I dared to publish atomdrift-scan as a package to AUR, I would be gracious
if you could eyeball it and say if you think it's fine

Best,
Pasha

On Mon, 15 Jun 2026 at 12:15, Pasha Finkelshtein <
[email protected]> wrote:

> Scanning built packages of scary because it requires building, which can
> involve malicious actions, but probably need to perform 2-pass scanning:
> pkgbuild-build-scan binary
>
> Pasha Finkelshteyn
> Developer Advocate [image: Logo] <https://bell-sw.com/>
> Mobile: +49 1525 981-7123
> Email: [email protected]
> bell-sw.com   [image: facebook icon] <https://www.facebook.com/asm0dey>   
> [image:
> twitter icon] <https://twitter.com/asm0di0>   [image: linkedin icon]
> <https://www.linkedin.com/in/asm0dey>   [image: instagram icon]
> <https://www.instagram.com/asm0dey>   [image: telegram icon]
> <https://t.me/asm0dey>
>
> On Mon, 15 Jun 2026, 12:07 Thomas Stromberg, <[email protected]> wrote:
>
>>
>>
>> On Mon, Jun 15, 2026 at 2:12 AM Pasha Finkelshtein <
>> [email protected]> wrote:
>>
>>> Hi Thomas,
>>>
>>> First of all, thank you for what you're doing, it looks amazing!
>>>
>>
>> Thanks! It's been truly a labor of love.
>>
>>
>>> Second, I'm not a maintainer, just a mere user. As a mere user, I'd love
>>> to have some kind of cli tool, that could scan package for me before I
>>> build/install it.
>>>
>>
>> That's available:
>>
>> git clone https://codeberg.org/atomdrift/scan.gitcd scan
>> make install
>>
>> ascan fs /path/to/aur
>>
>> That will recursively scan a path - containing an AUR or whatever -
>> including within archives (if it doesn't work - let me know). Unlike most
>> tools, Atomdrift reverse-engineers both code and binary content, applying
>> common rules to both.
>>
>> One important limitation: AS does not yet follow external file references
>> (other packages, URLs), but it does detect unusual external references,
>> which have flagged many of the AUR attacks. I'm working on the external
>> refs feature as we speak; and hope to have the initial
>> implementation added behind a --fetch flag later today.
>>
>> Third, I'm not sure how Atomdrift works, but the code of AUR itself is
>>> also open and probably you might see a way how to integrate scanning into
>>> the pipeline?  Like when someone committs an update to a package, it runs
>>> thru Atomdrift.
>>>
>>
>> Yup, that should entirely be possible! At Chainguard, we deployed a
>> similar sort of tool as part of our code review process. The more
>> interesting part of the tooling that is yet to be released is differential
>> analysis (you can get a preview by the diff subcommand in
>> https://codeberg.org/atomdrift/cleave) - that's where things get really
>> exciting for this use case. That will then flag the interesting
>> xzutils-inspired question: why did a v1.0.0 -> v1.0.1 bump yield a 93%
>> behavioral change?
>>
>>
>>>
>>> Best,
>>> Pasha
>>>
>>> Pasha Finkelshteyn
>>> Developer Advocate [image: Logo] <https://bell-sw.com/>
>>> Mobile: +49 1525 981-7123
>>> Email: [email protected]
>>> bell-sw.com   [image: facebook icon] <https://www.facebook.com/asm0dey>
>>>   [image: twitter icon] <https://twitter.com/asm0di0>   [image:
>>> linkedin icon] <https://www.linkedin.com/in/asm0dey>   [image:
>>> instagram icon] <https://www.instagram.com/asm0dey>   [image: telegram
>>> icon] <https://t.me/asm0dey>
>>>
>>> On Mon, 15 Jun 2026, 04:43 Thomas Stromberg, <[email protected]> wrote:
>>>
>>>> [resending as my e-mail yesterday went to the moderation queue]
>>>>
>>>> I've been building out an open-source platform for supply-chain
>>>> detection over the last 6 months, based on my previous work at Chainguard.
>>>> While it's still a work in progress, the recent attacks have tipped my
>>>> hand, so here it goes: https://atomdrift.org/ (Apache 2.0)
>>>>
>>>> TL;DR - We're building an automated local reverse-engineering and
>>>> detection platform, powered by tiny local deterministic AI models,
>>>> retrained constantly based on recent attacks and threat feeds. Because it
>>>> uses other great open-source projects under the hood (tree-sitter, rizin,
>>>> etc) rather than just pattern matching, it's immune to most obfuscation
>>>> attacks.
>>>>
>>>> Atomdrift's detection is runnable via a simple rust CLI tool (
>>>> https://codeberg.org/atomdrift/scan). No special hardware required. If
>>>> you have a local LLM, we support an optimized path for getting a second
>>>> opinion from it via --interpret that provides a summary and steers
>>>> confidence levels.
>>>>
>>>> While our training pipeline has been pulling from open-source
>>>> marketplaces for months, yesterday we just started scanning AUR updates
>>>> rather than new additions, and here's an example of what it looks like:
>>>> https://lab.atomdrift.org/file/720b4275223cf0e27e60fdae069eba53b1869d44e46b8c9f09975405e75763f9
>>>>
>>>> Here's a link to the Arch pipeline results:
>>>> https://lab.atomdrift.org/arch/
>>>>
>>>> I built this to help open-source, and would love to figure out how I
>>>> can help ArchLinux with their supply chain issues - whether it's just
>>>> discussing ideas, making a sustainable alert pipeline to what is up
>>>> and running already, running the pipeline on your infra, or
>>>> collaborating on development.
>>>>
>>>> As atomdrift both emits scores and lets you tune for a specific
>>>> acceptable false-positive level, one idea for AUR could be automated review
>>>> or publishing delay based on confidence levels.
>>>>
>>>> The compute-side runs on Arch, btw.
>>>> Thomas
>>>>
>>>

Reply via email to