On 7/8/26 15:52, [email protected] wrote:
> Hi List,

Hi Lenucksi,

> [...]
> 
> b) Enforcing isolated chroot building of packages (or at least promoting 
> what already exists)
> 
> To my understanding the blast radius of the 14th of June campaign could 
> have been limited to a good degree by enforcing the building of the 
> PKGBUILD in a chroot/container/nspawn etc that is properly isolated 
> against the host system it runs on.

Building packages in chroots has many benefits, but it wouldn’t have
helped here. The malicious commands were in install files, so they were
executed when installing the package (as root on the host), not when
building it.
The main benefit of building in chroots is build isolation, e.g. so that
the build fails when dependencies are present on the host but missing in
depends.

> Of course, if the resulting package is infected past the build process 
> and then does its ill work after / when being installed, this is of no 
> help. I did find the devtools 
> (https://gitlab.archlinux.org/archlinux/devtools) package, its pkgctl 
> tool and of course the more recent AUR helpers such as paru have an 
> optional --chroot parameter.
> 
> However none of it is default, advertised properly or promoted as a good 
> / best practice even though upon trying those they all worked quite 
> well, didn't really take excessive amounts of disk space and didn't 
> really extend the time to build and AUR package that much.
>
> [...]
> 
> Cheers,
> 
> Lenucksi

Best,
Jonathan

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply via email to