Vexs 2 hours ago

> You have to review the source of every PKGBUILD from the AUR you install, full stop

I don't really think this is a solution: the usual workflow for these attacks has been to hide your payload in some dependency. This one is somewhat unusual in that it's just a very lazy `npm install` in the PKGBUILD. Pretty much every package repository even outside of AUR has this issue now, and it's not really viable to audit the entire dep chain by hand. Mind you, I don't have a solution either.

kpcyrd 2 hours ago | parent [-]

This is an "in addition to" problem though, not an "instead of" problem.

Having code-reviewed the PKGBUILD doesn't mean the upstream software is safe to use; having reviewed the upstream software and its dependency tree doesn't mean the PKGBUILD is safe to use.

dsp_person 36 minutes ago | parent [-]

Also, I have realized at some point that reviewing the PKGBUILD and the code in the GitHub repo still doesn't check whether the GitHub release files are compromised.
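The three gaps raised in this thread (a build-time `npm install` that bypasses `source=()`, a `SKIP` checksum that leaves a release file unverified, and a VCS source with no pinned commit) can be flagged mechanically before `makepkg` ever runs. The following linter is an added example, not code from the thread or from Arch/makepkg; it is a regex heuristic rather than a bash parser, and the `SAMPLE_PKGBUILD` it runs on is constructed, not a real AUR package.

```python
import re
# Commands that download code while the package is being built. makepkg only checksums
# what is listed in source=(), so anything fetched here is never covered by sha256sums=().
FETCH_PATTERNS = [
    r"\bnpm\s+(install|ci|i)\b", r"\byarn\b", r"\bpnpm\s+(install|i)\b",
    r"\bpip3?\s+install\b", r"\bgo\s+(get|mod\s+download)\b",
    r"\b(curl|wget)\b", r"\bgit\s+clone\b",
]
BUILD_FUNCS = r"^(prepare|build|check|package)\s*\(\)\s*\{\n(.*?)^\}"

def _array(text, name):
    """Return the quoted entries of a top-level bash array such as source=(...)."""
    m = re.search(r"^" + name + r"=\((.*?)\)", text, re.M | re.S)
    return re.findall(r"""['"]([^'"]*)['"]""", m.group(1)) if m else []

def lint_pkgbuild(text):
    """Return human-readable findings for one PKGBUILD (heuristic, not a full bash parser)."""
    findings = []
    # 1. Build-time network fetches (the 'lazy npm install' case).
    for m in re.finditer(BUILD_FUNCS, text, re.M | re.S):
        for line in m.group(2).splitlines():
            cmd = line.split("#", 1)[0].strip()
            if cmd and any(re.search(p, cmd) for p in FETCH_PATTERNS):
                findings.append(f"{m.group(1)}(): network fetch at build time: {cmd!r}")
    # 2. 'SKIP' turns off checksum verification for that source entry, so a swapped
    #    release file would go unnoticed even after the PKGBUILD and repo were reviewed.
    for i, s in enumerate(_array(text, "sha256sums"), 1):
        if s == "SKIP":
            findings.append(f"sha256sums[{i}] is SKIP: that source is never verified")
    # 3. VCS sources without #commit=/#tag= resolve to whatever HEAD is at build time.
    for src in _array(text, "source"):
        if ("git+" in src or src.startswith("git://")) and not re.search(r"#(commit|tag)=", src):
            findings.append(f"unpinned VCS source: {src}")
    return findings

# Constructed sample PKGBUILD (not a real AUR package) exhibiting all three problems.
SAMPLE_PKGBUILD = """\
pkgname=example-app
pkgver=1.2.3
source=("https://example.invalid/example-app-$pkgver.tar.gz"
        "git+https://example.invalid/helper.git")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
build() {
  cd "$pkgname-$pkgver"
  npm install
  npm run build
}
"""
```

A clean result from this check still says nothing about the upstream code or its dependency tree, which is the "in addition to" point made above.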