Hi,
First Submitted: Thu, 06 Dec 2007 16:55:19 +0000
gnubg 20090412-1 : Backgammon
( Unsupported package: Potentally dangerous ! )
==> Edit the PKGBUILD (highly recommended for security reasons) ? [Y/n]("A" to abort)
==> ----------------------------------------------
==>
What am I supposed to do about it?
I believe it tries to say that blindly (i.e. without checking PKGBUILDs and .install files) installing software from AUR isn't a good idea.
Last edited by lucke (2009-06-09 15:00:54)
I believe it tries to say that blindly (i.e. without checking PKGBUILDs and .install files) installing software from AUR isn't a good idea.
Ah... What am I supposed to spot there? Trojan's banner?
Things like "rm -rf /"?
Ah... What am I supposed to spot there? Trojan's banner?
rm -rf /
in the build function for example ;-)
in the build function for example ;-)
It would have to be in the .install file to do any tangible harm unless you run makepkg as root for some strange reason.. although I'm sure the package would be a dud anyway if they did put that in the PKGBUILD.
Last edited by tdy (2009-06-09 19:06:44)
Army wrote: in the build function for example ;-)
It would have to be in the .install file to do any tangible harm unless you run makepkg as root for some strange reason.. although I'm sure the package would be a dud anyway if they did put that in the PKGBUILD.
Of course you are right ;-) But I would hate to lose all my files in home ;-)
I'm not sure how fakeroot is supposed to work, but I did manage to delete a dir in / from within build().
On top of the install files, it's always a good idea to know where software is coming from. Anyone can submit anything to AUR with sources that are malware, knowingly or not. There's a very real risk of users voluntarily installing rogue software, and as Linux becomes more popular, we'll see more and more repos full of this garbage.
*** The greatest risk that Linux will become like Windows comes from its user base ***
On top of the install files, it's always a good idea to know where software is coming from. Anyone can submit anything to AUR with sources that are malware, knowingly or not. There's a very real risk of users voluntarily installing rogue software, and as Linux becomes more popular, we'll see more and more repos full of this garbage.
That's obvious. The question is, how much can I see looking into a port from AUR. What kind of effort is worth putting into it?
What kind of effort is worth putting into it?
well that's a question only you can answer.. the amount of effort depends on how safe you want to be..
I'm not sure how fakeroot is supposed to work, but I did manage to delete a dir in / from within build().
From the fakeroot man page:
fakeroot runs a command in an environment wherein it appears to have root privileges for file manipulation.
Fakeroot only makes you appear to have root privileges. A PKGBUILD could potentially destroy anything that your user has access to.
If you want complete peace of mind, you should build under a special build user that doesn't have access to anything important.
I think that if we keep diligent on security there'll be less motivation for people to submit malicious PKGBUILDs. If we're soft on security, then it'll be easier to affect the system, and there may be more motivation to create bad PKGBUILDs.
What you really want to spot, is stupid things in the PKGBUILDs like:
rm -r /usr/include/foobar/*
cp $srcdir/foobar.so /usr/lib/foobar.so.5
instead of:
rm -r $pkgdir/usr/include/foobar/*
cp $srcdir/foobar.so $pkgdir/usr/lib/foobar.so.5
Evil #archlinux@libera.chat channel op and general support dude.
. files on github, Screenshots, Random pics and the rest
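A quick pre-makepkg check for the mistake shown in the last post (file operations on absolute paths instead of paths rooted in $pkgdir or $srcdir), added here as an example and not taken from this thread or from any Arch tool; the check_pkgbuild function and the sample PKGBUILD it scans are constructed for illustration.

```sh
#!/bin/sh
# Scan a PKGBUILD for rm/cp/mv/install/chmod/chown commands whose arguments are
# absolute paths (not rooted in $pkgdir or $srcdir). Prints "N: command" for each
# hit and returns 1 if anything was found, 0 otherwise. Hypothetical helper.
check_pkgbuild() {
    found=0; n=0
    set -f   # no globbing while we split lines into words ("/usr/include/foo/*")
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        stripped="${line#"${line%%[![:space:]]*}"}"   # drop leading blanks
        case "$stripped" in
            \#*) continue ;;                           # comment line
            rm\ *|cp\ *|mv\ *|install\ *|chmod\ *|chown\ *) ;;
            *) continue ;;                             # not a file operation
        esac
        for word in $stripped; do
            word=${word#\"}; word=${word#\'}            # ignore a leading quote
            case "$word" in
                /*) echo "$n: $stripped"; found=1; break ;;   # absolute path
            esac
        done
    done < "$1"
    set +f
    return $found
}
# Constructed sample PKGBUILD: lines 7 and 12 contain the mistake; the
# $pkgdir-rooted commands and the configure/make lines are fine.
sample_pkgbuild() {
    cat <<'EOF'
pkgname=foobar
pkgver=1.0
build() {
  cd "$srcdir/$pkgname-$pkgver"
  ./configure --prefix=/usr
  make
  rm -r /usr/include/foobar/*
}
package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  cp $srcdir/foobar.so /usr/lib/foobar.so.5
  install -Dm644 README "$pkgdir/usr/share/doc/foobar/README"
}
EOF
}
tmp=$(mktemp); sample_pkgbuild > "$tmp"
check_pkgbuild "$tmp" || echo "-> review these lines before running makepkg"
rm -f "$tmp"
```

This only catches the careless absolute-path case; it says nothing about what the sources themselves contain or what the .install file does.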