This is not the right place to suggest that but I was wondering why it
possible to run command like `npm install ...` or `bun install ...` in
a pre/post_install hook.

I don't make a lot of package but I don't think this is really needed,
and my idea is that pacman could block the use of such problematic
command in any install file/hooks.

The command being the problematic npm/bun/pip and so on ...

If the pacman's devs are not willing to do that, that could be done on
AUR, where such a package could be flagged as problematic/dangerous
with a lot of warning, whatever. You don't need AI to do that

This will only cover what we have seen in the recent wave of attack,
but that is an idea to develop, may be, into something else?

Le sam. 13 juin 2026 à 19:07, David C Rankin <[email protected]> a écrit :
>
> On 6/13/26 4:30 AM, Michael Shaw wrote:
> > This merely pushes the issue of trust down the line a couple years.
>
> and would solve 99.99% of the malware problem.
>
> If a bad actor is willing to wait 1, 2, 3 years just to deliver malware
> -- they are going to get you one way or another....
>
> --
> David C. Rankin, J.D.,P.E.

Reply via email to