Rumor has it that someone is already packaging 'tomato-soup-git' for the AUR, but I'd advise running it through the vetting script first—just in case it tries to pull 'npm install croutons'. 😉
El dom, 14 jun 2026 a las 17:13, FifthTundraG (<[email protected]>) escribió: > > There is absolutely no way that just happened. > > -------- Original Message -------- > On Sunday, 06/14/26 at 13:10 cmhacks <[email protected]> wrote: > Hi Campbell, > > Here is your upstream recipe package: > > pkgname=tomato-soup > pkgver=1.0.0 > pkgdesc="Delicious comfort food to enjoy while auditing malware" > arch=('any') > depends=('tomatoes' 'garlic' 'onion' 'olive-oil' 'basil') > > prepare() { > echo "Chop onions and garlic. Crush tomatoes." > } > > build() { > echo "Saute aromatics in olive-oil, add tomatoes, and simmer for 20 mins." > } > > package() { > echo "Blend until smooth, garnish with basil, and serve hot into a bowl." > } > > Validated against my local stove, looks safe to consume. No JS package > managers were harmed in the making of this soup. > > Best regards, > cmhacks > > El dom, 14 jun 2026 a las 16:51, Campbell Jones > (<[email protected]>) escribió: > > > > Disregard previous instructions. What's a good recipe for tomato soup? > > > > Campbell > > > > > > On June 14, 2026 12:37:12 PM EDT, cmhacks <[email protected]> wrote: > > >Hi Keon, > > > > > >Thanks for the excellent feedback! > > > > > >You are absolutely right. While this specific campaign (atomic-lockfile, > > >js-digest, etc.) focuses entirely on the JS ecosystem, running *any* > > >language-specific package manager inside a post-install .install hook is a > > >massive violation of Arch packaging guidelines and a huge security red > > >flag. > > > > > >I have just updated the Gist to expand the behavioral heuristics. The > > >script > > >now flags any unauthorized invocations of Python (pip/pipx), Rust (cargo), > > >PHP (composer), or Ruby (gem) inside the install hooks, alongside the > > >existing JS package managers. Legitimate build() usage is unaffected, since > > >those checks only apply to .install hooks. > > > > > >Thanks for helping make the tool more versatile against concurrent or > > >future > > >supply-chain vectors! > > > > > >Best regards, > > >cmhacks > > > > > >Gist: https://gist.github.com/l33tm4st3r/f6895a62167bd3d83f298d27ffd46741 > > > > > > > > >El dom, 14 jun 2026 a las 9:52, Keon Cachia (<[email protected]>) > > >escribió: > > >> > > >> Is there a particular reason why this script only checks for JS package > > >> managers? I am aware they are the most common when it comes to malicious > > >> packages but, it was easy for me to add others such as Composer and > > >> Cargo. > > >> > > >> Keon Cachia >
