
PKGBUILDS


You may or may not know that I have a nice little utility that automates dealing with the AUR. It comes with some switches that will prompt you to edit the PKGBUILD before building anything, but by default it will just do its thing and install said package.

The script works this way because, well, I made it. This is how I like to use it. Most smart Archers balk at this... running a PKGBUILD without reviewing it? My god man, anyone could put anything in there! Think of the children!

I don't mean to poke fun; it's a valid point, anyone could throw anything in there. But I'm not too concerned, and I'll tell you why... in excruciating paragraph form...

I guess someone could put a nice rm -rf / in a PKGBUILD. That'd eff up your day. I run makepkg as a normal user, so this would amount to a whole bunch of permission denied's. No big deal.

What about rm -rf ~ then?

Yeah, that would also eff up my day. So could a whole slew of obfuscated commands. But rather than listing commands that could potentially screw up my system if placed in a build() function... I'll just say this:

Thank god for nightly backups. I will trade you the 60 minutes it would take to get back up and running in exchange for the 2 minutes per AUR PKGBUILD I would have to review to be 'safe'. Personally I'd be more worried about someone opening up some kind of back door into my system. On that note though, a) I have nothing 'sensitive' on here, and b) I hope I would notice, and close the hole or reinstall promptly.

If someone wants to take the time to put something malicious into an AUR PKGBUILD, and if somehow that goes unnoticed by the entire community of insanely smart and observant archers that I call friends... I think I'm ok with the risk.

Feel free to use the --edit option of my script, use any other AUR tool that does force editing of all PKGBUILDs, or simply do it the ol' fashioned way. Choices are aplenty.

pbrisbin dot com 2010