On 6/13/26 1:13 PM, Claudia Pellegrino wrote:
Hi David,


In the AUR case, any source scanning would have to be added as part of the makepkg process, and compute required would just be part of the build process if something like that is even doable.
Fyi, there’s some experimental work in progress (private, not endorsed by Arch developers) to add pluggable, user-controlled upstream source auditing to makepkg. [1] [2]

Regards
Claudia


[1]: https://gitlab.archlinux.org/auerhuhn/libmakepkg-srcaudit/-/blob/ main/README.md

[2]: https://gitlab.archlinux.org/auerhuhn/libmakepkg-hexora/-/blob/ main/README.md


Thank You Claudia!,

Are there other drop-in scanners planned in addition to hexora? The Readme says it scans upstream python, but what about the nodejs/npm files?

While the PKGBUILD changes can indicate the presence of a post-install install/bun file, is there a need to do similar scanning on what npm pulls down in the legitimate case? Seems both npm and pypi are frequent-flyers in the upstream package poisoning category. If hexora looks at upstream python, is it worth doing something similar for npm?

Granted, with a FORTRAN, C, C++ background, I don't understand the internals of the npm world, but I do see npm at the top of the leader-board for supply-chain compromises. If the post-install modifications pull in poisoned npm files, could a similar drop in there catch it?

Side-track/Reason

My curiosity on that issue extends to the mongosh package I co-maintain that currently relies heavily on upstream nodejs/npm and pulls in some 14,000 javascript sources. That's just the way the package works, assembling/borrowing bits of functionality from ~30 npm modules rather than actually coding the shell itself.

While that package is legitimate, it would be comforting to have some makepkg hook scan the myriad of js files it pulls in through npm independent of the AUR attack issue. Currently, the files are non-obfuscated/well-formatted, but there is no way to ensure one of them wasn't an upstream target during the build process.

That's a separate issue, but it dovetails with the current libmakepkg plug-in approach. (save the idea for later if nothing else)

  Best of luck to you all. You are doing great!

--
David C. Rankin, J.D.,P.E.

Reply via email to