bit about comments, as well as pinned
comments, instead of building everything without care. Maybe a comment
add to the PKGBUILD of high risk vulnerable software could be
done, too.

"Warning: Carefully check all files. Carefully check the PKGBUILD and
any .install file for malicious commands." -

So we could assume that users tend to take a look at the PKGBUILD and
would notice a warning. The PKGBUILD even could provide a msg. Messages
not necessarily are limited to information such as

  msg "applying patch-${_pkgver}"

it also could provide a warning.


More information about the aur-general mailing list