Hi David,
In the AUR case, any source scanning would have to be added as part of the makepkg process, and compute required would just be part of the build process if something like that is even doable.Fyi, there’s some experimental work in progress (private, not endorsed by Arch developers) to add pluggable, user-controlled upstream source auditing to makepkg. [1] [2]
Regards Claudia[1]: https://gitlab.archlinux.org/auerhuhn/libmakepkg-srcaudit/-/blob/main/README.md
[2]: https://gitlab.archlinux.org/auerhuhn/libmakepkg-hexora/-/blob/main/README.md
OpenPGP_0xD11E9FC4F7C9DA3C.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
