
#1 2013-08-28 09:34:43

darrenldl
Member
Registered: 2013-06-04
Posts: 28

[SOLVED] Is using AUR safe? (particularly using yaourt )

Hi,

I've been using AUR to compile certain packages, such as psad, lynis, and I often use yaourt to achieve that.

I recognize there's an array of hashes in PKGBUILD which ensures the integrity of downloaded files,
but I don't see any mechanism to ensure the PKGBUILD is intact during transfer, unlike official packages
which are signed by keys.

So are you guys concerned about PKGBUILD being corrupted or modified, and as a consequence leading to your
system being compromised?

Last edited by darrenldl (2013-08-28 09:45:36)

Offline

#2 2013-08-28 09:39:27

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,837

Re: [SOLVED] Is using AUR safe? (particularly using yaourt )

From the AUR Home Page:

DISCLAIMER
Unsupported packages are user produced content. Any use of the provided files is at your own risk.

So yes, you should be concerned. The way to address this is to read every PKGBUILD before you do anything with it.

Offline
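A small checker for the hash array darrenldl mentions, added here as an example and not code from the thread or from makepkg; the sample PKGBUILD and file contents are constructed, and the array parser is a simplification of what makepkg does. It also shows why tomk's advice stands: the hashes bind the downloaded sources, not the PKGBUILD, so a PKGBUILD edited together with matching hashes still verifies cleanly.

```python
"""Verify a PKGBUILD's sha256sums against local source files."""
import hashlib
import re

# Constructed sample PKGBUILD (not a real AUR package).
PKGBUILD = """
pkgname=example
pkgver=1.0
source=('http://example.invalid/example-1.0.tar.gz' 'example.patch')
sha256sums=('2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'
            'SKIP')
"""

# Constructed stand-ins for what makepkg/yaourt would have downloaded.
SAMPLE_FILES = {"example-1.0.tar.gz": b"hello", "example.patch": b"--- a\n+++ b\n"}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def parse_bash_array(text, name):
    """Elements of a simple bash array assignment name=(...).

    Simplified: single/double quoted words only, no arch-specific
    arrays, no variable expansion.
    """
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    if not m:
        return []
    return [word.strip("'\"") for word in m.group(1).split()]

def verify_sources(pkgbuild, files):
    """Return {filename: 'OK' | 'FAIL' | 'SKIP'} for each source entry.

    files maps local filename -> bytes. A 'SKIP' entry is accepted
    without checking, exactly as makepkg does.
    """
    sources = parse_bash_array(pkgbuild, "source")
    sums = parse_bash_array(pkgbuild, "sha256sums")
    results = {}
    for src, expected in zip(sources, sums):
        # 'localname::url' takes the local name; otherwise the URL basename.
        name = src.split("::")[0].rsplit("/", 1)[-1]
        if expected == "SKIP":
            results[name] = "SKIP"
            continue
        results[name] = "OK" if sha256_hex(files.get(name, b"")) == expected else "FAIL"
    return results

if __name__ == "__main__":
    print(verify_sources(PKGBUILD, SAMPLE_FILES))
```

Note that a source whose checksum is listed as SKIP is never checked at all, which is one more thing to look for when reading the PKGBUILD.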

#3 2013-08-28 09:45:07

darrenldl
Member
Registered: 2013-06-04
Posts: 28

Re: [SOLVED] Is using AUR safe? (particularly using yaourt )

Alright...

I wish at least some network intrusion detection system were officially supported.

Thanks.

Offline

#4 2013-08-28 09:52:15

progandy
Member
Registered: 2012-05-17
Posts: 2,146

Re: [SOLVED] Is using AUR safe? (particularly using yaourt )

darrenldl wrote:

Alright...

I wish at least some network intrusion detection system were officially supported.

Thanks.

You can download from the AUR with https. Make sure the connection uses the right certificate, and you know that at least the transfer was secure (you could still get transfer errors, but no deliberate manipulations).

Offline

#5 2013-08-28 09:52:21

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,162
Website

Re: [SOLVED] Is using AUR safe? (particularly using yaourt )

darrenldl wrote:

Hi,

I've been using AUR to compile certain packages, such as psad, lynis, and I often use yaourt to achieve that.

I recognize there's an array of hashes in PKGBUILD which ensures the integrity of downloaded files,
but I don't see any mechanism to ensure the PKGBUILD is intact during transfer, unlike official packages
which are signed by keys.

So are you guys concerned about PKGBUILD being corrupted or modified, and as a consequence leading to your
system being compromised?

If you're really that concerned about PKGBUILDs being intact when you install something from the AUR, you should be checking the PKGBUILD yourself.


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository

Offline

#6 2013-08-28 09:52:40

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 3,721

Re: [SOLVED] Is using AUR safe? (particularly using yaourt )

http://grsecurity.net/

Btw. The PKGBUILD is not all that you should worry about, upstream source can be compromised too, as shown multiple times, eg with unrealircd.

Last edited by Mr.Elendig (2013-08-28 09:53:48)


Evil #archlinux@freenode channel op and general support dude.
. files on github, Screenshots, Random pics and the rest

Offline
