Even reviewing PKGBUILDs, there are things that I CAN'T see, see, eg homograph attacks[1] for a package that I've not installed before (no diff highlight).
An example of a `source` array attack vector: - https://install.example-cli.dev # safe - https://іnstall.example-clі.dev # compromised See the difference? You can't. Neither can you via the terminal. Both 2nd-line `і` characters are Cyrillic (U+0456), not Latin `i`. The second URL resolves to an attacker's server. Don't believe me? Copy the 2nd url into your browser -- browsers solved this years ago, the 2nd displays as: http://xn--nstall-ovf.xn--example-cl-62i.dev/ So even if I know what sources a package should use, I may not be able to tell that they are actually being used. I believe this is yet another example as to why defence-in-depth via automated PKGBUILD scanners is needed. I care about community members with less experience than myself in reviewing PKGBUILDs. I don't (yet) know how to hook in some of the automated scanners that have been mentioned here into paru and yay pre-install hooks, but if YOU know I think it would be of great value to have this knowledge be much more widespread. I asked how to do it here: https://www.reddit.com/r/archlinux/comments/1u85cig/defense_in_depth_pkgbuild_scan_hooks_for_paru_yay/ [1] https://en.wikipedia.org/wiki/IDN_homograph_attack
