danirod

Always read your PKGBUILDs →

Dani Rodríguez

If you don’t read the PKGBUILD file whenever you download something from the AUR repositories, you are exposing yourself to terrible security issues, as the world has recently seen.

Malware was spotted in the AUR repositories of Arch Linux last week. Someone modified the PKGBUILD of a package to add a curl call in the script file, as can be seen here (as long as they don’t purge the blob object from the repository, because they stripped out the commit from the history).

I would file this tip in the same category as “don’t just curl bash pipe stuff you find at GitHub”, but it’s getting late and I don’t have time for entering in the rabbit hole argument of where do we put the limit on trusting the software and the installers we put in our machines.

Disclaimer: este post forma parte de mi linklog. Haz clic aquí o en el título del post para ver el contenido original. La intención al compartir un enlace es informativa y no puedo garantizar la exactitud del contenido enlazado. Más información.

Enlace permanente Marcador presente en Linklog (ATOM)