> All of this assumes that people read PKGBUILDs in the first place. The > previous large-scale malware attacks seemed to aim at people that do not read > them, may it be due lack of awareness or convenience. There is perhaps an > educational issue here, rather than an technical.
When you have 3 different computers that have been set up for years, you might end up having quite a few AUR-installed packages. It takes a lot of time to review let's say 15 PKGBUILDs on every update. Of course I review all PKGBUILDs upon installation. But I don't expect them to suddenly become malicious (and apparently I should). On June 17, 2026 1:22:09 PM GMT+02:00, [email protected] wrote: >> This would change the pkgsums, wouldn't it? Not saying that's enough >> (it's often skipped for git packages) but worth noting. > >It would also trigger diff since there technically is a difference in the URL. >However, for the uneducated user it may be hard to understand why diff would >flag two seemingly identical URLs. And of course, there is the risk of people >who freshly install the package to run into this issue. >All of this assumes that people read PKGBUILDs in the first place. The >previous large-scale malware attacks seemed to aim at people that do not read >them, may it be due lack of awareness or convenience. There is perhaps an >educational issue here, rather than an technical. >But I agree, for those that actually *do* read them it had be nice to equip >them with better means of detecting/explaining Homograph attacks, perhaps >similar to how browsers are using Punycodes. > >I don't know if any of this is sufficient to treat "defence-in-depth via >automated PKGBUILD scanners" as absolutely mandatory, especially since we had >yet to discuss how the actual "scanning" had look like. There seems to be some >attempts of heuristic-based scanning being discussed lately in the mailing >list but they will need more time to mature. A solution as simple as banning >all "untypical" characters would probably backfire. One particular example I >can think of is how german "Umlaute" are allowed to be used in domains and are >used by legitimate parties as well. >
