[aur-general] Enforcing AUR package quality (was Re: Trusted user application: Drew DeVault)

alad alad at archlinux.org
Thu Feb 28 16:41:50 UTC 2019


On 28.02.2019 at 17:34, Jerome Leclanche wrote:
> On Thu, Feb 28, 2019 at 5:22 PM Daniel M. Capella via aur-general
> <aur-general at archlinux.org> wrote:
>> On February 28, 2019 8:58:06 AM EST, Jerome Leclanche <jerome at leclan.ch> wrote:
>>
>> <snip>
>>
>>> OT: We should maybe have the AUR lint PKGBUILDs on git push (and
>>> reject really bad ones) if we want to improve that situation.
>>>
>>> J. Leclanche
>> I've been thinking enforcing the use of makechrootpkg and namcap on package submission should be introduced, and maybe even on major (and minor?) version bumps for packages following semver. Inb4 yes I'm aware of the number of false-positives in namcap.
>>
>> --
>> Best,
>> polyzen
> Can we give namcap's outputs error codes and blacklist some of the
> false positives?
>
> I was mostly thinking about things that can be done just by static
> analysis of the PKGBUILD, rather than anything requiring packages to
> be built, so that they can be rejected immediately during git push.
> Things such as running mksrcinfo, verifying local sources (and their
> hashes), etc.
>
> J. Leclanche

That's the issue though: how do you do static analysis of a PKGBUILD - a 
random bash script which should include certain named functions and 
variables - without executing it? For example, mksrcinfo simply sources 
the PKGBUILD, i.e. evaluates it in bash.

The aura AUR helper has a side-project which tries to check PKGBUILDs 
for "security issues" in Haskell. I'm not sure how well this approach 
scales though.

https://github.com/aurapm/aura/blob/master/aura/lib/Aura/Pkgbuild/Security.hs
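As an added illustration of the distinction drawn above (checks that can be made by inspecting the PKGBUILD text versus ones that need bash to evaluate it), here is a small Python linter that is not part of this thread, of aura, or of the AUR. It only reads the file: it checks for the variables and package() function makepkg requires, compares source and checksum array lengths, lists local sources that would need to be pushed alongside the PKGBUILD, and flags lines (command substitution, eval, source) it cannot resolve without running them. The sample PKGBUILD is constructed for the example.

```python
import re
import shlex

# Constructed sample PKGBUILD (not from the thread or any real package).
SAMPLE_PKGBUILD = """\
pkgname=foo
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/foo-$pkgver.tar.gz"
        "foo.patch")
sha256sums=('SKIP')

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

REQUIRED_VARS = ("pkgname", "pkgver", "pkgrel", "arch")
# Constructs a lexical pass cannot resolve without running bash: report them, never evaluate.
DYNAMIC = re.compile(r"\$\(|`|\beval\b|^\s*(?:source|\.)\s")
SCALAR = re.compile(r"^(\w+)=(?!\()(.*)$", re.M)      # name=value at column 0
ARRAY = re.compile(r"^(\w+)=\((.*?)\)", re.M | re.S)   # name=(...) possibly multi-line
FUNC = re.compile(r"^(\w+)\s*\(\)\s*\{", re.M)         # name() {


def lint(text):
    """Findings from text inspection only; the PKGBUILD is never sourced or executed."""
    scalars = dict(SCALAR.findall(text))
    arrays = {k: shlex.split(v) for k, v in ARRAY.findall(text)}
    funcs = set(FUNC.findall(text))
    findings = []
    for var in REQUIRED_VARS:
        if var not in scalars and var not in arrays:
            findings.append(f"missing required variable: {var}")
    if "package" not in funcs:
        findings.append("missing package() function")
    sources = arrays.get("source", [])
    for name, vals in arrays.items():
        if name.endswith("sums") and len(vals) != len(sources):
            findings.append(f"{name} has {len(vals)} entries but source has {len(sources)}")
    for lineno, line in enumerate(text.splitlines(), 1):
        if DYNAMIC.search(line):
            findings.append(f"line {lineno}: needs evaluation to resolve: {line.strip()}")
    # Entries without a URL scheme are files that must be committed next to the PKGBUILD.
    local = [s for s in sources if "://" not in s]
    return {"findings": findings, "local_sources": local}
```

Anything flagged as needing evaluation is exactly what a push-time hook cannot decide safely; those packages would have to go through a full makechrootpkg/namcap run instead.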
