This is not the right place to suggest that but I was wondering why it possible to run command like `npm install ...` or `bun install ...` in a pre/post_install hook.
I don't make a lot of package but I don't think this is really needed, and my idea is that pacman could block the use of such problematic command in any install file/hooks. The command being the problematic npm/bun/pip and so on ... If the pacman's devs are not willing to do that, that could be done on AUR, where such a package could be flagged as problematic/dangerous with a lot of warning, whatever. You don't need AI to do that This will only cover what we have seen in the recent wave of attack, but that is an idea to develop, may be, into something else? Le sam. 13 juin 2026 à 19:07, David C Rankin <[email protected]> a écrit : > > On 6/13/26 4:30 AM, Michael Shaw wrote: > > This merely pushes the issue of trust down the line a couple years. > > and would solve 99.99% of the malware problem. > > If a bad actor is willing to wait 1, 2, 3 years just to deliver malware > -- they are going to get you one way or another.... > > -- > David C. Rankin, J.D.,P.E.
