Even reviewing PKGBUILDs, there are things that I CAN'T see, see, eg homograph 
attacks[1] for a package that I've not installed before (no diff highlight).

An example of a `source` array attack vector:

 - https://install.example-cli.dev   # safe
 - https://іnstall.example-clі.dev   # compromised

See the difference?  You can't.  Neither can you via the terminal.  Both 
2nd-line `і` characters are Cyrillic (U+0456), not Latin `i`. The second URL 
resolves to an attacker's server.

Don't believe me? Copy the 2nd url into your browser -- browsers solved this 
years ago, the 2nd displays as:
    http://xn--nstall-ovf.xn--example-cl-62i.dev/

So even if I know what sources a package should use, I may not be able to tell 
that they are actually being used.

I believe this is yet another example as to why defence-in-depth via automated 
PKGBUILD scanners is needed.  

I care about community members with less experience than myself in reviewing 
PKGBUILDs.  I don't (yet) know how to hook in some of the automated scanners 
that have been mentioned here into paru and yay pre-install hooks, but if YOU 
know I think it would be of great value to have this knowledge be much more 
widespread.  
I asked how to do it here:  
https://www.reddit.com/r/archlinux/comments/1u85cig/defense_in_depth_pkgbuild_scan_hooks_for_paru_yay/


[1] https://en.wikipedia.org/wiki/IDN_homograph_attack

Reply via email to