On Wed, Feb 27, 2019 at 2:10 AM alad via aur-general <[email protected]> wrote:

> I haven't read all the documentation for this project, but noticed some
> oddities. Your build service appears to build AUR packages in full
> automation using "yay -Syu --noconfirm". [4] While I'm sure you took the
> necessary precautions to protect your _servers_ from arbitrary code
> execution, users are still at risk.
>
> For example, even when the build happens on your server, the .install
> file contains arbitrary code, which is run by pacman as root, on
> installation of the built package on the user's host. And it's unlikely
> a user will extract a .pkg.tar.xz, just to verify that the .install file
> does nothing strange.

Sorry for jumping in here, but that feels like a discussion about the merits of idempotent and declarative package management more than a discussion about TU practices. The security and technical concerns for CI/build services are different to end-user desktops…

> Not to mention how your service hit the AUR rate limit, due to the
> choice of the one (from 18!) AUR helpers inefficient enough to cause
> this. [5] I guess this is "fixed" now, but it leaves a bad taste
> nonetheless.

I'm curious why a user/developer reaching out about an issue leaves a bad taste.

J. Leclanche
