
#1 2015-11-28 10:34:29

old_boots
Member
Registered: 2015-09-07
Posts: 5

How to check PKGBUILD when installing from AUR

I'm inexperienced in installing from the AUR. I read on the wiki:

Warning: Carefully check all files. cd to the newly created directory and carefully check the PKGBUILD and any .install file for malicious commands. PKGBUILDs are bash scripts containing functions to be executed by makepkg: these functions can contain any valid commands or Bash syntax, so it is totally possible for a PKGBUILD to contain dangerous commands through malice or ignorance on the part of the author. Since makepkg uses fakeroot (and should never be run as root), there is some level of protection but you should never count on it. If in doubt, do not build the package and seek advice on the forums or mailing list.

Could more experienced users offer some additional insight here? I understand bash scripts can do bad things, and I'd be dumb to run a PKGBUILD containing the line

rm -rf /

But are there any other red flags to look out for? Like, actually malicious PKGBUILDs that people have encountered? Or perhaps, if the script is more than X lines long that would be very rare and deserve extra scrutiny.


#2 2015-11-28 10:58:30

boban_dj
Member
Registered: 2015-03-17
Posts: 150

Re: How to check PKGBUILD when installing from AUR

It's good to read about makepkg https://wiki.archlinux.org/index.php/Makepkg to take your fear away and understand PKGBUILDs.
I never encountered anything malicious from the AUR. If in doubt, read the PKGBUILD before you install?


#3 2015-11-28 11:13:29

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: How to check PKGBUILD when installing from AUR

@old_boots, here are a couple of points to help you out.

* You need to be proficient with bash.
* Make sure to not use any AUR helper which fully automates installation, otherwise you wouldn't get to inspect the contents.
* Verify that the packages are being downloaded from legitimate upstream sources.
* If there is any patch included, be sure to inspect that.

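The points above (read the PKGBUILD and any .install file, check that sources come from the legitimate upstream, inspect included patches) can be turned into a first-pass review aid. The script below is an added example written for this thread; it is not from the Arch wiki, makepkg, or any AUR helper. It greps a PKGBUILD for things a reviewer should read closely: sources fetched over plain http/ftp, checksums set to SKIP, `curl | sh` style download-and-execute, `rm -rf` on absolute paths, sudo/setuid bits, writes to system directories that bypass `$pkgdir`, obfuscation (base64, eval), and any patch or install= file that also needs reading. The rule list and the sample PKGBUILD it runs against are constructed for illustration (the package, URLs and file names are not real); a hit is a prompt to look, not a verdict, and a clean run does not make a package safe.

```shell
#!/bin/sh
# Heuristic PKGBUILD review aid (added example, not makepkg's own checks).
# Each finding is printed as "<line>:<rule>:<matching line>".

# rule NAME PATTERN: grep the file under review with an ERE and tag hits.
rule() {
    name="$1"; pattern="$2"
    grep -nE -- "$pattern" "$f" | sed "s/^\([0-9][0-9]*\):/\1:$name:/"
}

# audit_pkgbuild FILE: print all findings for one PKGBUILD.
audit_pkgbuild() {
    f="$1"
    # Sources fetched without TLS can be tampered with in transit.
    rule plain-http '(http|ftp)://'
    # SKIP disables integrity checking (legitimate for VCS sources, so read it).
    rule checksum-skip '[^[:alnum:]_]SKIP([^[:alnum:]_]|$)'
    # Download-and-execute: nothing in the PKGBUILD shows what actually runs.
    rule pipe-to-shell '(curl|wget)[^|]*\|[[:space:]]*(ba|z|da|k)?sh([[:space:]]|$)'
    # rm -r on /, ~ or $HOME instead of inside $srcdir/$pkgdir.
    rule destructive-rm 'rm[[:space:]]+-[[:alpha:]]*[rR][[:alpha:]]*[[:space:]]+("?\$HOME|~|/)'
    # Privilege escalation or setuid/setgid bits: makepkg should never need these.
    rule privilege '(^|[^[:alnum:]_])(sudo|su|doas)[[:space:]]|chmod[[:space:]]+([ug]*[+=][rwx]*s|[2-7][0-7]{3})'
    # Bare system paths not prefixed by "$pkgdir" (a quote, } or = before / is fine).
    rule outside-build-dirs '(^|[^"'"'"'}=[:alnum:]_])/(etc|usr|bin|sbin|var|root|home|opt)/'
    # Encoded or dynamically evaluated commands hide what the script does.
    rule obfuscation 'base64[[:space:]]+(-d|--decode)|eval[[:space:]]|xxd[[:space:]]+-r|\\x[0-9a-fA-F]{2}'
    # Reminders: these files run too, so they need the same reading.
    rule install-script '^install='
    rule patch-file '\.(patch|diff)'
}

# finding_count FILE: number of findings (0 when clean).
finding_count() {
    audit_pkgbuild "$1" | grep -c . || true
}

# make_sample_pkgbuild: write a constructed PKGBUILD to a temp file, print its path.
# The package, URLs and file names are invented for this example.
make_sample_pkgbuild() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
# Maintainer: example (constructed sample, not a real AUR package)
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
url="https://example.invalid/example-tool"
license=('MIT')
install=example-tool.install
source=("http://mirror.invalid/example-tool-$pkgver.tar.gz"
        "fix-build.patch")
sha256sums=('SKIP'
            'SKIP')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  patch -p1 < ../fix-build.patch
  ./configure --prefix=/usr
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  curl -s https://example.invalid/post-install.sh | sh
  install -Dm755 helper /usr/local/bin/helper
}
EOF
    printf '%s\n' "$t"
}

# Usage: sh audit.sh [PKGBUILD]; with no argument the constructed sample is audited.
if [ "$#" -gt 0 ]; then
    audit_pkgbuild "$1"
else
    sample=$(make_sample_pkgbuild)
    audit_pkgbuild "$sample"
    rm -f "$sample"
fi
```

Run it against the sample and it reports the plain-http source, both SKIP checksums, the `curl | sh` line, the install into /usr/local that bypasses `$pkgdir`, and the install= and .patch files to open next; the `--prefix=/usr` and `DESTDIR="$pkgdir"` lines are deliberately not flagged. The patterns are deliberately loose: a false positive costs a few seconds of reading, a miss costs far more, and the .install file and patches still have to be read by hand.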
