[aur-requests] [PRQ#9551] Deletion Request for spinach
Alad Wenter
alad at mailbox.org
Wed Oct 25 08:55:21 UTC 2017
> However, I at present do not believe spinach is "risky." It does not source
> the PKGBUILD directly. I do not think it will allow arbitrary code
> execution before viewing unless there is a method for executing code in a
> string in Bash other than with tick marks or $(...). I would easily be
> convinced that it is risky if I could find such an example. Note that such
> things are listed in a security section in the man page. Though, as you
> said, I could (and should) change this fairly easily to use a more modern
> method.
>
You're running executable code in the hopes that you've covered every possible case with an adhoc filter. That fits the definition of "risk" pretty well.
> In my view this discussion might be more suited as a bug report for spinach
> rather than a cause for deleting the package, but delete it if you wish.
>
When I filed the request I was looking at the git history, with the latest commit in 2014 (that's long before AUR 4). Since you as the author are ostensibly still alive, I've filed an issue with possible implementations:
https://github.com/floft/spinach/issues/2
More information about the aur-requests
mailing list