On 7/8/26 15:52, [email protected] wrote: > Hi List, Hi Lenucksi,
> [...] > > b) Enforcing isolated chroot building of packages (or at least promoting > what already exists) > > To my understanding the blast radius of the 14th of June campaign could > have been limited to a good degree by enforcing the building of the > PKGBUILD in a chroot/container/nspawn etc that is properly isolated > against the host system it runs on. Building packages in chroots has many benefits, but it wouldn’t have helped here. The malicious commands were in install files, so they were executed when installing the package (as root on the host), not when building it. The main benefit of building in chroots is build isolation, e.g. so that the build fails when dependencies are present on the host but missing in depends. > Of course, if the resulting package is infected past the build process > and then does its ill work after / when being installed, this is of no > help. I did find the devtools > (https://gitlab.archlinux.org/archlinux/devtools) package, its pkgctl > tool and of course the more recent AUR helpers such as paru have an > optional --chroot parameter. > > However none of it is default, advertised properly or promoted as a good > / best practice even though upon trying those they all worked quite > well, didn't really take excessive amounts of disk space and didn't > really extend the time to build and AUR package that much. > > [...] > > Cheers, > > Lenucksi Best, Jonathan
OpenPGP_signature.asc
Description: OpenPGP digital signature
