According to the wiki,
Carefully check the PKGBUILD, any .install files, and any other files in the package's git repository for malicious or dangerous commands
How do I go about verifying the validity of binary files or image files?
Last edited by ThoughtBubble (2024-10-27 23:11:21)
According to the wiki,
Carefully check the PKGBUILD, any .install files, and any other files in the package's git repository for malicious or dangerous commands
How do I go about verifying the validity of binary files or image files?
Check those files against hashes provided from upstream. I do not think the AUR should be abused to distribute binary files at all. Do you have an example?
In my opinion, you should check the source code on GitHub if you are suspicious about an application, whether it’s a binary or if you prefer to compile the binary yourself during the installation process. A general rule I follow is to look at the number of stars on a project. If it has a significant number of stars, I consider installing it; if not, there’s no harm in not installing it.
I do not think the AUR should be abused to distribute binary files at all. Do you have an example?
Not for binary, specifically. Librewolf has a PNG file.
In my opinion, you should check the source code on GitHub if you are suspicious about an application, whether it’s a binary or if you prefer to compile the binary yourself during the installation process. A general rule I follow is to look at the number of stars on a project. If it has a significant number of stars, I consider installing it; if not, there’s no harm in not installing it.
In your opinion, what would be a sufficient amount of stars? Should I also take the popularity metric from the AUR search results into account?
Last edited by ThoughtBubble (2024-10-07 17:46:39)
There are several different flavors of validation / security that are relevant for AUR packages and they should not be mixed up. The quote from your initial post is encouraging users to ensure no build scripts are doing anything inappropriate. Makepkg does not source / parse / execute a png file at all, so that is simply not relevant. A malicious file could be named with a .png extension, but the only way it could do anything is if the PKGBUILD or .install file explicitly sourced or executed it - so seeing a "/bin/sh notreallyimage.png" would be a concern. But you'd see this when you inspected the PKGBUILD and install file.
So for the concerns addressed by that quote, nothing but the files sourced or used by makepkg / pacman are relevant.
Other security concerns would apply to the image file, but these are addressed via other means (including the checksum and an implicit degree of trust of the maintainer of the package).
That said, images generally should not be uploaded to the AUR. An icon not available elsewhere might be a grey zone and almost an exception. Really though, if it's just an icon, it should be trivial to find a copy of it on the web somewhere and use that URL rather than the image itself.
Last edited by Trilby (2024-10-07 18:53:47)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
ThoughtBubble wrote: According to the wiki,
Carefully check the PKGBUILD, any .install files, and any other files in the package's git repository for malicious or dangerous commands
How do I go about verifying the validity of binary files or image files?
Check those files against hashes provided from upstream. I do not think the AUR should be abused to distribute binary files at all. Do you have an example?
This refers to those sha512/sha256 sums, correct? What commands do I type in to check my file against my hash?
sha512 and sha256 are each executables to do just that. But again, you're really barking up the wrong tree here. Makepkg checks the validity of these files for you already. There is no reason to do this manually.
sha512 and sha256 are each executables to do just that. But again, you're really barking up the wrong tree here. Makepkg checks the validity of these files for you already. There is no reason to do this manually.
I want to manually enter the source URL on my browser to download a .tar file. Then I want to examine the contents inside safely.
The reason why I want to do this is because the official repository is hosted in one place, but this source file comes from another place.
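For the question of how to check a hand-downloaded source file against the sha256 digest listed in a PKGBUILD, and for Trilby's point that only files the PKGBUILD or .install scripts actually source or execute matter, here is an added example (not code from the thread or from the Arch project). It reproduces by hand the checksum step makepkg performs, lists an archive's contents without extracting it, and greps the build scripts for lines that run another file. It assumes GNU coreutils (sha256sum, mktemp), grep, sed and a POSIX tar; the tarball and PKGBUILD it works on are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Arch project: the manual
# equivalent of the checks makepkg performs, for someone who fetched a source
# tarball by hand and wants to look at it before building.
# Assumed tools: GNU coreutils (sha256sum, mktemp), grep, sed, a POSIX tar.

# Compare a file's SHA-256 with the digest listed in the PKGBUILD's sha256sums.
# Returns 0 on match, 1 on mismatch.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file"
    echo "  expected $expected"
    echo "  actual   $actual"
    return 1
}

# Inspect an archive without extracting it: list its members, and flag any
# with an absolute path or a '..' component (they would land outside the
# build directory when extracted).
list_archive() {
    tar -tf "$1"
}
suspicious_members() {
    tar -tf "$1" | grep -E '^/|(^|/)\.\.(/|$)' || true
}

# Only files the PKGBUILD or .install scripts source or execute matter.
# Print lines in those scripts that run another file, e.g.
# "/bin/sh notreallyimage.png". A coarse grep, not a shell parser.
scan_build_scripts() {
    dir="$1"
    for f in "$dir/PKGBUILD" "$dir"/*.install; do
        [ -f "$f" ] || continue
        grep -nE '(^|[;&|[:space:]])(source|\.|sh|bash|exec|/bin/sh|/bin/bash)[[:space:]]+[^[:space:]]' "$f" \
            | sed "s|^|$f:|" || true
    done
}

# Constructed fixtures so the example runs offline: a small tarball and a
# PKGBUILD containing one line of the kind described above.
make_demo_archive() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src/demo-1.0"
    echo "constructed sample file" > "$dir/src/demo-1.0/hello.txt"
    tar -cf "$dir/demo-1.0.tar" -C "$dir/src" demo-1.0
    echo "$dir/demo-1.0.tar"
}
make_demo_pkgdir() {
    dir=$(mktemp -d)
    printf '%s\n' 'pkgname=demo' 'pkgver=1.0' \
        'source=("demo-1.0.tar" "notreallyimage.png")' \
        'package() { /bin/sh notreallyimage.png; }' > "$dir/PKGBUILD"
    echo "$dir"
}

demo() {
    archive=$(make_demo_archive)
    pkgdir=$(make_demo_pkgdir)
    # In practice the expected digest is the sha256sums entry from the PKGBUILD;
    # here it is computed from the constructed file so the match case runs.
    expected=$(sha256sum "$archive" | cut -d' ' -f1)
    verify_sha256 "$archive" "$expected"
    verify_sha256 "$archive" "0000000000000000000000000000000000000000000000000000000000000000" || true
    echo "archive members:"; list_archive "$archive"
    echo "suspicious members: $(suspicious_members "$archive")"
    echo "build-script lines that execute a file:"; scan_build_scripts "$pkgdir"
}
demo
```

To use it on a real package, replace the constructed fixtures: pass the downloaded tarball and the digest copied from the PKGBUILD's sha256sums array to verify_sha256, and the cloned AUR directory to scan_build_scripts. As the thread says, makepkg does the checksum comparison itself; the script only makes that step visible for a file you fetched outside of it.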
I'm not sure how that comment has any relevance to what you quoted. Makepkg will run the checksums for you. Why would you go through all these manual steps to end up doing exactly what makepkg will do with a single command?
I finally understand what you are saying. I just need to run the makepkg command.