[bawolff]

And what if upstream is problematic? Even if it stops this particular attack, reading just the AUR file feels like fighting yesterday's war. I don't think advice to the effect of, just read the parts of the code that have been used in attacks in the past but blindly trust everything else, makes a lot of sense.

[exceptione]

  > And what if upstream is problematic? 

That would be the same problem for official packages. Unless I am mistaken, the difference between maintainers for the official repos versus AUR, is that the former is a trusted/vetted person. But afaik, they also just package upstream software. I doubt they will read through tons of commits to see if there might be anything nefarious there.

It would be better if software would be forced to have something like a very advanced manifest file, with requested permissions. Malware has to eventually communicate with endpoints, so a declared whitelist of endpoints should definitely be part of such a manifest. Some wrapper program could set up a namespaces that allows just what is requested. Any software that requires `endpoints = [.*]` would make it obvious to the user that it is a really dangerous piece of software. Your code editor should not ship like that.

The first thing I can think of in this direction is flatpak, but that is really coarse grained, with defaults that are very lax. Also flatpak-like solutions do not expose an api to the wrapped application, which is both a pro and a con (a con when you consider installing application plugins requiring further permissions).

[Hackbraten]

> And what if upstream is problematic?

Then don’t install the package.

It’s on you to decide whether you trust upstream or not.

You’re free to use any scanner you want on the upstream sources if it makes you feel safer. (I’m currently working on a makepkg extension that allows just that.)

The core and extra repos are curated, and every package maintainer is doing their due diligence (and more) to protect the users. But on the AUR, nobody is going to do that work for you.

[exceptione]

> doing their due diligence (and more)

Do you know how? This sounds like an unpractical high amount of time consuming task.

[embedding-shape]

It really isn't, made a short tutorial just for you (and other's): https://news.ycombinator.com/item?id=48518704

[prmoustache]

> And what if upstream is problematic?

The same as when you install any software on macos or windows, even proprietary ones, that may themselves depend on third party libraries.

At every stage of development there is a possibility of malicious code being introduced.