[aur-general] Trusted user application: Drew DeVault

Jerome Leclanche jerome at leclan.ch
Wed Feb 27 01:17:44 UTC 2019


On Wed, Feb 27, 2019 at 2:10 AM alad via aur-general
<aur-general at archlinux.org> wrote:
> I haven't read all the documentation for this project, but noticed some
> oddities. Your build service appears to build AUR packages in full
> automation using "yay -Syu --noconfirm". [4] While I'm sure you took the
> necessary precautions to protect your _servers_ from arbitrary code
> execution, users are still at risk.
>
> For example, even when the build happens on your server, the .install
> file contains arbitrary code, which is run by pacman as root, on
> installation of the built package on the user's host. And it's unlikely
> a user will extract a .pkg.tar.xz, just to verify that the .install file
> does nothing strange.

Sorry for jumping in here but that feels like a discussion about the
merits of idempotent and declarative package management more than a
discussion about TU practices. The security and technical concerns for
CI/build services are different to end-user desktops…

> Not to mention how your service hit the AUR rate limit, due to the
> choice of the one (from 18!) AUR helpers inefficient enough to cause
> this. [5] I guess this is "fixed" now, but it leaves a bad taste
> nonetheless.

I'm curious why a user/developer reaching out about an issue leaves a bad taste.

J. Leclanche
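The quoted concern above is that a built package carries an install script which pacman runs as root on the user's machine, and that nobody extracts a .pkg.tar.xz to look at it. The following shell script is an added example, not part of this thread or of any project discussed in it: it constructs a small demo package offline (the package, its contents and the name `demo` are invented for the example), then shows how to list and print the embedded `.INSTALL` script so it can be read before the package is handed to pacman. It assumes a `tar` that auto-detects compression on read (GNU tar or bsdtar); Arch packages store the install script at the archive root under the name `.INSTALL`.

```shell
#!/bin/sh
# Added example: inspect the install script inside a built Arch package
# before installing it. Not code from the thread or from any project in it.
set -eu

# Exit 0 if the package archive carries a root-level .INSTALL member.
has_install_script() {
    tar -tf "$1" 2>/dev/null | grep -qx '\.INSTALL'
}

# Print the embedded install script to stdout (empty output if none).
install_script_of() {
    tar -xOf "$1" .INSTALL 2>/dev/null || true
}

# Build a constructed demo package (no network, no real AUR package).
# Pass 1 to include an install script, 0 to build a package without one.
build_demo_pkg() {
    with_install="${1:-1}"
    dir=$(mktemp -d)
    mkdir -p "$dir/root/usr/bin"
    printf '#!/bin/sh\necho demo\n' > "$dir/root/usr/bin/demo"
    printf 'pkgname = demo\npkgver = 1.0-1\n' > "$dir/root/.PKGINFO"
    members=".PKGINFO usr"
    if [ "$with_install" = 1 ]; then
        # Constructed install hook: note it runs with pacman's privileges.
        cat > "$dir/root/.INSTALL" <<'EOF'
post_install() {
    echo "post_install ran as $(id -un)"
}
EOF
        members=".PKGINFO .INSTALL usr"
    fi
    # shellcheck disable=SC2086  # members is a deliberate word list
    tar -czf "$dir/demo-1.0-1-any.pkg.tar.gz" -C "$dir/root" $members
    echo "$dir/demo-1.0-1-any.pkg.tar.gz"
}

# Review helper: report whether the package has an install script and show it.
review_package() {
    if has_install_script "$1"; then
        echo "== $1 carries an install script (runs as root at install time):"
        install_script_of "$1"
    else
        echo "== $1 carries no install script"
    fi
}

# Stand-alone demonstration on two constructed packages.
review_package "$(build_demo_pkg 1)"
review_package "$(build_demo_pkg 0)"
```

Running the script prints the constructed `post_install` hook for the first package and reports no install script for the second; pointing `review_package` at a real `.pkg.tar.xz` or `.pkg.tar.zst` works the same way as long as the local `tar` can read that compression.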
