by craftkiller
4 days ago
> It adds npm as a dependency, to a go build?

Programs often invoke other programs through the exec* family of syscalls. For example, git is written in C but it ships with perl dependencies. It is not unreasonable to assume pass-cli added a runtime dependency on a program written in javascript. Regardless, we're talking hundreds of AUR packages have been compromised, I'd be shocked if none of them were javascript-based programs. Perhaps pass-cli was simply a bad example for me to choose.

> It changes the contributor email?

I think this is the 2nd most sus change, but even so, I have changed email addresses over the years so it isn't completely unreasonable.

> in /tmp?!

And yes, this is the most sus change.
No, this in no way or shape looks like installing a legitimate dependency to the target audience (expert users). This is a package manager, you don't install dependencies via post_install.
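The three signals argued over in the thread (a new runtime dependency, a changed maintainer/contributor email, and an install hook touching /tmp) are exactly the kind of thing a reviewer can check mechanically before a PKGBUILD update is accepted. The following is an added example, not code from the thread or from any AUR tooling: a small heuristic diff reviewer run over two constructed revisions of a hypothetical package. The package name, the `.install` hook contents and the suspicious-pattern list are all assumptions made for the example.

```python
"""Heuristic review of a PKGBUILD update (added example, not AUR tooling)."""
import re

# Constructed sample: an older and a newer revision of a hypothetical PKGBUILD.
OLD_PKGBUILD = """\
# Maintainer: Jane Doe <jane@example.org>
pkgname=example-cli
pkgver=1.0.0
pkgrel=1
depends=('go')
"""

NEW_PKGBUILD = """\
# Maintainer: Jane Doe <jane@other-example.net>
pkgname=example-cli
pkgver=1.0.1
pkgrel=1
depends=('go' 'npm')
install=example-cli.install
"""

# Constructed sample .install script shipped with the new revision.
NEW_INSTALL = """\
post_install() {
  mkdir -p /tmp/.cache
  cp /usr/share/example-cli/bootstrap.js /tmp/.cache/
  npm exec -- node /tmp/.cache/bootstrap.js
}
"""

DEP_ARRAYS = ("depends", "makedepends", "optdepends", "checkdepends")
HOOKS = ("pre_install", "post_install", "pre_upgrade", "post_upgrade",
         "pre_remove", "post_remove")
# Assumed red-flag patterns for install hooks: a package manager installs files
# under $pkgdir, so hooks have little reason to touch scratch space or fetch code.
SUSPICIOUS_HOOK_PATTERNS = (r"/tmp/", r"/dev/shm", r"\bcurl\b", r"\bwget\b",
                            r"\bbase64\b", r"\beval\b", r"\bnpm\b", r"\bnode\b")


def parse_array(pkgbuild: str, name: str) -> set[str]:
    """Return the quoted entries of a bash array such as depends=('a' 'b')."""
    m = re.search(rf"^{name}=\((.*?)\)", pkgbuild, re.M | re.S)
    return set(re.findall(r"""['"]([^'"]+)['"]""", m.group(1))) if m else set()


def maintainer_emails(pkgbuild: str) -> set[str]:
    """Collect the addresses from '# Maintainer:' and '# Contributor:' lines."""
    return set(re.findall(r"^#\s*(?:Maintainer|Contributor):[^<\n]*<([^>\n]+)>",
                          pkgbuild, re.M))


def hook_bodies(install_script: str) -> dict[str, str]:
    """Map each pacman hook function name to the text of its body."""
    funcs = re.findall(r"^(\w+)\s*\(\)\s*\{(.*?)^\}", install_script, re.M | re.S)
    return {name: body for name, body in funcs if name in HOOKS}


def review(old_pkgbuild: str, new_pkgbuild: str, new_install: str = "") -> list[str]:
    """Return human-readable findings for a reviewer; an empty list means no flags."""
    findings = []
    for arr in DEP_ARRAYS:
        for dep in sorted(parse_array(new_pkgbuild, arr) - parse_array(old_pkgbuild, arr)):
            findings.append(f"new entry in {arr}: {dep}")
    old_mail, new_mail = maintainer_emails(old_pkgbuild), maintainer_emails(new_pkgbuild)
    if old_mail != new_mail:
        findings.append(f"maintainer/contributor email changed: "
                        f"{sorted(old_mail)} -> {sorted(new_mail)}")
    if re.search(r"^install=", new_pkgbuild, re.M) and not re.search(r"^install=", old_pkgbuild, re.M):
        findings.append("install script introduced")
    for hook, body in hook_bodies(new_install).items():
        for line in body.splitlines():
            for pat in SUSPICIOUS_HOOK_PATTERNS:
                if re.search(pat, line):
                    findings.append(f"{hook}: {pat} in {line.strip()!r}")
                    break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for finding in review(OLD_PKGBUILD, NEW_PKGBUILD, NEW_INSTALL):
        print(finding)
```

Run against the constructed revisions, this reports the added `npm` dependency, the changed maintainer address, the newly introduced install script and each `post_install` line that references /tmp. The point is not that any single flag proves compromise (the thread itself argues an email change can be innocent) but that a reviewer should see all three at once and ask why a package manager hook is doing work outside `$pkgdir`.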