> Build scripts should not run sudo or anything similar. If it does that anyway, it’s wrong. At best, it’s a packaging error, as sudo shouldn’t be expected to work in a non-interactive environment like a build chroot. Sometimes a packager mistakenly tries to move package files into place instead of adding them to the package.
Something I've noticed over time is that security and quality are connected, not inherently but in that there's a lot of overlap. Reviewing an AUR package should include making sure that it doesn't use sudo and doesn't move files into place directly because that's a possible flag for malicious behavior. But equally, sudo is unreliable in the build environment ("sudo shouldn’t be expected to work in a non-interactive environment like a build chroot"), and trying to directly place files instead of packaging them means the package won't upgrade, downgrade, or uninstall cleanly, and won't properly attribute files when you ask the system what owns them. I don't know how well it generalizes, but heuristically I've moved toward viewing security and quality as sufficiently overlapping that they can be treated as a single area.
As someone who is an AUR maintainer with at least 150+ packages, I always dread seeing new AUR packages. A lot of people don't read the packaging guidelines, don't use tools like `namcap` and `extra-x86-64-build` to test their packages, nor do they read other PKGBUILDs to write their stuff. It's pure slop, and I have wasted too much of my time fixing shitty PKGBUILDs because I wanna use that piece of software
As someone who is a maintainer of a few packages, it’s actually really hard to find references for this stuff! The wiki is pretty bare when you start looking for specifics, and like you say there’s tons of crap pkgbuilds when you try to look at what others do.
"End-users need to read and understand shell scripts to make sure they're safe" is a completely unacceptable threat model. The way I see it installing software from the AUR is about as safe as installing software from the pirate bay. Nevertheless, this distribution keeps getting discussed and recommended to people, with the AUR often cited as a reason to use it.
I am really really weary of installing anything from "user" repos, whether it's AUR or Fedora copr. It feels like the wild west. Admittedly, maintainers of Debian packages could just as easily mess up or release something malicious, but I at least get the impression that the bar is higher...
7 comments
[ 5.7 ms ] story [ 23.4 ms ] threadSomething I've noticed over time is that security and quality are connected, not inherently but in that there's a lot of overlap. Reviewing an AUR package should include making sure that it doesn't use sudo and doesn't move files into place directly because that's a possible flag for malicious behavior. But equally, sudo is unreliable in the build environment ("sudo shouldn’t be expected to work in a non-interactive environment like a build chroot"), and trying to directly place files instead of packaging them means the package won't upgrade, downgrade, or uninstall cleanly, and won't properly attribute files when you ask the system what owns them. I don't know how well it generalizes, but heuristically I've moved toward viewing security and quality as sufficiently overlapping that they can be treated as a single area.
https://www.mh4ckt3mh4ckt1c4s.xyz/blog/aur-chaos-malware-ana...