1 comments

  • yjftsjthsd-h 1 hour ago
    > Build scripts should not run sudo or anything similar. If it does that anyway, it’s wrong. At best, it’s a packaging error, as sudo shouldn’t be expected to work in a non-interactive environment like a build chroot. Sometimes a packager mistakenly tries to move package files into place instead of adding them to the package.

    Something I've noticed over time is that security and quality are connected, not inherently but in that there's a lot of overlap. Reviewing an AUR package *should* include making sure that it doesn't use sudo and doesn't move files into place directly because that's a possible flag for malicious behavior. But equally, sudo is unreliable in the build environment ("sudo shouldn’t be expected to work in a non-interactive environment like a build chroot"), and trying to directly place files instead of packaging them means the package won't upgrade, downgrade, or uninstall cleanly, and won't properly attribute files when you ask the system what owns them. I don't know how well it generalizes, but heuristically I've moved toward viewing security and quality as sufficiently overlapping that they can be treated as a single area.
    • idle_zealot 9 minutes ago
      > I've moved toward viewing security and quality as sufficiently overlapping that they can be treated as a single area.

      Quality implies knowledge, understanding, and the willingness to use them. Security is the same, but for the narrowed domain of security best-practices and common vulnerabilities. It's possible for something superficially high-quality to be insecure, but that implies that whoever made it either has extremely lopsided experience, or left the vulnerabilities in intentionally or knowingly. Of course, security is a particularly tricky domain, so even a fairly talented and good-intentioned developer is likely to make some missteps. Those missteps, I'd say, qualify as lapses in quality. I'd be damned surprised, on the other hand, to find that something low-quality is secure, and would assume that any such security is the product of a happy accident or sheer simplicity of the software, and is more likely than not to be lost as it grows and changes.
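The two checks the first comment says an AUR review *should* include (no sudo in the build script, no moving files into place instead of installing them under `$pkgdir`) can be mechanised as a first-pass heuristic. The script below is an added example, not code from the thread, the linked article, or any Arch/AUR tooling; the `check_pkgbuild` function, its regex, the list of file-placing commands it inspects, and both sample PKGBUILDs are constructed for illustration and will produce false positives and negatives on real packages (it does not parse shell, it only splits lines into words).

```shell
#!/bin/sh
# Added example (not from the linked article or any AUR tooling): a reviewer's
# heuristic scan of a PKGBUILD for the two red flags raised in the thread:
#   1. privilege escalation (sudo/doas) inside the build script, and
#   2. install/cp/mv/ln/mkdir whose last argument is an absolute system path
#      rather than a path under "$pkgdir".
# Prints one "file:line: message" per finding; returns 0 when clean, 1 otherwise.
check_pkgbuild() {
    local file="$1" findings=0 lineno=0 line cmd dest w
    local sudo_re='(^|[[:space:];&|(])(sudo|doas)([[:space:]]|$)'
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%[[:space:]]#*}            # drop trailing comments
        set -f                                 # no globbing while word-splitting
        set -- $line
        set +f
        [ $# -gt 0 ] || continue               # blank line
        cmd=$1
        case "$cmd" in \#*) continue ;; esac   # whole-line comment
        if printf '%s\n' "$line" | grep -Eq "$sudo_re"; then
            printf '%s:%d: privilege escalation in build script: %s\n' "$file" "$lineno" "$*"
            findings=$((findings + 1))
        fi
        case "$cmd" in
            install|cp|mv|ln|mkdir)
                for w in "$@"; do dest=$w; done            # last argument = destination
                dest=$(printf '%s' "$dest" | tr -d '"'"'")  # so "$pkgdir"/x reads as $pkgdir/x
                case "$dest" in
                    /*)
                        printf '%s:%d: writes to %s outside $pkgdir: %s\n' "$file" "$lineno" "$dest" "$*"
                        findings=$((findings + 1)) ;;
                esac ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Constructed samples (hypothetical package; not a real AUR submission).
GOOD_PKGBUILD=$(mktemp)
BAD_PKGBUILD=$(mktemp)
trap 'rm -f "$GOOD_PKGBUILD" "$BAD_PKGBUILD"' EXIT

# Everything goes through $pkgdir; an absolute symlink *target* is fine.
cat > "$GOOD_PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('any')
package() {
    cd "$srcdir/$pkgname-$pkgver"
    make DESTDIR="$pkgdir" install
    install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
    ln -sf /usr/bin/example-tool "$pkgdir/usr/bin/et"
}
EOF

# The two mistakes described in the thread: sudo in the build, and files
# placed directly into the live system instead of into the package.
cat > "$BAD_PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('any')
package() {
    cd "$srcdir/$pkgname-$pkgver"
    sudo make install
    install -Dm755 example-tool /usr/bin/example-tool
    mkdir -p /opt/example-tool
    cp -r share "$pkgdir"/usr/share/example-tool
}
EOF

for f in "$GOOD_PKGBUILD" "$BAD_PKGBUILD"; do
    if check_pkgbuild "$f"; then
        echo "$f: no findings"
    else
        echo "$f: needs review before it goes anywhere near a build chroot"
    fi
done
```

Run it as `sh check_pkgbuild.sh`, or source it and call `check_pkgbuild PKGBUILD` on a real file. On the constructed samples the good PKGBUILD is clean and the bad one yields three findings (the `sudo` line and the two absolute destinations); the `cp` into `"$pkgdir"/...` is correctly left alone because quotes are stripped before the destination is inspected. Treat a hit as a reason to read the package, not as a verdict: a `cd /usr/src`-style line would slip past, and a legitimate `ln -sf /abs/target "$pkgdir/..."` is deliberately not flagged.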