> All of this assumes that people read PKGBUILDs in the first place. The 
> previous large-scale malware attacks seemed to aim at people that do not read 
> them, may it be due lack of awareness or convenience. There is perhaps an 
> educational issue here, rather than an technical.

When you have 3 different computers that have been set up for years, you might 
end up having quite a few AUR-installed packages. It takes a lot of time to 
review let's say 15 PKGBUILDs on every update. Of course I review all PKGBUILDs 
upon installation. But I don't expect them to suddenly become malicious (and 
apparently I should).

On June 17, 2026 1:22:09 PM GMT+02:00, [email protected] wrote:
>> This would change the pkgsums, wouldn't it? Not saying that's enough
>> (it's often skipped for git packages) but worth noting.
>
>It would also trigger diff since there technically is a difference in the URL. 
>However, for the uneducated user it may be hard to understand why diff would 
>flag two seemingly identical URLs. And of course, there is the risk of people 
>who freshly install the package to run into this issue.
>All of this assumes that people read PKGBUILDs in the first place. The 
>previous large-scale malware attacks seemed to aim at people that do not read 
>them, may it be due lack of awareness or convenience. There is perhaps an 
>educational issue here, rather than an technical.
>But I agree, for those that actually *do* read them it had be nice to equip 
>them with better means of detecting/explaining Homograph attacks, perhaps 
>similar to how browsers are using Punycodes.
>
>I don't know if any of this is sufficient to treat "defence-in-depth via 
>automated PKGBUILD scanners" as absolutely mandatory, especially since we had 
>yet to discuss how the actual "scanning" had look like. There seems to be some 
>attempts of heuristic-based scanning being discussed lately in the mailing 
>list but they will need more time to mature. A solution as simple as banning 
>all "untypical" characters would probably backfire. One particular example I 
>can think of is how german "Umlaute" are allowed to be used in domains and are 
>used by legitimate parties as well.
>

Reply via email to