You are not logged in.
- Topics: Active | Unanswered
#1 2013-08-28 09:34:43
- darrenldl
- Member
- Registered: 2013-06-04
- Posts: 31
[SOLVED] Is using AUR safe? (particularly using yaourt )
Hi,
I've been using AUR to compile certain packages, such as psad, lynis, and I often use youart to achieve that.
I recognize there's an array of hashes in PKGBUILD which ensures the integrity of downloaded files,
but I don't see any mechanism to ensure the PKGBUILD is intact during transfer, unlike official packages
which are signed by keys.
So are you guys concerned about PKGBUILD being corrupted or modified, and as a conseqence leading your
system compromised?
Last edited by darrenldl (2013-08-28 09:45:36)
Offline
#2 2013-08-28 09:39:27
- tomk
- Forum Fellow
- From: Ireland
- Registered: 2004-07-21
- Posts: 9,839
Re: [SOLVED] Is using AUR safe? (particularly using yaourt )
From the AUR Home Page:
DISCLAIMER
Unsupported packages are user produced content. Any use of the provided files is at your own risk.
So yes, you should be concerned. The way to address this is to read every PKGBUILD before you do anything with it.
Offline
#3 2013-08-28 09:45:07
- darrenldl
- Member
- Registered: 2013-06-04
- Posts: 31
Re: [SOLVED] Is using AUR safe? (particularly using yaourt )
Alright...
I wish at least some network intrusion detection system is officially supported.
Thanks.
Offline
#4 2013-08-28 09:52:15
- progandy
- Member
- Registered: 2012-05-17
- Posts: 5,190
Re: [SOLVED] Is using AUR safe? (particularly using yaourt )
Alright...
I wish at least some network intrusion detection system is officially supported.
Thanks.
You can download from the AUR with https. Make sure the connection uses the right certificate and you know that at least the transfer was secure (you could still get transfer errors, but no deliberate manipulations)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
#5 2013-08-28 09:52:21
- clfarron4
- Member
- From: London, UK
- Registered: 2013-06-28
- Posts: 2,163
- Website
Re: [SOLVED] Is using AUR safe? (particularly using yaourt )
Hi,
I've been using AUR to compile certain packages, such as psad, lynis, and I often use youart to achieve that.
I recognize there's an array of hashes in PKGBUILD which ensures the integrity of downloaded files,
but I don't see any mechanism to ensure the PKGBUILD is intact during transfer, unlike official packages
which are signed by keys.So are you guys concerned about PKGBUILD being corrupted or modified, and as a conseqence leading your
system compromised?
If you're really that concerned about PKGBUILDs being intact when you install something from the AUR, you should be checking the PKGBUILD yourself.
Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository
Offline
#6 2013-08-28 09:52:40
- Mr.Elendig
- #archlinux@freenode channel op
- From: The intertubes
- Registered: 2004-11-07
- Posts: 4,092
Re: [SOLVED] Is using AUR safe? (particularly using yaourt )
Btw. The PKGBUILD is not all that you should worry about, upstream source can be compromised too, as shown multiple times, eg with unrealircd.
Last edited by Mr.Elendig (2013-08-28 09:53:48)
Evil #archlinux@libera.chat channel op and general support dude.
. files on github, Screenshots, Random pics and the rest
Offline