Hi David,

In the AUR case, any source scanning would have to be added as part of the makepkg process, and compute required would just be part of the build process if something like that is even doable.
Fyi, there’s some experimental work in progress (private, not endorsed by Arch developers) to add pluggable, user-controlled upstream source auditing to makepkg. [1] [2]

Regards
Claudia


[1]: https://gitlab.archlinux.org/auerhuhn/libmakepkg-srcaudit/-/blob/main/README.md

[2]: https://gitlab.archlinux.org/auerhuhn/libmakepkg-hexora/-/blob/main/README.md

Attachment: OpenPGP_0xD11E9FC4F7C9DA3C.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply via email to